CVSS 7.8 CVE-2020-15778
CVSS 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
DISPUTED scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of “anomalous argument transfers” because that could “stand a great chance of breaking existing workflows.”
Description
Note
The described behavior is not a vulnerability, but the usual procedure for applications that communicate via SSH.
This command execution is similar to that described in CVE-2019-6109. However, because it is not a bug in the “scp” protocol, this CVE entry is marked as disputed.
SCP starts an application on the remote server, which is then used for communication.
When starting the communication, any parameters can be passed. Because they are executed by the standard shell, it is possible to use arbitrary functions of this shell. This includes functions like “command expansion” and similar.
This behavior is similar to execute following command:
$ ssh remoteserver -C "ls"
In this case a remote command is executed. This command uses the same method as the scp command when starting the scp server component.
Discloser information
Discovered by: Chinmay Pandya
Email address: cpandya2909@gmail.com
Source: cpandya2909/CVE-2020-15778
Timeline
Issue discovered - 9 Jun 2020
CVE obtained - 16 Jul 2020
Vendor notified - 9 Jun 2020
Vendor acknowledgement received - 9 Jun 2020
Public disclosure 18 Jul 2020
About SCP
scp is a program for copying files between computers. It uses the SSH protocol. It is included by default in most Linux and Unix distributions.
Issue
While coping files to remote server, file path is appended at end of local scp command. For example, if you execute following command
scp SourceFile user@host:directory/TargetFile
it will execute a local command
scp -t directory/TargetFile
At time of creating local scp command, it does not sanitize file name. An attacker can pass a backtick enabled payload as file name and when local scp command is executed, local shell will also execute backtick enabled payload.
Example
Execute following command with scp
scp /sourcefile remoteserver:'`touch /tmp/exploit.sh`/targetfile'
After executing this command, go to remote server and you will see in /tmp/ directory that file exploit.sh is present. Putting single quotes in file name is important to prevent payload execution on local shell or using escape character like single quotes in file name can prevent payload execution on local shell
Openssh reply
Note
The scp command is a historical protocol (called rcp) which relies upon that style of argument passing and encounters expansion problems. It has proven very difficult to add “security” to the scp model. All attempts to “detect” and “prevent” anomalous argument transfers stand a great chance of breaking existing workflows. Yes, we recognize it the situation sucks. But we don’t want to break the easy patterns people use scp for, until there is a commonplace replacement. People should use rsync or something else instead if they are concerned.
Test with SSH-MITM
The man in the middle server is able to modify the sent command. This allows to execute arbitrary commands as the user on the remote server without the need to open a shell.
To inject additional commands during a file transfer from the client to the server you have to start ssh-mitm with following arguments:
$ ssh-mitm server --scp-interface replace-command \
--scp-append-string '`touch /home/testuser/exploit.sh`'
On the client side, the scp file transfer is started with following command:
scp -P 10022 /bin/bash testuser@localhost:'/tmp/target'