What are the vulnerabilities in the scp command

2025-01-17 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

This article looks at a vulnerability in the scp command. Most people probably do not know much about it, so it is shared here for reference.

On Hacker News, a recently announced scp command vulnerability made headlines. This vulnerability may affect most computers, and it went unnoticed for 35 years before it was discovered!

Recently, someone using the JSch library from Java found a problem in how the system executes the scp command.

Normally, the command we run looks like this:

But since scp does not escape or restrict this path, we can also execute the following command:

In this way, the `scp -f` command is executed first, followed by the `touch /tmp/foo` command.

Originally, the author thought that this was a vulnerability in the JSch library and reported it to JSch. JSch replied that this was a flaw in OpenSSH, and that OpenSSH's scp command and rsync had the same problem.

The OpenSSH maintainers replied:
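An added example, not from the original article or from OpenSSH or JSch: a local simulation of the remote side, which receives `scp -f <path>` as one string and hands it to the account's shell, run once with the path as-is and once single-quoted. The stub `scp`, the `marker` file, the sample path and the helper names `sh_quote` and `simulate_remote` are constructed for illustration.

```shell
#!/bin/sh
# Constructed simulation: no network and no real scp are involved.

# Single-quote a string for a POSIX shell (each ' becomes '\'').
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Run "scp -f <path>" the way the server side does: as ONE string passed
# to `sh -c`. A do-nothing stub named scp stands in for the real binary.
# Prints "injected" if a second command created the marker, else "clean".
simulate_remote() {   # $1 = path text exactly as placed in the command
    work=$(mktemp -d) || return 1
    mkdir "$work/bin"
    printf '#!/bin/sh\nexit 0\n' > "$work/bin/scp"
    chmod +x "$work/bin/scp"
    ( cd "$work" && PATH="$work/bin:$PATH" sh -c "scp -f $1" ) \
        >/dev/null 2>&1 || true
    if [ -e "$work/marker" ]; then result=injected; else result=clean; fi
    rm -rf "$work"
    echo "$result"
}

# Constructed input: a "file name" that carries a second command.
# It touches a marker in a scratch directory instead of /tmp/foo.
sample='/tmp/x; touch marker'

echo "path as-is:  $(simulate_remote "$sample")"
echo "path quoted: $(simulate_remote "$(sh_quote "$sample")")"
```

Quoting the path also stops the remote shell from expanding wildcards in it, so code that builds the `scp -f` string itself has to choose between the two behaviours.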

So this turns out to be another specification-related issue.

Given this scp vulnerability, it is recommended that you use SFTP or `rsync -s` instead.

Someone has also put together a timeline for this vulnerability!

The vulnerability has now been fixed, and the fix is available here: https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2.
