OpenSSH SCP shell expansion command execution

openssh-scp-command-execution (24305)

High Risk

Description:

OpenSSH could allow a local attacker to execute arbitrary commands on the system. When the scp component in OpenSSH is used to perform a local-to-local copy, the file name is expanded twice. An attacker could exploit this vulnerability using a specially-crafted file name to execute arbitrary commands on the system with the privileges of the user running scp.

Consequences:

Gain Privileges

Remedy:

Upgrade to the latest version of Mac OS X (10.4.9 or later) or apply Apple Security Update 2007-003. See References.

For Fedora Core 4:
Refer to Fedora Update Notification FEDORA-2006-056 for upgrade information. See References.

For Gentoo Linux:
Refer to GLSA 200602-11 for upgrade information. See References.

For Red Hat Linux:
Refer to RHSA-2006:0044-14 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux 2.1:
Refer to RHSA-2006:0698-8 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-255-1 for patch, upgrade, or suggested workaround information. See References.

For OpenPKG:
Refer to OpenPKG Security Advisory OpenPKG-SA-2006.003 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE Security Announcement SUSE-SA:2006:008 for patch, upgrade, or suggested workaround information. See References.

For HP-UX Secure Shell:
Refer to HPSBUX02178 SSRT061267 for patch, upgrade, or suggested workaround information. See References.

For Solaris (scp1):
Refer to Sun Alert ID: 102961 for patch, upgrade, or suggested workaround information. See References.

For Avaya (scp):
Refer to ASA-2007-246 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References:

• Apple Mac OS X Web site: Apple - Apple - Mac OS X - Leopard Sneak Peek.
• BugTraq Mailing List, Tue Dec 05 2006 - 13:41:51 CST : HPSBUX02178 SSRT061267 rev.1 - HP-UX Secure Shell Remote Denial of Service (DoS).
• Fedora Update Notification FEDORA-2006-056: Fedora Core 4 Update: openssh-4.2p1-fc4.10.
• Gentoo Bugzilla Bug 119232: net-misc/{openssh|dropbear} metacharacter expansion in scp (CVE-2006-0225).
• HPSBUX02178 SSRT061267: HP-UX Secure Shell Remote Denial of Service (DoS) .
• IBM Systems Support Web site: Support for HMC.
• Mac OS X 10.4.9 and Security Update 2007-003: About the security content of Mac OS X 10.4.9 and Security Update 2007-003.
• Red Hat Bugzilla Bug 174026: CVE-2006-0225 local to local copy uses shell expansion twice.
• Sun Alert ID: 102961: Security Vulnerability in scp(1) May Allow Execution of Unintended Commands.
• ASA-2006-158: openssh security update (RHSA-2006-0044)
• ASA-2006-174: openssh security update (RHSA-2006-0298)
• ASA-2006-262: HP-UX Secure Shell Remote Denial of Service (HPSBUX02178)
• ASA-2007-246: Security Vulnerability in scp(1) May Allow Execution of Unintended Commands (Sun 102961)
• BID-16369: RCP Shell Utility Arbitrary Command Execution Vulnerability
• CVE-2006-0225: scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
• GLSA-200602-11: OpenSSH, Dropbear: Insecure use of system() call
• MDKSA-2006:034: Updated openssh packages fix vulnerability
• OpenPKG-SA-2006.003: OpenSSH
• OSVDB ID: 22692: OpenSSH scp Command Line Filename Processing Command Injection
• RHSA-2006-0044: openssh security update
• RHSA-2006-0298: openssh security update
• RHSA-2006-0698: openssh security update
• SA18579: OpenSSH scp Command Line Shell Command Injection
• SA18964: Dropbear SSH Server scp Command Line Shell Command Injection
• SA20723: IBM HMC Sendmail and OpenSSH Vulnerabilities
• SA21492: Avaya Products OpenSSH scp Shell Command Injection
• SA21724: Avaya Products OpenSSH Shell Command Injection and Security Bypass
• SA23340: Avaya PDS HP-UX Secure Shell / OpenSSL Multiple Vulnerabilities
• SA23680: VMWare ESX Server Multiple Vulnerabilities
• SA24479: Mac OS X Security Update Fixes Multiple Vulnerabilities
• SA25607: Sun Solaris scp Command Line Shell Command Injection
• SA25936: Avaya CMS / IR Solaris scp Command Line Shell Command Injection
• SECTRACK ID: 1015540: OpenSSH scp Double Shell Character Expansion During Local-to-Local Copying May Let Local Users Gain Elevated Privileges in Certain Cases
• SUSE-SA:2006:008: openssh scponly privilege escalation

Platforms Affected:

• Avaya Call Management System 12
• Avaya Call Management System 13
• Avaya Call Management System 13.1
• Avaya Call Management System 14
• Avaya Interactive Response 2.0
• Canonical Ubuntu 4.10
• Canonical Ubuntu 5.04
• Canonical Ubuntu 5.10
• Gentoo Linux
• HP HP-UX B.11.00
• HP HP-UX B.11.11
• HP HP-UX B.11.23
• MandrakeSoft Mandrake Linux 10.1
• MandrakeSoft Mandrake Linux 10.1 X86_64
• MandrakeSoft Mandrake Linux 2006
• MandrakeSoft Mandrake Linux 2006 X86_64
• MandrakeSoft Mandrake Linux LE2005
• MandrakeSoft Mandrake Linux LE2005 X86_64
• MandrakeSoft Mandrake Linux Corporate Server 3.0
• MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
• MandrakeSoft Mandrake Multi Network Firewall 2.0
• Matt Johnston Dropbear SSH Server 0.47 and prior
• Michael Jennings libast prior to 0.7
• Novell UnitedLinux 1.0
• OpenBSD OpenSSH 2.1.1p4
• OpenBSD OpenSSH 2.2.0p1
• OpenBSD OpenSSH 2.3.0p1
• OpenBSD OpenSSH 2.5.1p1
• OpenBSD OpenSSH 2.5.1p2
• OpenBSD OpenSSH 2.5.2p1
• OpenBSD OpenSSH 2.5.2p2
• OpenBSD OpenSSH 2.9.9p1
• OpenBSD OpenSSH 3.0
• OpenBSD OpenSSH 3.0.1
• OpenBSD OpenSSH 3.0.1p1
• OpenBSD OpenSSH 3.0.2
• OpenBSD OpenSSH 3.0.2p1
• OpenBSD OpenSSH 3.0p1
• OpenBSD OpenSSH 3.1
• OpenBSD OpenSSH 3.1p1
• OpenBSD OpenSSH 3.2
• OpenBSD OpenSSH 3.2.2p1
• OpenBSD OpenSSH 3.2.3p1
• OpenBSD OpenSSH 3.3
• OpenBSD OpenSSH 3.3p1
• OpenBSD OpenSSH 3.4
• OpenBSD OpenSSH 3.4p1
• OpenBSD OpenSSH 3.5
• OpenBSD OpenSSH 3.5p1
• OpenBSD OpenSSH 3.6
• OpenBSD OpenSSH 3.6.1
• OpenBSD OpenSSH 3.6.1p1
• OpenBSD OpenSSH 3.6.1p2
• OpenBSD OpenSSH 3.7
• OpenBSD OpenSSH 3.7.1
• OpenBSD OpenSSH 3.7.1p2
• OpenBSD OpenSSH 3.8
• OpenBSD OpenSSH 3.8.1
• OpenBSD OpenSSH 3.8.1p1
• OpenBSD OpenSSH 3.9
• OpenBSD OpenSSH 3.9.1
• OpenBSD OpenSSH 3.9.1p1
• OpenBSD OpenSSH 4.0p1
• OpenBSD OpenSSH 4.1p1
• OpenBSD OpenSSH 4.2p1
• OpenPKG OpenPKG 2.3
• OpenPKG OpenPKG 2.4
• OpenPKG OpenPKG 2.5
• OpenPKG OpenPKG CURRENT
• RedHat Enterprise Linux 2.1 WS
• RedHat Enterprise Linux 2.1 AS
• RedHat Enterprise Linux 2.1 ES
• RedHat Enterprise Linux 3 ES
• RedHat Enterprise Linux 3 AS
• RedHat Enterprise Linux 3 WS
• RedHat Enterprise Linux 3 Desktop
• RedHat Enterprise Linux 4 ES
• RedHat Enterprise Linux 4 AS
• RedHat Enterprise Linux 4 WS
• RedHat Enterprise Linux 4 Desktop
• RedHat Linux Advanced Workstation 2.1 Itanium
• Sun Solaris 10 x86
• Sun Solaris 10 SPARC
• Sun Solaris 9 x86
• Sun Solaris 9 SPARC
• SuSE Linux Enterprise Server 8
• SuSE Linux Enterprise Server 9
• SUSE SuSE Linux 10.0
• SUSE SuSE Linux 9.1
• SUSE SuSE Linux 9.2
• SUSE SuSE Linux 9.3
• SuSE SuSE Linux Desktop 1.0
• SuSE SuSE SLES 9
• Turbolinux Turbolinux 10 Server
• Turbolinux Turbolinux 10 Server x64 Ed
• Turbolinux Turbolinux FUJI
• Turbolinux Turbolinux Appliance Server 2.0

Reported:

Jan 24, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page