On 4/11/19 12:37 pm, Damien Miller wrote:
> scp isn't being exploited, you're just running commands in your own remote shell and all interpretation happens there - scp never sees those characters.
I already understood what was going on. The issue is, scp promises to "cop[y] files between hosts on a network [using] ssh for data transfer." It does not promise to also execute arbitrary commands. When a file copy program is used to execute arbitrary commands, that seems to almost be the definition of an exploit.
The poor quality of command parsing (I mean, clumsy and awkward need to quote and escape characters, even though the shell has already given scp individual arguments) suggests why scp can be exploited in that manner. Although scp is speaking to sshd, obviously somewhere along the line one of the components is translating that into a shell command line and thus losing the identity of arguments. That's just awful, and I should have thought it was not at all necessary. Am I missing something?
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
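
The loss of argument identity discussed in this message, as an added illustration that is not part of the original post and is not OpenSSH code: a local `sh -c` stands in for the remote shell, and it shows one argument becoming two when arguments are joined into a command string, next to the same argument surviving intact when it is single-quoted first. The function names and sample file names are constructed for this example.

```sh
#!/bin/sh
# Added illustration: no ssh or scp is invoked. A local `sh -c` plays the
# part of the remote shell that re-parses a command line sent as one string.

# sh_quote STRING: wrap STRING in single quotes, escaping embedded single
# quotes, so a shell parsing the result sees exactly one literal word.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# count_args_joined ARG...: join the arguments with spaces (argument
# boundaries are lost here), let a second shell parse the string, and
# print how many arguments that shell ends up with.
count_args_joined() {
    cmdline="set --"
    for a in "$@"; do
        cmdline="$cmdline $a"
    done
    sh -c "$cmdline; echo \$#"
}

# count_args_quoted ARG...: same, but each argument is quoted before joining,
# so the second shell reconstructs the original argument list.
count_args_quoted() {
    cmdline="set --"
    for a in "$@"; do
        cmdline="$cmdline $(sh_quote "$a")"
    done
    sh -c "$cmdline; echo \$#"
}

# roundtrip_quoted ARG: print ARG as the second shell sees it after quoting.
roundtrip_quoted() {
    sh -c "set -- $(sh_quote "$1"); printf '%s' \"\$1\""
}

name='my file.txt'   # constructed sample: one argument containing a space
echo "joined: $(count_args_joined "$name") argument(s)"
echo "quoted: $(count_args_quoted "$name") argument(s)"
```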