OpenSSH scp Double Shell Character Expansion During Local-to-Local Copying May Let Local Users Gain Elevated Privileges in Certain Cases
|
|
SecurityTracker Alert ID: 1015540
|
|
SecurityTracker URL: http://securitytracker.com/id?1015540
|
|
CVE Reference: CVE-2006-0225
(Links to External Site)
|
Date: Jan 25 2006
|
Impact: Execution of arbitrary code via local system, User access via local system
|
Description: A vulnerability was reported in scp in OpenSSH. A local user may be able to obtain elevated privileges in certain cases.
When performing local-to-local copying functions, scp expands shell characters in the filename twice before making a system() call.
A filename that contains specially crafted characters may cause arbitrary commands to be executed.
If scp is used to transfer
untrusted files or directories, a local user may be able to cause arbitrary code to be executed with the privileges of the process
running scp.
The original bug report is available at:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026
|
Impact: A local user may be able to obtain elevated privileges in certain cases.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.openssh.org/ (Links to External Site)
|
Cause: State error
|
Underlying OS: Linux (Any), UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Tue, 24 Jan 2006 06:41:05 -0500
Subject: OpenSSH SCP vulnerability
|
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026
> CVE-2006-0225 local to local copy uses shell expansion twice
|
|
