SSHtranger Things: OpenSSH scp arbitrary file write PoC (CVE-2019-6111)

Disclosure: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

PoC Announcement: https://mobile.twitter.com/HyperionGray/status/1086011569417392129

PoC Code: https://gist.github.com/mehaase/63e45c17bdbbd59e8e68d02ec58f4ca2

Vulnerable versions of scp do not verify that the filenames sent by the server match what the client requested, allowing a malicious server to overwrite unintended files. scp also prints the server’s stderr stream without any sanitization, allowing the server to send ANSI codes to cover up the transfer of the malicious file. This is unpatched in Ubuntu 18.04 LTS as well as other major distros. One user on Twitter says that it won’t be fixed at all in RHEL 56.

This demo shows a user requesting file.txt. The server sends file.txt followed by exploit.txt, then sends ANSI commands that move the cursor so that the transfer of exploit.txt is concealed.

SSHtranger Things PoC Demo
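
The two client-side checks whose absence is described above, as an added example (not code from the original post or from OpenSSH): validate each "C<mode> <size> <name>" / "D<mode> <size> <name>" record the server sends against the requested name, and render stderr with control bytes made visible. The function names and the sample input are hypothetical, and only a single-level (non-recursive) transfer is covered.

```python
import fnmatch
import re

# scp source-side control record: "C<mode> <size> <name>" (file) or
# "D<mode> <size> <name>" (directory), terminated by a newline.
RECORD = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")

def check_record(line, requested):
    """Return the filename if the server's record is acceptable, else raise."""
    m = RECORD.match(line.rstrip("\n"))
    if not m:
        raise ValueError("malformed control record")
    name = m.group(4)
    # A name must be a single path component, never a path or a dot entry.
    if "/" in name or name in (".", ".."):
        raise ValueError(f"unsafe filename from server: {name!r}")
    # The name must match the last component of what the user asked for
    # (shell-style globs such as *.txt are allowed).
    pattern = requested.rstrip("/").rsplit("/", 1)[-1]
    if not fnmatch.fnmatchcase(name, pattern):
        raise ValueError(f"server sent unrequested file: {name!r}")
    return name

def sanitize_stderr(data: bytes) -> str:
    """Make control bytes visible so ANSI cursor-movement sequences
    from the server cannot rewrite what the terminal shows."""
    out = []
    for b in data:
        if b in (0x09, 0x0A) or 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)

def audit(requested, records, stderr):
    """Split server records into accepted names and rejection reasons."""
    accepted, rejected = [], []
    for line in records:
        try:
            accepted.append(check_record(line, requested))
        except ValueError as exc:
            rejected.append(str(exc))
    return accepted, rejected, sanitize_stderr(stderr)

# Constructed sample: the user asked for file.txt, the server sends two
# records and then cursor-movement escapes on stderr.
SAMPLE_RECORDS = ["C0644 12 file.txt\n", "C0644 20 exploit.txt\n"]
SAMPLE_STDERR = b"\x1b[1A\x1b[2K done\n"

if __name__ == "__main__":
    print(audit("file.txt", SAMPLE_RECORDS, SAMPLE_STDERR))
```

With the sample input, only file.txt is accepted, exploit.txt is reported as unrequested, and the escape bytes appear as literal `\x1b` text instead of moving the cursor.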

Let us know if you would be interested in a more detailed writeup!

