POC details: f2aeaac532118be15e933e468b7156ec8aea5156

Source
Related vulnerability
Title: OpenSSH operating system command injection vulnerability (CVE-2020-15778)
Description: OpenSSH (OpenBSD Secure Shell) is a suite of connection tools from the Canadian OpenBSD project for securely accessing remote computers. It is an open-source implementation of the SSH protocol; it encrypts all transmitted data and can effectively prevent eavesdropping, connection hijacking and other network-level attacks. The scp.c file of scp in OpenSSH 8.3p1 and earlier contains an operating system command injection vulnerability. The vulnerability stems from the product failing to properly filter special characters, commands and the like when constructing operating system commands from externally supplied input. An attacker can exploit this vulnerability to execute unauthorized operating system commands.
Introduction
# Write-up for CVE-2020-15778

# Discovered by : Chinmay Pandya
>## Email address : cpandya2909@gmail.com
>## Linkedin : www.linkedin.com/in/chinmay-pandya


# Vulnerability title: scp in OpenSSH 8.3p1 allows eval injection.
>##                               Product: Openssh
>##                    Affected Component: SCP
>##                    Vulnerable version: <=openssh-8.3p1
>##                         Fixed version: -
>##                            CVE number: CVE-2020-15778
>##                       Vulnerable line: https://github.com/openssh/openssh-portable/blob/a2855c048b3f4b17d8787bd3f24232ec0cd79abe/scp.c#L989
>##                    Vulnerability type: Command Injection / Eval injection (Authenticated)
>##                           Attack type: Remote attack
>## Disclosure timeline:
>- Issue discovered - 9 Jun 2020
>- CVE obtained - 16 Jul 2020
>- Vendor notified - 9 Jun 2020
>- Vendor acknowledgement received - 9 Jun 2020
>- Public disclosure - 18 Jul 2020

# About SCP
scp is a program for copying files between computers. It uses the SSH protocol. It is included by default in most Linux and Unix distributions.
 
# Issue
When copying files to a remote server, the remote file path is appended to the end of the scp command that the client sends to the remote host for execution.
For example, if you execute the following command
```sh
scp SourceFile user@host:directory/TargetFile
```

the shell on the remote host will execute the command
```sh
scp -t directory/TargetFile
```

When this scp command line is built, the file name is not sanitised.
An attacker can pass a file name containing a backtick-enclosed payload; when the scp command line is executed, the shell also executes the backtick-enclosed payload.

## Example

Execute following command with scp
```sh
scp  /sourcefile remoteserver:'`touch /tmp/exploit.sh`/targetfile'
```

After executing this command, go to the remote server and you will see that the file exploit.sh is present in the /tmp/ directory. Putting single quotes around the file name is important: it prevents the payload from being executed by the local shell. Escaping the backticks in the file name is another way to prevent the payload from being executed by the local shell.

***
**THIS IS AN AUTHENTICATED EXPLOIT AND REQUIRES A VALID SSH / SCP CREDENTIALS TO EXECUTE COMMAND ON REMOTE SERVER**
***
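The root cause described above is that the remote path is spliced verbatim into a command line that a shell interprets, so a path containing backticks (or `$(...)`) is treated as command substitution rather than as a file name. The following Python script is an added example, not part of the original write-up or of OpenSSH: it contrasts the unquoted construction (`"scp -t " + path`) with a single-quoted one built with `shlex.quote`, which is how a defender would neutralise shell metacharacters in a path, and it runs a simple metacharacter check over a constructed transfer audit log to flag suspicious target paths. The log format, the function names and `SHELL_METACHARS` are assumptions made for this example.

```python
import shlex
from typing import List, Tuple

# Characters a POSIX shell interprets when they appear unquoted on a command
# line. Backtick and "$" cover the command-substitution forms the write-up is
# about; the others are included so the check is useful as a general audit.
# (Assumed set for this example, not a list from OpenSSH.)
SHELL_METACHARS = set("`$;&|<>()\\\"' \t\n*?[]{}~#")


def has_shell_metachars(remote_path: str) -> bool:
    """True if the path contains any character the remote shell would interpret."""
    return any(c in SHELL_METACHARS for c in remote_path)


def build_remote_command_unquoted(remote_path: str) -> str:
    """The problematic construction: the path is appended verbatim, so a shell
    executing this string performs command substitution on backticks/$(...)."""
    return "scp -t " + remote_path


def build_remote_command_quoted(remote_path: str) -> str:
    """Hardened construction: shlex.quote wraps the path in single quotes (and
    escapes any embedded single quote), so the shell treats the whole path
    literally. Ordinary paths such as directory/TargetFile are left unchanged."""
    return "scp -t " + shlex.quote(remote_path)


# Constructed sample audit log for this example (not real scp or sshd output):
# one transfer per line, "<timestamp> <user> <remote target path>".
SAMPLE_AUDIT_LOG = """\
2020-07-18T09:00:00Z alice backups/db-2020-07-18.tar.gz
2020-07-18T09:05:00Z bob `touch /tmp/exploit.sh`/targetfile
2020-07-18T09:07:00Z carol reports/$(id)/q2.pdf
2020-07-18T09:10:00Z dave docs/notes/readme.txt
"""


def flag_suspicious_transfers(log_text: str) -> List[Tuple[str, str]]:
    """Return (user, path) for every logged target path that contains shell
    metacharacters. maxsplit=2 keeps spaces inside the path intact."""
    flagged: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing
        _timestamp, user, path = parts
        if has_shell_metachars(path):
            flagged.append((user, path))
    return flagged


if __name__ == "__main__":
    target = "`touch /tmp/exploit.sh`/targetfile"  # the write-up's example path
    print("unquoted:", build_remote_command_unquoted(target))
    print("quoted:  ", build_remote_command_quoted(target))
    for user, path in flag_suspicious_transfers(SAMPLE_AUDIT_LOG):
        print(f"flagged user={user} path={path!r}")
```

Quoting is the fix a caller can apply on the client side without changing the protocol; the metacharacter check is better suited to auditing transfer logs, since rejecting every such path outright would break legitimate file names containing spaces or parentheses.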

# OpenSSH reply
>The scp command is a historical protocol (called rcp) which relies upon
>that style of argument passing and encounters expansion problems.
>
>It has proven very difficult to add "security" to the scp model.  All
>attempts to "detect" and "prevent" anomalous argument transfers stand a
>great chance of breaking existing workflows.
>
>Yes, we recognize it the situation sucks.  But we don't want to break the
>easy patterns people use scp for, until there is a commonplace replacement.
>
>People should use rsync or something else instead if they are concerned.

# [Reference]
> Code for SCP - https://github.com/openssh/openssh-portable/blob/master/scp.c
File snapshot

```
[4.0K] /data/pocs/f2aeaac532118be15e933e468b7156ec8aea5156
└── [2.8K] README.md

0 directories, 1 file
```