file to the victim's home directory when the victim performs an scp operation from the
server. The transfer of the extra files is hidden by sending ANSI control sequences
via stderr. For example:
user@local:~$ scp user@remote:readme.txt .
readme.txt 100% 494 1.6KB/s 00:00
user@local:~$
2. Once the victim launches a new shell, the malicious commands in .bash_aliases get
executed.
*) The Man-in-the-Middle attack does require the victim to accept the wrong host
fingerprint.
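The hiding trick above relies on the client's terminal interpreting whatever the server writes to stderr. The following is an added example, not code from the advisory or from OpenSSH, of the defensive rendering a client should apply: every server-supplied byte is made visible, so a cursor-up/erase-line sequence cannot remove the progress line of a smuggled file. The sample stderr bytes are constructed for the example.

```python
import re

# Constructed sample, not from the advisory: the bytes a malicious scp server
# could write to the client's stderr. ESC[1A moves the cursor up one line and
# ESC[2K erases that line, so a terminal that interprets them would hide the
# progress line scp printed for the extra file.
MALICIOUS_STDERR = b"\x1b[1A\x1b[2K"

# ANSI CSI sequences: ESC '[' parameter bytes, intermediate bytes, final byte.
CSI_RE = re.compile(rb"\x1b\[[0-?]*[ -/]*[@-~]")


def sanitize_server_stderr(data: bytes) -> str:
    """Render server-supplied stderr so that nothing in it is invisible.

    CSI sequences are replaced by a readable <ESC...> marker, and every other
    control byte apart from newline is shown as \\xNN. The output still shows
    what the server tried to send, but can no longer move the cursor or erase
    lines on the user's terminal.
    """
    visible = CSI_RE.sub(lambda m: b"<ESC" + m.group(0)[1:] + b">", data)
    out = []
    for byte in visible:
        if byte == 0x0A or 0x20 <= byte < 0x7F:
            out.append(chr(byte))
        else:
            out.append("\\x%02x" % byte)
    return "".join(out)


if __name__ == "__main__":
    # A real client would pass the server's stderr through this before printing.
    print(sanitize_server_stderr(MALICIOUS_STDERR + b"\n"))
```

With the escaping in place the user sees `<ESC[1A><ESC[2K>` on the terminal instead of a vanished line, which is exactly the signal that something unexpected came back from the server.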
Vulnerabilities
---------------
1. CWE-20: scp client improper directory name validation [CVE-2018-20685]
The scp client allows the server to modify the permissions of the target directory by
sending a directory entry with an empty ("D0777 0 \n") or dot ("D0777 0 .\n") name.
2. CWE-20: scp client missing received object name validation [CVE-2019-6111]
Because the scp implementation is derived from the 1983 rcp [1], the server chooses which
files/directories are sent to the client. However, the scp client performs only cursory
validation of the object names it receives (only directory traversal attacks are prevented).
A malicious scp server can therefore overwrite arbitrary files in the scp client's target
directory. If a recursive operation (-r) is performed, the server can manipulate
subdirectories as well (for example, overwrite .ssh/authorized_keys).
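As an added illustration of both findings, and not code from the advisory or from OpenSSH, the following Python model parses the server's scp headers and runs them through two client-side name checks: the cursory one described above, which rejects only traversal, and a stricter one in the spirit of the patched client, which rejects ".", ".." and empty names and requires every received name to match the pattern the user requested. The header format is the rcp-style one used on the wire; the server response, file names and sizes are constructed for the example.

```python
import fnmatch
import re
from dataclasses import dataclass

# Model of the rcp-derived scp wire protocol as used for the example: the
# server announces each object with a header line, "C<mode> <size> <name>"
# for a file or "D<mode> <size> <name>" for a directory, and the client
# creates whatever the header names inside its target directory.
HEADER_RE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.*)$")


@dataclass
class Header:
    kind: str   # "C" for a file, "D" for a directory
    mode: int   # permission bits, e.g. 0o777
    size: int
    name: str


def parse_header(line: str) -> Header:
    m = HEADER_RE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError("malformed scp header: %r" % line)
    kind, mode, size, name = m.groups()
    return Header(kind, int(mode, 8), int(size), name)


def legacy_name_ok(name: str) -> bool:
    """The cursory check: only directory traversal is rejected, so ".",
    an empty name and any other file name the server picks are accepted."""
    return "/" not in name and name != ".."


def hardened_name_ok(name: str, requested: str) -> bool:
    """Stricter check: reject empty, "." and ".." names and any slash, then
    require the name to match the pattern the user actually asked for."""
    if name in ("", ".", "..") or "/" in name:
        return False
    return fnmatch.fnmatchcase(name, requested)


# Constructed server response for `scp user@remote:readme.txt .`: the file
# that was requested, then the objects a malicious server would add.
MALICIOUS_RESPONSE = [
    "C0644 494 readme.txt\n",
    "C0644 37 .bash_aliases\n",  # extra file dropped into the target directory
    "D0777 0 .\n",               # "." makes the client chmod the target directory
    "D0777 0 \n",                # same effect through an empty name
    "C0644 10 ../evil\n",        # traversal, rejected by both checks
]


def simulate_client(response, name_check):
    """Return (kind, mode, name) for every object a client using name_check
    would create or modify; headers failing the check are dropped."""
    created = []
    for line in response:
        h = parse_header(line)
        if name_check(h.name):
            created.append((h.kind, h.mode, h.name))
    return created


if __name__ == "__main__":
    print("legacy  :", simulate_client(MALICIOUS_RESPONSE, legacy_name_ok))
    print("hardened:", simulate_client(
        MALICIOUS_RESPONSE, lambda n: hardened_name_ok(n, "readme.txt")))
```

The legacy check lets through readme.txt, .bash_aliases, "." and the empty name and refuses only "../evil"; the hardened check keeps readme.txt alone. Two caveats a practitioner should keep in mind: a wildcard request such as `scp 'user@remote:*' .` still admits dotfiles, because `*` in fnmatch matches a leading dot, and with -r the same check has to be applied to every entry inside every received subdirectory, since a single accepted directory name is enough to reach .ssh/.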