
Decades-Old Flaws Found in SCP Clients


The SCP clients shipped with a number of Linux distributions contain a pair of vulnerabilities that a malicious or compromised server could use to write arbitrary files into the client's target directory and to change the permissions of that directory, opening the way to further compromise. The flaws trace back to code inherited from the 1983 rcp utility, but have only now been brought to light.

SCP (secure copy protocol) is an old file-transfer protocol that runs over SSH, and its client is shipped with many Linux distributions; users employ it to upload files to or download files from a remote server. One of the vulnerabilities, discovered by researcher Harry Sintonen of F-Secure, stems from the clients failing to validate the names of the objects the server sends back in response to a download request. The upshot is that an attacker who controls the server, or who holds a man-in-the-middle position on the connection (which, because SCP rides on SSH, requires the client to accept the attacker's host key), can drop arbitrary files into the directory the user chose as the target of the copy.

The vulnerability affects the SCP client implementations shipped by Debian, Red Hat, and SUSE Linux, the OpenSSH scp client in version 7.9 and earlier, as well as some versions of WinSCP.

“Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys),” the advisory from Sintonen says.

A related vulnerability in the scp client that shipped with SSH, a directory traversal bug, was disclosed and fixed in 2000.

The second vulnerability that Sintonen discovered lies in the way SCP clients validate the name of the directory into which files are being transferred: the name is not checked for being empty, or for being the single dot that denotes the target directory itself, so a directory record carrying either name is applied to the client's target directory.

“The scp client allows server to modify permissions of the target directory by using empty ("D0777 0 \n") or dot ("D0777 0 .\n") directory name,” the advisory says.

That vulnerability affects OpenSSH and WinSCP version 5.13 and earlier.
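To make both findings concrete, here is an added Python model of the control records an scp server sends and of two client-side name checks. It is written for this article; it is not code from the OpenSSH or WinSCP clients and not part of Sintonen's advisory. The record stream, the target directory and the requested filename are constructed for the example, the record grammar is simplified to the C/D/E records the advisory mentions, and the "strict" policy is an illustration of the kind of check that closes these holes, not the actual patch shipped by any project. The model also applies a D record's mode to the directory directly, which simplifies what a real client does.

```python
import re
from typing import Callable, List, Optional, Tuple

# One scp control record as the server sends it: C<mode> <length> <name>
# for a file, D<mode> 0 <name> to enter a directory. 'E' leaves a directory.
# (Simplified grammar for this example; timestamp 'T' records are omitted.)
_RECORD = re.compile(r'^([CD])([0-7]{4}) (\d+) (.*)$')


def parse_record(line: str) -> Tuple[str, int, int, str]:
    """Split one control record into (kind, mode, length, name)."""
    m = _RECORD.match(line.rstrip('\n'))
    if not m:
        raise ValueError(f"malformed scp record: {line!r}")
    kind, mode, length, name = m.groups()
    return kind, int(mode, 8), int(length), name


# A policy decides whether the client acts on a record: (name, requested, kind) -> ok
Policy = Callable[[str, Optional[str], str], bool]


def cursory_check(name: str, requested: Optional[str], kind: str) -> bool:
    """The 'cursory validation' the advisory describes: only a traversal
    component is refused. Unrequested names, '.' and '' all pass."""
    return name != '..' and '/' not in name


def strict_check(name: str, requested: Optional[str], kind: str) -> bool:
    """Hardened policy (illustration only, not OpenSSH's patch): refuse
    empty, '.', '..', any name containing '/' or NUL, and, when a single
    file was requested, any directory record or any other file name."""
    if name in ('', '.', '..') or '/' in name or '\x00' in name:
        return False
    if requested is not None and (kind == 'D' or name != requested):
        return False
    return True


def process(records: List[str], target_dir: str,
            requested: Optional[str], policy: Policy) -> List[str]:
    """Replay a server's record stream and return the filesystem actions
    a client following `policy` would take."""
    actions: List[str] = []
    for line in records:
        if line.rstrip('\n') == 'E':
            actions.append('leave-dir')
            continue
        kind, mode, length, name = parse_record(line)
        if not policy(name, requested, kind):
            actions.append(f'reject {name!r}')
            continue
        # '' and '.' both resolve to the target directory itself, which is
        # why a D record carrying them re-chmods the client's target directory.
        path = target_dir if name in ('', '.') else f'{target_dir}/{name}'
        if kind == 'C':
            actions.append(f'write {path} mode={mode:04o} bytes={length}')
        else:
            actions.append(f'chmod {path} mode={mode:04o}')
    return actions


# Constructed stream from a malicious server answering `scp host:hello.txt .`
MALICIOUS_STREAM = [
    'C0644 5 hello.txt\n',       # the one file the user asked for
    'C0644 30 .bash_aliases\n',  # unrequested file written beside it
    'D0777 0 .\n',               # dot name: target directory becomes 0777
    'D0777 0 \n',                # empty name: same effect
    'E\n',
]

TARGET = '/home/alice'  # constructed target directory for the example


def replay(policy: Policy) -> List[str]:
    """Run the constructed malicious stream under one policy."""
    return process(MALICIOUS_STREAM, TARGET, 'hello.txt', policy)


if __name__ == '__main__':
    for label, policy in (('cursory', cursory_check), ('strict', strict_check)):
        print(label)
        for action in replay(policy):
            print('  ', action)
```

Under the cursory policy the client writes the requested file, then also writes `.bash_aliases` and twice sets the target directory to mode 0777; under the strict policy only `hello.txt` is written and the three hostile records are refused. The `requested` argument is what a non-recursive single-file copy knows and a recursive one does not, which is why the advisory singles out `-r` as the case where the server can reach into subdirectories.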

Sintonen also uncovered two less severe vulnerabilities that can be used to manipulate the client's output and so disguise the inclusion of unrequested files in a download from the server.