SCP stands for secure copy it's a way of copying files between two different machines

using SSH as a sort of background

transport protocol to make the copy

So it's a secure way of copying a file from one remote machine to your local machine or vice versa

Personally I use it all the time to copy files from my laptop to the desktop machines particularly from outside the office and so on

It's a very easy way to do things from the command line

so he talked about SCP the name of a machine and then the file we want to copy so I know it's

Stored at this location remember name and so they want Corey to the local machines. I don't give a machine name

We're just in this case

I'm putting a full stop for the current directory hit return ask me for my password

And it starts copying it in this case. It's going over to wireless network. So it's not going that fast, but it's copying it off

This machine on here. And so we're copying that file from that machine to here

So the books that were sort of disclosed by Harry Sentinel and f-secure

Basically allow a malicious server

When you ask it to copy a file it allows a malicious server to return

Basically any file it likes to your machine. There are some limitations and the client will happily write it into the right thing

even if it's not a file it requested so I could say please download our PI to

Our PI - image GZ from my machine and the server could say here. Here's dot bash profile

and it would copy that into the current directory and if that was the

My home directory that would override my dot bash profile

Which is a script that gets run every time I log into the machine and so the server would be able to pass it down

A file but the next time I logged on would allow the malicious actor who's taking control of the server to sort of

Infect my machine with some code that they wanted to run the way the exploit works. The server is able in certain circumstances to

Not send down the file that the user

requested

But to send something else down and put it in a way that and that it gets the client to put it in a place

where it could potentially

overwrite some files they contain

authorized keys that allow you to log into the system or

Replace a script that gets run a startup like your batch profile. I mean actually this burg dates back way before

SCP existed because it's actually come from an earlier program called RCP, which start was stood for remote

Copy did pretty much the same thing, but unlike SCP. It didn't bother encrypting the data as it went over

He just did a straight transfer. This was written in 1983. It's part of one of the early berkeley

Releases of unix and there's been quite popular until obviously SCP came along in the mid 90s

SCP takes the RTP protocol and basically implements it exactly the same but using a secure transport using ssh

To transfer the data the interesting thing though

Is that both the way that SCP and RCP work is I find a little bit interesting and that when I ran

This command on my machine here SCP it connected to the other machine

But you might think okay talk to the SSH daemon on there

The protis is a server on there and says please send me this file but somebody does

if I run that program again and

I chose a file that was big enough. It would take a while to do that. I'm gripped to see what SCP is doing

So I'm looking all the processes and particularly the ones that are SCP. I

Find the program I ran SCP. Jailer the name of the machine to copy the file

But there's also this other one on the line above and what's actually happening the way

SCP actually work because it makes a standard SSH connection from my laptop to the remote machine or whatever machines are connecting and

It runs the SCP program on the remote machines with a specific flag in this case

It's minus F and then the name of the file that you want to copy

And if we look on this machine just to show the case

Then we can see again that that program is running on that machine

So the way that SCP works it connects to the remote machine and runs

SCP on there

with a flag telling it it's being run on the remote machine and if you look in the source code for SCP you can see

How it does that it detects that flag in it, then those it's going to send a file back over and what SCP does?

Is it sends their over a little header which describes the fire that's going to send and then it just sends the data

Over the standard output the UNIX provides which gets routed over the SSH connection back to the copy of SCP

You're running on machine, which doesn't writes it out the disk

So let's have a look at how that sends things and we can do that

Because if we go back to where we're transferring the file and stop it, we can actually ask SSH or SCP in this case

They give us more information about what's going on and get it to print out

The message isn't is something between thing give us debug information by using the minus V flag. So if we run

SCP again with minus V in there

Then we get all sorts of information about the key exchanges that are happening

It's asking me for my password again, and then eventually we get down here

Where it says I'm sending the command that I want to run so it sent the command

SCP with the minus three and the minus F flags across that's now running on the other machine

We can see it running on there

And then it shows us the command that it received from the copy of SCP running on this thing

so we got the line of text capital C and

then the

permission bytes for the file in this case 0 644 in octal and standard UNIX permissions

We've got the size of the file in bytes three four one zero seven

Nine one one more one in this case a big file and then the file name and then we can see it

Transferring the file and occasionally as it's doing that

We'll see the keys get updated as it changes encryption keys to make sure that we don't lose anything. The problem is

That this line here the ones preceded sync the source code before the SCP client

Just takes the filename that's returned and uses that as the file

It writes to the disk now just do some simple checks it checks that you're not trying to traverse up the directory structure

It checks that you haven't given it an absolute path. But other than that, it just writes that file

to do so if you were to write a malicious piece of software and all we need to do is replace the

SCP command on the remote machine

Don't you do anything more complicated than write a program that?

Returns the right values to compromise the system and then replace the SCP binary on that machine

We've got root access to that server. That would be relatively easy

for us to do

so what we need to do is change the value that

gets sent back and

then this client because he doesn't check that value is a what it asked for or

B make sense beyond some very very simple checks. We'll write that new file

Into the current directory or if you've asked for a recursive copy copy lots of files in different directories

It could write them into other directories or it could even change the permission on the current directory. So it

could be used in certain circumstances to

Enable people who've got control of the server

To push files down onto your client when you use that command

I mean some ways this functionality has to be there because we specify our wild-card and you're copying files

You don't know what their names are

Then the server has to be able to drive the client what files is going to send down?

Otherwise you'd have to know what the files are on the server before you could copy them down

I think the real core the problem here is it's not doing

Perhaps stringent enough checks and that there are certain things that you can send down

for example

It can send down a line that forces the client to change

The permissions of the current directory and it's just not doing quite enough checks

It's relatively simple to fix making sure the checks on the returned file make sense. So for example if we request in one file

That we get that one file if we were dressed it to copy a directory that the files that come down and inside that directory

If we requested a wild-card

to select multiple files that actually

The file names that it's sending to us matched that one cause it's just a matter of putting a few more stringent checks

Into the actual program. Should we be worried too much about this? Well, there are other things we can do

For example, we could use SFTP rather than SCP to do that. It has been patched in certain versions of

OpenSSH now which will be coming out soon certain variants of it's still there and things like PS CP and

winscp on windows

it has the potential if we're not careful that you could do something but I

Think there's another ways around at the moment and something we can patch the software and get around it

But it's interesting because it's sort of the very simple file transfer protocol that was developed for our CP

He was just copied straight over

in the mid-90s when SSH first came along

And he's been left there and these things have been there for the past. Well 30

35 years, I guess almost those six years

Lying there in the various different things, but of course, perhaps people haven't tried to exploit them before

now I've got the token so I can lay the value in AD the valley from emerged or into it and

Store it back and hand the target and now I've got the token again. I can load something into my register

The problem is that suppose we want to do like a big Gaussian blur or really large window. This is going to get slow

really really quickly