Rapid7 Vulnerability & Exploit Database

OpenSSH SCP Traversal Arbitrary File Overwrite


Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: 04/06/2004
Created: 07/25/2018
Added: 11/26/2007
Modified: 08/28/2019

Description

When copying a file from a remote server to a local destination, the scp(1) command uses the filename sent by the server to construct the local path where the file should be written to. The scp(1) command from OpenSSH versions older than 3.9 blindly trusts the filename sent by the server and fails to prevent, for example, directory traversals if a malicious server sends a filename of "../../etc/shadow".

This allows a malicious server to overwrite arbitrary local files, provided that the user running scp(1) has sufficient permissions. Note that some sources, such as the CVE database, incorrectly claim this vulnerability was fixed in OpenSSH 3.4. However, the CVS repository clearly shows that it was fixed in revision 1.114 of ssh/scp.c, which ships with OpenSSH 3.9.
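The check a receiving client needs before building the local path, as an added example (not code from OpenSSH or from this advisory): it parses an scp control record of the form "C<mode> <size> <name>" or "D<mode> <size> <name>" and accepts the name only if it is a single path component. The function names scp_name_is_safe and scp_local_path, the destination directory and the sample records are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Accept only a single path component: non-empty, no '/', not "." or "..". */
static int scp_name_is_safe(const char *name)
{
    if (name[0] == '\0' || strchr(name, '/') != NULL)
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/*
 * Parse a server-sent "C<mode> <size> <name>\n" or "D<mode> <size> <name>\n"
 * record and build the local path under destdir.
 * Returns 0 on success, -1 if the record is malformed or the name is unsafe.
 */
int scp_local_path(const char *record, const char *destdir,
                   char *out, size_t outlen)
{
    char type, name[256];
    unsigned int mode;
    unsigned long long size;
    int n;

    if (sscanf(record, "%c%o %llu %255[^\n]", &type, &mode, &size, name) != 4)
        return -1;
    if ((type != 'C' && type != 'D') || mode > 07777)
        return -1;
    if (!scp_name_is_safe(name))            /* rejects "../../etc/shadow" */
        return -1;
    n = snprintf(out, outlen, "%s/%s", destdir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;   /* refuse truncation */
}

int main(void)
{
    /* Constructed sample records, as a server might send them. */
    const char *recs[] = { "C0644 12 report.txt\n",
                           "C0644 12 ../../etc/shadow\n", "D0755 0 ..\n" };
    char path[128];
    for (size_t i = 0; i < 3; i++) {
        int rc = scp_local_path(recs[i], "/tmp/dl", path, sizeof path);
        printf("%d %s\n", rc, rc == 0 ? path : "(rejected)");
    }
    return 0;
}
```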

Solution(s)

  • openbsd-openssh-upgrade-3_9
