Shulou(Shulou.com)05/31 Report--

This article shows you what the OpenSSH command injection vulnerability CVE-2020-15778 notice is like, the content is concise and easy to understand, can definitely make your eyes bright, through the detailed introduction of this article, I hope you can get something.

1. Summary of vulnerabilities

Researcher Chinmay Pandya discovered a loophole in Openssh on June 9, 2020, which was made public on July 18, 2020. Scp in OpenSSH's 8.3p1 allows commands to be injected into the scp.c remote function, which can be exploited by an attacker to execute arbitrary commands. At present, most linux systems are affected. We are convinced that the security research team assesses and notifies vulnerabilities based on their importance and impact.

II. Vulnerability Analysis 2.1introduction of OpenSSH

OpenSSH is an open source implementation for remote login using the SSH protocol. Prevent eavesdropping, connection hijacking and other attacks by encrypting interactive traffic. OpenSSH is developed by some developers on the OpenBSD project, is provided under a BSD-style license, and has been integrated into many commercial products.

2.2 vulnerability description

Researcher Chinmay Pandya found a command injection vulnerability in the scp component of openssh. Scp in OpenSSH's 8.3p1 allows commands to be injected into the scp.c remote function, which can be exploited by an attacker to execute arbitrary commands. At present, most linux systems are affected.

2.2.1 introduction to the scp command

Scp is the abbreviation of secure copy. In linux system, scp is used to copy files and directories between linux, and to carry out secure remote file copy commands based on ssh login. This command is implemented by scp.c of openssh and other related code.

2.2.2 vulnerability recurrence

I am convinced that Qianlimu Lab conducted poc verification at the first time when poc was made public, confirming that the poc currently disclosed on the Internet has the ability to exploit vulnerabilities, as shown in the figure:

2.2.3 poc analysis

When copying a file to a remote host, the path to the file is appended to the local scp command, and when the local scp command is executed, scp does not check, filter, and clear the file name. This allows the local shell to execute commands in backquotes when an attacker executes a valid scp command with backquotes.

III. Scope of influence

[affected version]

Openssh

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.