
Bug#327019: marked as done (ssh: scp allows remote execution of shell commands when semicolon is used in filename)



Your message dated Sat, 09 Apr 2022 13:34:58 +0000
with message-id <E1ndBEw-000F6V-8T@fasolo.debian.org>
and subject line Bug#327019: fixed in openssh 1:9.0p1-1
has caused the Debian Bug report #327019,
regarding ssh: scp allows remote execution of shell commands when semicolon is used in filename
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
327019: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327019
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: critical

Here is my testcase:

$ scp remotehost@';uname -a'
Linux pancake 2.6.11-1-686 #1 Mon Jun 20 22:00:38 MDT 2005 i686 GNU/Linux

That line comes from the remote host (I verified this by trying
hostname command instead of uname -a, that gives the name of the
remote host).

I also tried connecting to my own machine this way (localhost@), and
it executes arbitrary commands, too. So I won't put the versions of
packages on the remote host here, because the ssh server on the local
host is vulnerable as well.

I'm not sure that this is a security hole because a user can anyway
connect with ssh and execute arbitrary commands. But it can possibly
be a vulnerability if the user account has a restricted shell, or PAM
restrictions that allow scp but disallow ssh are in effect. I haven't
checked these cases, but I set this bug's severity to critical just in
case it really turns out to be a security hole.

In addition to being or not being a security hole, it's also a major
bug that prevents transferring files with special characters in their
names via scp. The workaround is to escape them with backslashes.
(Because you are typing the scp command itself in a shell, the
backslashes themselves, along with the other special characters, need
to be escaped, too.)

The user that I was authenticating as had /bin/bash as his shell. The
version of bash package is 3.0-15.

Below is my /etc/ssh/sshd_config.

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication no


# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

Subsystem	sftp	/usr/lib/sftp-server

UsePAM yes



-- System Information:
Debian Release: testing/unstable
  APT prefers testing-proposed-updates
  APT policy: (900, 'testing-proposed-updates'), (900, 'testing'), (900, 'stable'), (800, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11-1-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages ssh depends on:
ii  adduser                3.67              Add and remove users and groups
ii  debconf                1.4.57            Debian configuration management sy
ii  dpkg                   1.13.11           package maintenance system for Deb
ii  libc6                  2.3.5-6           GNU C Library: Shared libraries an
ii  libpam-modules         0.76-23           Pluggable Authentication Modules f
ii  libpam-runtime         0.76-23           Runtime support for the PAM librar
ii  libpam0g               0.76-23           Pluggable Authentication Modules l
ii  libssl0.9.7            0.9.7e-3          SSL shared libraries
ii  libwrap0               7.6.dbs-8         Wietse Venema's TCP wrappers libra
ii  zlib1g                 1:1.2.2-4.sarge.2 compression library - runtime

ssh recommends no packages.

-- debconf-show failed


--- End Message ---
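The quoting problem the report describes, modelled in Python: the legacy scp protocol pastes the remote path into a command line that the remote login shell parses, so metacharacters have to be quoted once for the remote shell (and a second time when the command is typed at a local prompt), while the SFTP protocol carries the path as data. This is an added example, not code from the report or from OpenSSH; the sample paths are constructed, nothing is run remotely, and the flags used are -O (the legacy-protocol switch named in the changelog below) and -s (SFTP mode, present since OpenSSH 8.7).

```python
import shlex
from typing import List
# Constructed sample remote paths; only the first is safe unquoted.
SAMPLE_PATHS = ["report.txt", "my file.txt", "a;b", "it's", "*.log"]

def legacy_remote_command(remote_path: str) -> str:
    """Roughly what legacy scp runs through the remote login shell when
    fetching a file: 'scp -f <path>', with <path> inserted as given."""
    return f"scp -f {remote_path}"

def remote_shell_words(command: str) -> List[str]:
    """Emulate POSIX sh tokenising of that command line: quotes are honoured
    and ; | & < > ( ) become separate operator tokens, as sh would see them."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        return list(lex)
    except ValueError:  # e.g. an unbalanced quote: the remote sh would error out
        return ["<shell syntax error>"]

def quote_for_remote_shell(remote_path: str) -> str:
    """One level of quoting, enough when scp is exec'd with an argv list.
    Also disables the remote glob and ~user expansion the legacy protocol
    otherwise performs (the semantics the 9.0 changelog mentions)."""
    return shlex.quote(remote_path)

def quote_for_local_prompt(remote_path: str) -> str:
    """Two levels: what must be typed at an interactive local shell, because
    the local shell strips one level before the remote shell sees the other."""
    return shlex.quote(quote_for_remote_shell(remote_path))

def check_roundtrip(remote_path: str) -> bool:
    """The remote shell must see exactly three words, the last being the path."""
    cmd = legacy_remote_command(quote_for_remote_shell(remote_path))
    return remote_shell_words(cmd) == ["scp", "-f", remote_path]

def legacy_argv(user: str, host: str, remote_path: str, dest: str) -> List[str]:
    """argv (no local shell involved) for the legacy protocol; -O selects it."""
    return ["scp", "-O", f"{user}@{host}:{quote_for_remote_shell(remote_path)}", dest]

def sftp_argv(user: str, host: str, remote_path: str, dest: str) -> List[str]:
    """argv for the SFTP protocol (-s from 8.7, the default from 9.0): the path
    travels as an SFTP string and never reaches a remote shell, so no quoting."""
    return ["scp", "-s", f"{user}@{host}:{remote_path}", dest]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r:14} unquoted  -> {remote_shell_words(legacy_remote_command(p))}")
        print(f"{'':14} quoted    -> {quote_for_remote_shell(p)}  ok={check_roundtrip(p)}")
        print(f"{'':14} at prompt -> {quote_for_local_prompt(p)}")
```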
--- Begin Message ---
Source: openssh
Source-Version: 1:9.0p1-1
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 327019@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 09 Apr 2022 14:14:10 +0100
Source: openssh
Architecture: source
Version: 1:9.0p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 144579 204546 327019 1007822
Changes:
 openssh (1:9.0p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/releasenotes.html#9.0p1):
     - scp(1): Use the SFTP protocol by default (closes: #144579, #204546,
       #327019). This changes scp's quoting semantics by no longer performing
       wildcard expansion using the remote shell, and (with some server
       versions) no longer expanding ~user paths. The -O option is available
       to use the old protocol. See NEWS.Debian for more details.
     - ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
       exchange method by default ("sntrup761x25519-sha512@openssh.com").
       The NTRU algorithm is believed to resist attacks enabled by future
       quantum computers and is paired with the X25519 ECDH key exchange (the
       previous default) as a backstop against any weaknesses in NTRU Prime
       that may be discovered in the future. The combination ensures that the
       hybrid exchange offers at least as good security as the status quo.
     - sftp-server(8): support the "copy-data" extension to allow server-
       side copying of files/data, following the design in
       draft-ietf-secsh-filexfer-extensions-00.
     - sftp(1): add a "cp" command to allow the sftp client to perform
       server-side file copies.
     - ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's output fd
       closes without data in the channel buffer (closes: #1007822).
     - sshd(8): pack pollfd array in server listen/accept loop. Could cause
       the server to hang/spin when MaxStartups > RLIMIT_NOFILE.
     - ssh-keygen(1): avoid NULL deref via the find-principals and
       check-novalidate operations. bz3409 and GHPR307 respectively.
     - scp(1): fix a memory leak in argument processing.
     - sshd(8): don't try to resolve ListenAddress directives in the sshd
       re-exec path. They are unused after re-exec and parsing errors
       (possible for example if the host's network configuration changed)
       could prevent connections from being accepted.
     - sshd(8): when refusing a public key authentication request from a
       client for using an unapproved or unsupported signature algorithm
       include the algorithm name in the log message to make debugging
       easier.
     - ssh(1), sshd(8): Fix possible integer underflow in scan_scaled(3)
       parsing of K/M/G/etc quantities.
     - sshd(8): default to not using sandbox when cross compiling. On most
       systems poll(2) does not work when the number of FDs is reduced with
       setrlimit, so assume it doesn't when cross compiling and we can't run
       the test.
   * Remove obsolete FAQ, removed from openssh.com in 2016.


--- End Message ---