PoC Announcement: https://mobile.twitter.com/HyperionGray/status/1086011569417392129
Vulnerable versions of scp do not verify the filenames sent by the server, allowing a malicious server to overwrite unintended files. scp also prints the server's stderr stream without any sanitization, allowing the server to send ANSI codes to cover up the transfer of the malicious file. This is unpatched in Ubuntu 18.04 LTS as well as other major distros. One user on Twitter says that it won't be fixed at all in RHEL 5/6.
This demo shows a user requesting file.txt. The server sends file.txt followed by exploit.txt, then sends ANSI commands to move the cursor so that the transfer of exploit.txt is concealed.
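The two missing client-side checks described above, as an added Python illustration (not OpenSSH's code and not the PoC): the first accepts a file record from the server only if its name is a bare filename equal to what was requested, so a response to a request for file.txt cannot carry exploit.txt; the second strips ANSI control sequences from server stderr before it is displayed. The scp "C" record format and the sample server records are constructed for the example.

```python
import re

# scp sends one control record per file: "C<mode> <size> <name>\n".
# Constructed parser and checks; an added illustration, not OpenSSH code.
_CREC = re.compile(r"^C([0-7]{4}) (\d+) (.+)$")

def parse_file_record(line: str):
    """Parse a 'C' record into (mode, size, name); raise on malformed input."""
    m = _CREC.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"malformed file record: {line!r}")
    return int(m.group(1), 8), int(m.group(2)), m.group(3)

def filename_is_acceptable(name: str, requested: str) -> bool:
    """Accept only a bare filename equal to the one the client asked for.
    Path separators, '.', '..', empty names and control characters are
    rejected outright; the final equality check is what stops a server
    answering a request for file.txt with exploit.txt."""
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False
    return name == requested

# CSI sequences such as ESC[2A (cursor up), the kind used to hide a transfer line.
_ANSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")

def sanitize_stderr(data: str) -> str:
    """Make server stderr safe to print: drop ANSI CSI sequences and replace
    any remaining control character (except newline and tab) with '?'."""
    data = _ANSI.sub("", data)
    return "".join(c if c in "\n\t" or 0x20 <= ord(c) < 0x7F else "?" for c in data)

def filter_transfer(records, requested: str):
    """Walk the server's 'C' records and return (accepted, rejected) filenames."""
    accepted, rejected = [], []
    for rec in records:
        _, _, name = parse_file_record(rec)
        (accepted if filename_is_acceptable(name, requested) else rejected).append(name)
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample of a server answering a request for file.txt with two files.
    server_records = ["C0644 5 file.txt\n", "C0644 9 exploit.txt\n"]
    print(filter_transfer(server_records, "file.txt"))      # (['file.txt'], ['exploit.txt'])
    print(repr(sanitize_stderr("ok\x1b[2Ahidden\x07\n")))   # 'okhidden?\n'
```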
Let us know if you would be interested in a more detailed writeup!