When copying a file from a remote server to a local destination, the scp(1) command uses the filename sent by the server to construct the local path where the file is written. The scp(1) command from OpenSSH versions older than 3.9 blindly trusts the filename sent by the server and does not prevent, for example, directory traversal when a malicious server sends a filename of "../../etc/shadow".
This allows a malicious server to overwrite arbitrary local files, provided that the user running scp(1) has sufficient permissions. Note that some sources, such as the CVE database, incorrectly claim this vulnerability was fixed in OpenSSH 3.4. However, the CVS repository clearly shows that it was fixed in revision 1.114 of ssh/scp.c, which ships with OpenSSH 3.9.
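The defensive check is simple: a filename received from the remote side must be a single path component, so anything containing a path separator, or naming "." or "..", is rejected before it is joined to the destination directory. The following C example (added here; it is not OpenSSH's code) shows that validation applied to a parsed scp "C<mode> <size> <name>" control line. The parser `parse_copy_header` is a simplified, hypothetical reimplementation written for this illustration, and the sample lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if a filename received from the remote side may safely be used
 * as a single local path component, 0 otherwise.  Rejects empty names,
 * any name containing '/' (so "../../etc/shadow" cannot escape the
 * destination directory), and the special entries "." and "..".
 * This mirrors the shape of the check scp(1) gained in OpenSSH 3.9 but is
 * an added illustration, not the project's own code. */
int remote_filename_ok(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Parse one "C<mode> <size> <name>\n" line as sent by an scp sender and
 * copy the name into out (capacity outlen).  Returns 1 only when the line
 * is well-formed AND the name passes remote_filename_ok(); returns 0 for
 * malformed lines or unsafe names.  Hypothetical simplified parser. */
int parse_copy_header(const char *line, char *out, size_t outlen)
{
    const char *p = line;
    if (*p != 'C')
        return 0;
    p++;
    /* four octal mode digits, e.g. 0644 */
    for (int i = 0; i < 4; i++, p++)
        if (*p < '0' || *p > '7')
            return 0;
    if (*p++ != ' ')
        return 0;
    /* decimal file size */
    if (!isdigit((unsigned char)*p))
        return 0;
    while (isdigit((unsigned char)*p))
        p++;
    if (*p++ != ' ')
        return 0;
    /* the remainder up to the newline is the server-supplied filename */
    size_t n = strcspn(p, "\n");
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return remote_filename_ok(out);
}

int main(void)
{
    /* constructed sample control lines: one benign, three that must be refused */
    const char *samples[] = {
        "C0644 12 notes.txt\n",
        "C0644 12 ../../etc/shadow\n",
        "C0644 12 ..\n",
        "C0644 12 sub/dir.txt\n",
    };
    char name[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = parse_copy_header(samples[i], name, sizeof name);
        printf("sample %zu: %s\n", i, ok ? "accepted" : "rejected");
    }
    return 0;
}
```

Only the first sample is accepted; the other three are refused before any local path is built, which is the point at which the pre-3.9 scp(1) would instead have written outside the destination directory.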