Subtitles section Play video Print subtitles Earlier this week. There was a sort of announcement about a bug in a program called SCP SCP stands for secure copy it's a way of copying files between two different machines using SSH as a sort of background transport protocol to make the copy So it's a secure way of copying a file from one remote machine to your local machine or vice versa Personally I use it all the time to copy files from my laptop to the desktop machines particularly from outside the office and so on It's a very easy way to do things from the command line so he talked about SCP the name of a machine and then the file we want to copy so I know it's Stored at this location remember name and so they want Corey to the local machines. I don't give a machine name We're just in this case I'm putting a full stop for the current directory hit return ask me for my password And it starts copying it in this case. It's going over to wireless network. So it's not going that fast, but it's copying it off This machine on here. And so we're copying that file from that machine to here So the books that were sort of disclosed by Harry Sentinel and f-secure Basically allow a malicious server When you ask it to copy a file it allows a malicious server to return Basically any file it likes to your machine. There are some limitations and the client will happily write it into the right thing even if it's not a file it requested so I could say please download our PI to Our PI - image GZ from my machine and the server could say here. Here's dot bash profile and it would copy that into the current directory and if that was the My home directory that would override my dot bash profile Which is a script that gets run every time I log into the machine and so the server would be able to pass it down A file but the next time I logged on would allow the malicious actor who's taking control of the server to sort of Infect my machine with some code that they wanted to run the way the exploit works. The server is able in certain circumstances to Not send down the file that the user requested But to send something else down and put it in a way that and that it gets the client to put it in a place where it could potentially overwrite some files they contain authorized keys that allow you to log into the system or Replace a script that gets run a startup like your batch profile. I mean actually this burg dates back way before SCP existed because it's actually come from an earlier program called RCP, which start was stood for remote Copy did pretty much the same thing, but unlike SCP. It didn't bother encrypting the data as it went over He just did a straight transfer. This was written in 1983. It's part of one of the early berkeley Releases of unix and there's been quite popular until obviously SCP came along in the mid 90s SCP takes the RTP protocol and basically implements it exactly the same but using a secure transport using ssh To transfer the data the interesting thing though Is that both the way that SCP and RCP work is I find a little bit interesting and that when I ran This command on my machine here SCP it connected to the other machine But you might think okay talk to the SSH daemon on there The protis is a server on there and says please send me this file but somebody does if I run that program again and I chose a file that was big enough. It would take a while to do that. I'm gripped to see what SCP is doing So I'm looking all the processes and particularly the ones that are SCP. I Find the program I ran SCP. Jailer the name of the machine to copy the file But there's also this other one on the line above and what's actually happening the way SCP actually work because it makes a standard SSH connection from my laptop to the remote machine or whatever machines are connecting and It runs the SCP program on the remote machines with a specific flag in this case It's minus F and then the name of the file that you want to copy And if we look on this machine just to show the case Then we can see again that that program is running on that machine So the way that SCP works it connects to the remote machine and runs SCP on there with a flag telling it it's being run on the remote machine and if you look in the source code for SCP you can see How it does that it detects that flag in it, then those it's going to send a file back over and what SCP does? Is it sends their over a little header which describes the fire that's going to send and then it just sends the data Over the standard output the UNIX provides which gets routed over the SSH connection back to the copy of SCP You're running on machine, which doesn't writes it out the disk So let's have a look at how that sends things and we can do that Because if we go back to where we're transferring the file and stop it, we can actually ask SSH or SCP in this case They give us more information about what's going on and get it to print out The message isn't is something between thing give us debug information by using the minus V flag. So if we run SCP again with minus V in there Then we get all sorts of information about the key exchanges that are happening It's asking me for my password again, and then eventually we get down here Where it says I'm sending the command that I want to run so it sent the command SCP with the minus three and the minus F flags across that's now running on the other machine We can see it running on there And then it shows us the command that it received from the copy of SCP running on this thing so we got the line of text capital C and then the permission bytes for the file in this case 0 644 in octal and standard UNIX permissions We've got the size of the file in bytes three four one zero seven Nine one one more one in this case a big file and then the file name and then we can see it Transferring the file and occasionally as it's doing that We'll see the keys get updated as it changes encryption keys to make sure that we don't lose anything. The problem is That this line here the ones preceded sync the source code before the SCP client Just takes the filename that's returned and uses that as the file It writes to the disk now just do some simple checks it checks that you're not trying to traverse up the directory structure It checks that you haven't given it an absolute path. But other than that, it just writes that file to do so if you were to write a malicious piece of software and all we need to do is replace the SCP command on the remote machine Don't you do anything more complicated than write a program that? Returns the right values to compromise the system and then replace the SCP binary on that machine We've got root access to that server. That would be relatively easy for us to do so what we need to do is change the value that gets sent back and then this client because he doesn't check that value is a what it asked for or B make sense beyond some very very simple checks. We'll write that new file Into the current directory or if you've asked for a recursive copy copy lots of files in different directories It could write them into other directories or it could even change the permission on the current directory. So it could be used in certain circumstances to Enable people who've got control of the server To push files down onto your client when you use that command I mean some ways this functionality has to be there because we specify our wild-card and you're copying files You don't know what their names are Then the server has to be able to drive the client what files is going to send down? Otherwise you'd have to know what the files are on the server before you could copy them down I think the real core the problem here is it's not doing Perhaps stringent enough checks and that there are certain things that you can send down for example It can send down a line that forces the client to change The permissions of the current directory and it's just not doing quite enough checks It's relatively simple to fix making sure the checks on the returned file make sense. So for example if we request in one file That we get that one file if we were dressed it to copy a directory that the files that come down and inside that directory If we requested a wild-card to select multiple files that actually The file names that it's sending to us matched that one cause it's just a matter of putting a few more stringent checks Into the actual program. Should we be worried too much about this? Well, there are other things we can do For example, we could use SFTP rather than SCP to do that. It has been patched in certain versions of OpenSSH now which will be coming out soon certain variants of it's still there and things like PS CP and winscp on windows it has the potential if we're not careful that you could do something but I Think there's another ways around at the moment and something we can patch the software and get around it But it's interesting because it's sort of the very simple file transfer protocol that was developed for our CP He was just copied straight over in the mid-90s when SSH first came along And he's been left there and these things have been there for the past. Well 30 35 years, I guess almost those six years Lying there in the various different things, but of course, perhaps people haven't tried to exploit them before now I've got the token so I can lay the value in AD the valley from emerged or into it and Store it back and hand the target and now I've got the token again. I can load something into my register The problem is that suppose we want to do like a big Gaussian blur or really large window. This is going to get slow really really quickly
A2 scp file machine copy ssh directory Secure Copy Vulnerability (SCP) - Computerphile 4 0 林宜悉 posted on 2020/03/27 More Share Save Report Video vocabulary