Bug#327019: ssh: scp allows remote execution of shell commands when semicolon is used in filename
Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: critical
Here is my testcase:
$ scp remotehost@';uname -a'
Linux pancake 2.6.11-1-686 #1 Mon Jun 20 22:00:38 MDT 2005 i686 GNU/Linux
That line comes from the remote host (I verified this by trying the
hostname command instead of uname -a, which gives the name of the
remote host).
I also tried connecting to my own machine this way (localhost@), and
it executes arbitrary commands, too. So I won't put the versions of
packages on the remote host here, because the ssh server on the local
host is vulnerable as well.
I'm not sure that this is a security hole because a user can anyway
connect with ssh and execute arbitrary commands. But it can possibly
be a vulnerability if the user account has a restricted shell, or PAM
restrictions that allow scp but disallow ssh are in effect. I haven't
checked these cases, but I set this bug's severity to critical just in
case it really turns out to be a security hole.
In addition to being or not being a security hole, it's also a major
bug that prevents transferring files with special characters in their
names via scp. The workaround is to escape them with backslashes.
(Because you are typing the scp command itself in a shell, the
backslashes themselves, along with the other special characters, need
to be escaped, too.)
The user that I was authenticating as had /bin/bash as his shell. The
version of bash package is 3.0-15.
Below is my /etc/ssh/sshd_config.
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication no
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
Subsystem sftp /usr/lib/sftp-server
UsePAM yes
-- System Information:
Debian Release: testing/unstable
APT prefers testing-proposed-updates
APT policy: (900, 'testing-proposed-updates'), (900, 'testing'), (900, 'stable'), (800, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11-1-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Versions of packages ssh depends on:
ii adduser 3.67 Add and remove users and groups
ii debconf 1.4.57 Debian configuration management sy
ii dpkg 1.13.11 package maintenance system for Deb
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
ii libpam-modules 0.76-23 Pluggable Authentication Modules f
ii libpam-runtime 0.76-23 Runtime support for the PAM librar
ii libpam0g 0.76-23 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7e-3 SSL shared libraries
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime
ssh recommends no packages.
-- debconf-show failed
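The mechanism behind the report, as an added example (this is not code from the bug report or from OpenSSH): the scp client does not copy files itself; for a fetch it runs, over ssh, roughly `scp -f <path>` on the remote side, and the user's login shell there parses that command line, so a path containing `;` becomes two commands. The script below simulates that remote shell locally with `sh -c`, replaces the real `scp -f` with a stub named `scp_f` (an assumption made for the simulation), uses `;echo INJECTED` as a stand-in for the report's `uname -a`, and shows a quoting function that makes the path reach the stub as a single word.

```shell
#!/bin/sh
# Added example, not part of the bug report. Models how scp hands the
# remote path to the remote login shell and how to quote it safely.
# Assumption: the remote side executes "scp -f <path>" via the login
# shell; the real scp -f is replaced here by the stub scp_f so the whole
# thing runs offline.

# remote_login_shell RAW: feed "scp_f RAW" to a shell the way the remote
# sshd would feed "scp -f RAW" to the login shell, and print what the
# stub received (plus the output of anything else the shell ran).
remote_login_shell() {
    sh -c "scp_f() { printf 'scp -f received %d arg(s): %s\n' \"\$#\" \"\$*\"; }; scp_f $1"
}

# shell_quote STRING: wrap STRING in single quotes so a POSIX shell reads
# it back as one literal word; each embedded ' becomes '\''.
# (Command substitution drops trailing newlines from STRING.)
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# received_args RAW: number of arguments the stub got; 1 means the path
# survived intact, 0 means the shell split a command off before it.
received_args() {
    remote_login_shell "$1" | sed -n 's/^scp -f received \([0-9]*\) arg.*/\1/p'
}

# runs_injected RAW: exit 0 if the simulated remote shell ran something
# other than the stub (detected by the marker the payload prints).
runs_injected() {
    remote_login_shell "$1" | grep -q '^INJECTED$'
}

# Demonstration: the report's test case shape, unquoted and quoted.
echo "unquoted path:"
remote_login_shell ';echo INJECTED'
echo "quoted path:"
remote_login_shell "$(shell_quote ';echo INJECTED')"
echo "file name with a space, quoted:"
remote_login_shell "$(shell_quote 'my file.txt')"
```

The quoted form still has to pass through the local shell first, which is the double-escaping the report describes: wrapping the result of `shell_quote` in double quotes, as above, is what keeps the local shell from stripping the protective quotes before scp sends them. Note that the sftp subsystem listed in the sshd_config above does not have this problem, because SFTP carries file names inside its own protocol messages rather than on a remote command line.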