
Bug#793412: Bug#796314: openssh: copying special crafted filenames executes shell-command



On 2015-08-21 11:35:08 +0200, bgrpt3@toplitzer.net wrote:
> According to [1] specially crafted filenames containing control characters
> can cause scp to execute commands in the current shell.

It cannot execute arbitrary shell commands (except if the terminal has
an extension to do that via escape sequences, but without a signature
mechanism, such a feature would be too risky in practice), but it can
do everything that is possible via escape sequences. In practice:

  * make the terminal unusable (a terminal reset may be needed, in which
    case one also loses all the data that were in it);

  * possibly send a copy of the terminal to the default printer, which
    may be a shared printer in a lab (this xterm feature is now disabled
    by default, but some users may have enabled it because they use it);

  * try to exploit another security bug. For instance, one can set the
    window title to an arbitrary string, so that this may be a vector
    of attack against the X server and the window manager.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
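
Added example (not part of the message above and not OpenSSH's own code): one way a program can neutralise such filenames before echoing them to a terminal, by writing every byte outside printable ASCII as an octal escape. The function name `sanitize_for_terminal` and the sample filename are constructed for illustration; the filter is deliberately conservative and also escapes non-ASCII bytes.

```c
#include <stdio.h>
#include <string.h>

/* Write a terminal-safe copy of name into out (capacity outlen bytes).
 * Bytes outside 0x20..0x7e (C0 controls such as ESC and BEL, DEL, and all
 * 8-bit bytes, which covers C1 controls) become \ooo; a literal backslash
 * is doubled so the output stays unambiguous.
 * Returns the number of bytes escaped as \ooo, or -1 if out is too small. */
int sanitize_for_terminal(const char *name, char *out, size_t outlen)
{
    size_t o = 0;
    int escaped = 0;

    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p == '\\') {
            if (outlen - o < 3) return -1;      /* 2 bytes + NUL */
            out[o++] = '\\';
            out[o++] = '\\';
        } else if (*p >= 0x20 && *p <= 0x7e) {
            if (outlen - o < 2) return -1;      /* 1 byte + NUL */
            out[o++] = (char)*p;
        } else {
            if (outlen - o < 5) return -1;      /* 4 bytes + NUL */
            o += (size_t)snprintf(out + o, outlen - o, "\\%03o", (unsigned)*p);
            escaped++;
        }
    }
    if (o >= outlen) return -1;                 /* only when outlen == 0 */
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed sample: a filename carrying a window-title sequence. */
    const char *name = "\033]0;constructed\007.txt";
    char safe[128];

    int n = sanitize_for_terminal(name, safe, sizeof safe);
    if (n < 0) return 1;
    printf("%s (%d byte(s) escaped)\n", safe, n);
    return 0;
}
```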

