ISS X-Force Database: openssh-scp-command-execution(24305): OpenSSH SCP shell expansion command execution

OpenSSH SCP shell expansion command execution

openssh-scp-command-execution (24305)

High Risk

Description:

OpenSSH could allow a local attacker to execute arbitrary commands on the system. When the scp component in OpenSSH is used to perform a local-to-local copy, the file name is expanded twice. An attacker could exploit this vulnerability using a specially-crafted file name to execute arbitrary commands on the system with the privileges of the user running scp.

Platforms Affected:

Avaya, Call Management System 12
Avaya, Call Management System 13
Avaya, Call Management System 13.1
Avaya, Call Management System 14
Avaya, Interactive Response 2.0
Canonical, Ubuntu 4.10
Canonical, Ubuntu 5.04
Canonical, Ubuntu 5.10
Gentoo, Linux
HP, HP-UX B.11.00
HP, HP-UX B.11.11
HP, HP-UX B.11.23
MandrakeSoft, Mandrake Linux 10.1 X86_64
MandrakeSoft, Mandrake Linux 10.1
MandrakeSoft, Mandrake Linux 2006
MandrakeSoft, Mandrake Linux 2006 X86_64
MandrakeSoft, Mandrake Linux LE2005
MandrakeSoft, Mandrake Linux LE2005 X86_64
MandrakeSoft, Mandrake Linux Corporate Server 3.0
MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
MandrakeSoft, Mandrake Multi Network Firewall 2.0
Matt Johnston, Dropbear SSH Server 0.47 and prior
Michael Jennings, libast prior to 0.7
Novell, UnitedLinux 1.0
OpenBSD, OpenSSH 2.1.1p4
OpenBSD, OpenSSH 2.2.0p1
OpenBSD, OpenSSH 2.3.0p1
OpenBSD, OpenSSH 2.5.1p1
OpenBSD, OpenSSH 2.5.1p2
OpenBSD, OpenSSH 2.5.2p1
OpenBSD, OpenSSH 2.5.2p2
OpenBSD, OpenSSH 2.9.9p1
OpenBSD, OpenSSH 3.0
OpenBSD, OpenSSH 3.0.1
OpenBSD, OpenSSH 3.0.1p1
OpenBSD, OpenSSH 3.0.2
OpenBSD, OpenSSH 3.0.2p1
OpenBSD, OpenSSH 3.0p1
OpenBSD, OpenSSH 3.1
OpenBSD, OpenSSH 3.1p1
OpenBSD, OpenSSH 3.2
OpenBSD, OpenSSH 3.2.2p1
OpenBSD, OpenSSH 3.2.3p1
OpenBSD, OpenSSH 3.3
OpenBSD, OpenSSH 3.3p1
OpenBSD, OpenSSH 3.4
OpenBSD, OpenSSH 3.4p1
OpenBSD, OpenSSH 3.5
OpenBSD, OpenSSH 3.5p1
OpenBSD, OpenSSH 3.6
OpenBSD, OpenSSH 3.6.1
OpenBSD, OpenSSH 3.6.1p1
OpenBSD, OpenSSH 3.6.1p2
OpenBSD, OpenSSH 3.7
OpenBSD, OpenSSH 3.7.1
OpenBSD, OpenSSH 3.7.1p2
OpenBSD, OpenSSH 3.8
OpenBSD, OpenSSH 3.8.1
OpenBSD, OpenSSH 3.8.1p1
OpenBSD, OpenSSH 3.9
OpenBSD, OpenSSH 3.9.1
OpenBSD, OpenSSH 3.9.1p1
OpenBSD, OpenSSH 4.0p1
OpenBSD, OpenSSH 4.1p1
OpenBSD, OpenSSH 4.2p1
OpenPKG, OpenPKG 2.3
OpenPKG, OpenPKG 2.4
OpenPKG, OpenPKG 2.5
OpenPKG, OpenPKG CURRENT
RedHat, Enterprise Linux 2.1 WS
RedHat, Enterprise Linux 2.1 AS
RedHat, Enterprise Linux 2.1 ES
RedHat, Enterprise Linux 3 ES
RedHat, Enterprise Linux 3 AS
RedHat, Enterprise Linux 3 WS
RedHat, Enterprise Linux 3 Desktop
RedHat, Enterprise Linux 4 ES
RedHat, Enterprise Linux 4 AS
RedHat, Enterprise Linux 4 WS
RedHat, Enterprise Linux 4 Desktop
RedHat, Linux Advanced Workstation 2.1 Itanium
Sun, Solaris 10 x86
Sun, Solaris 10 SPARC
Sun, Solaris 9 x86
Sun, Solaris 9 SPARC
SuSE, Linux Enterprise Server 8
SuSE, Linux Enterprise Server 9
SuSE, SuSE Linux 10.0
SuSE, SuSE Linux 9.1
SuSE, SuSE Linux 9.2
SuSE, SuSE Linux 9.3
SuSE, SuSE Linux Desktop 1.0
SuSE, SuSE SLES 9
Turbolinux, Turbolinux 10 Server
Turbolinux, Turbolinux 10 Server x64 Ed
Turbolinux, Turbolinux FUJI
Turbolinux, Turbolinux Appliance Server 2.0

Remedy:

Upgrade to the latest version of Mac OS X (10.4.9 or later) or apply Apple Security Update 2007-003. See References.

For Fedora Core 4:
Refer to Fedora Update Notification FEDORA-2006-056 for upgrade information. See References.

For Gentoo Linux:
Refer to GLSA 200602-11 for upgrade information. See References.

For Red Hat Linux:
Refer to RHSA-2006:0044-14 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux 2.1:
Refer to RHSA-2006:0698-8 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-255-1 for patch, upgrade, or suggested workaround information. See References.

For OpenPKG:
Refer to OpenPKG Security Advisory OpenPKG-SA-2006.003 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE Security Announcement SUSE-SA:2006:008 for patch, upgrade, or suggested workaround information. See References.

For HP-UX Secure Shell:
Refer to HPSBUX02178 SSRT061267 for patch, upgrade, or suggested workaround information. See References.

For Solaris (scp1):
Refer to Sun Alert ID: 102961 for patch, upgrade, or suggested workaround information. See References.

For Avaya (scp):
Refer to ASA-2007-246 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Gain Privileges

References:

Apple Mac OS X Web site, Apple - Apple - Mac OS X - Leopard Sneak Peek at http://www.apple.com/macosx/leopard/.
BugTraq Mailing List, Tue Dec 05 2006 - 13:41:51 CST , HPSBUX02178 SSRT061267 rev.1 - HP-UX Secure Shell Remote Denial of Service (DoS) at http://archives.neohapsis.com/archives/bugtraq/2006-12/0091.html.
Fedora Update Notification FEDORA-2006-056, Fedora Core 4 Update: openssh-4.2p1-fc4.10 at https://www.redhat.com/archives/fedora-announce-list/2006-January/msg00062.html.
Gentoo Bugzilla Bug 119232, net-misc/{openssh|dropbear} metacharacter expansion in scp (CVE-2006-0225) at http://bugs.gentoo.org/show_bug.cgi?id=119232.
HPSBUX02178 SSRT061267, HP-UX Secure Shell Remote Denial of Service (DoS) at http://www2.itrc.hp.com/service/cki/docDisplay.do?docId=c00815112.
IBM Systems Support Web site, Support for HMC at https://www14.software.ibm.com/webapp/set2/sas/f/hmc/power5/install/v61.Readme.html#MH01110.
Mac OS X 10.4.9 and Security Update 2007-003, About the security content of Mac OS X 10.4.9 and Security Update 2007-003 at http://docs.info.apple.com/article.html?artnum=305214.
Red Hat Bugzilla Bug 174026, CVE-2006-0225 local to local copy uses shell expansion twice at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026.
Sun Alert ID: 102961, Security Vulnerability in scp(1) May Allow Execution of Unintended Commands at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102961-1.
ASA-2006-158: openssh security update (RHSA-2006-0044)
ASA-2006-174: openssh security update (RHSA-2006-0298)
ASA-2006-262: HP-UX Secure Shell Remote Denial of Service (HPSBUX02178)
ASA-2007-246: Security Vulnerability in scp(1) May Allow Execution of Unintended Commands (Sun 102961)
BID-16369: RCP Shell Utility Arbitrary Command Execution Vulnerability
CVE-2006-0225: scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
GLSA-200602-11: OpenSSH, Dropbear: Insecure use of system() call
MDKSA-2006:034: Updated openssh packages fix vulnerability
OpenPKG-SA-2006.003: OpenSSH
OSVDB ID: 22692: OpenSSH scp Command Line Filename Processing Command Injection
RHSA-2006-0044: openssh security update
RHSA-2006-0298: openssh security update
RHSA-2006-0698: openssh security update
SA18579: OpenSSH scp Command Line Shell Command Injection
SA18964: Dropbear SSH Server scp Command Line Shell Command Injection
SA20723: IBM HMC Sendmail and OpenSSH Vulnerabilities
SA21492: Avaya Products OpenSSH scp Shell Command Injection
SA21724: Avaya Products OpenSSH Shell Command Injection and Security Bypass
SA23340: Avaya PDS HP-UX Secure Shell / OpenSSL Multiple Vulnerabilities
SA23680: VMWare ESX Server Multiple Vulnerabilities
SA24479: Mac OS X Security Update Fixes Multiple Vulnerabilities
SA25607: Sun Solaris scp Command Line Shell Command Injection
SA25936: Avaya CMS / IR Solaris scp Command Line Shell Command Injection
SECTRACK ID: 1015540: OpenSSH scp Double Shell Character Expansion During Local-to-Local Copying May Let Local Users Gain Elevated Privileges in Certain Cases
SUSE-SA:2006:008: openssh scponly privilege escalation

Reported:

Jan 24, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page