OpenSSH scp file overwrite

openssh-scp-file-overwrite (16323)

Medium Risk

Description:

OpenSSH could allow a remote attacker to overwrite or create files on the system, caused by a vulnerability in the scp (secure copy) program. scp is a program that copies files from one host to another on a network. A remote attacker, in control of a malicious scp server, could supply a specially-crafted filename, which would allow the attacker to overwrite or create files on the system with privileges of the victim.

Platforms Affected:

• Conectiva, Linux 1.0.0
• MandrakeSoft, Mandrake Linux 10.0 AMD64
• MandrakeSoft, Mandrake Linux 10.0
• MandrakeSoft, Mandrake Linux 10.1 X86_64
• MandrakeSoft, Mandrake Linux 10.1
• MandrakeSoft, Mandrake Linux 2007.1
• MandrakeSoft, Mandrake Linux 2007.1 X86_64
• MandrakeSoft, Mandrake Linux 2008.0
• MandrakeSoft, Mandrake Linux 2008.0 X86_64
• MandrakeSoft, Mandrake Linux 2008.1 X86_64
• MandrakeSoft, Mandrake Linux 2008.1
• MandrakeSoft, Mandrake Linux LE2005 X86_64
• MandrakeSoft, Mandrake Linux LE2005
• MandrakeSoft, Mandrake Linux Corporate Server 2.1
• MandrakeSoft, Mandrake Linux Corporate Server 2.1 X86_64
• MandrakeSoft, Mandrake Linux Corporate Server 3.0
• MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
• MandrakeSoft, Mandrake Multi Network Firewall 2.0
• OpenBSD, OpenSSH 3.0
• OpenBSD, OpenSSH 3.0.1
• OpenBSD, OpenSSH 3.0.1p1
• OpenBSD, OpenSSH 3.0.2
• OpenBSD, OpenSSH 3.0.2p1
• OpenBSD, OpenSSH 3.0p1
• OpenBSD, OpenSSH 3.1
• OpenBSD, OpenSSH 3.1p1
• OpenBSD, OpenSSH 3.2
• OpenBSD, OpenSSH 3.2.2p1
• OpenBSD, OpenSSH 3.2.3
• OpenBSD, OpenSSH 3.2.3p1
• OpenBSD, OpenSSH 3.3
• OpenBSD, OpenSSH 3.3p1
• OpenBSD, OpenSSH 3.4
• OpenBSD, OpenSSH 3.4p1
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Enterprise Linux 3 ES
• RedHat, Enterprise Linux 3 WS
• RedHat, Enterprise Linux 3 AS
• RedHat, Enterprise Linux 3 Desktop
• RedHat, Enterprise Linux 4 ES
• RedHat, Enterprise Linux 4 Desktop
• RedHat, Enterprise Linux 4 AS
• RedHat, Enterprise Linux 4 WS
• RedHat, Linux Advanced Workstation 2.1 Itanium
• SGI, IRIX 6.5.20f
• SGI, IRIX 6.5.20m
• SGI, IRIX 6.5.21f
• SGI, IRIX 6.5.21m
• SGI, IRIX 6.5.22m
• SGI, IRIX 6.5.23m
• SGI, IRIX 6.5.24m
• SuSE, SuSE Linux
• Turbolinux, Turbolinux 10 Server
• Turbolinux, Turbolinux 7 Server
• Turbolinux, Turbolinux 7 Workstation
• Turbolinux, Turbolinux 8 Server
• Turbolinux, Turbolinux 8 Workstation
• Turbolinux, Turbolinux Appliance Server 1.0 Hosting Ed
• Turbolinux, Turbolinux Appliance Server 1.0 Workgroup Ed

Remedy:

Upgrade to the latest version of OpenSSH (3.8.1p1 or later), available from the OpenSSH Web site. See References.

For Conectiva Linux:
Upgrade to the OpenSSH package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2004:831 for more information. See References.

Conectiva Linux Enterprise Edition 1: 3.4p1-263 or later

For SGI IRIX:
Upgrade to the latest version of IRIX, as listed in SGI Security Advisory 20041101-01-P. See References.

For Red Hat Linux:
Refer to RHSA-2005:165-03 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (krb5): Refer to RHSA-2005:562-15 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (OpenSSH):
Refer to RHSA-2005:106-04 or RHSA-2005:481-03 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (rsh):
Refer to RHSA-2005:495-02 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

File Manipulation

References:

• CIAC Information Bulletin O-212, Apple Security Update at http://www.ciac.org/ciac/bulletins/o-212.shtml.
• Conectiva Linux Announcement CLSA-2004:831, openssh - Vulnerability in the scp command at http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000831.
• OpenSSH Web site, OpenSSH at http://www.openssh.org.
• BID-9986: RCP, OpenSSH SCP Client File Corruption Vulnerability
• CVE-2004-0175: Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992.
• MDKSA-2005:100: Updated rsh packages fix vulnerability
• MDKSA-2005:119: Updated krb5 packages fix multiple vulnerabilities
• MDVSA-2008:191: rsh
• OSVDB ID: 9550: OpenSSH scp Traversal Arbitrary File Overwrite
• RHSA-2005-074: rsh security update
• RHSA-2005-106: openssh security update
• RHSA-2005-165: rsh security update
• RHSA-2005-481: openssh security update
• RHSA-2005-495: rsh security update
• RHSA-2005-562: krb5 security update
• RHSA-2005-567: krb5 security update

Reported:

Mar 26, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page