From: Russ Allbery <rra@debian.org>

Date: Thu, 17 Jan 2019 19:21:40 -0800

Subject: Verify scp command options

ESnet discovered a security vulnerability in the scp backend for

rssh.  Since the arguments to scp on the server side were not

checked, the client could pass in arbitrary scp command-line flags,

including setting arbitrary scp options.  This allows setting the

option PKCS11Provider, which loads and executes code from a shared

module.

Even if the -o flag is blocked, this is still possible via -F to

load an already-uploaded ssh configuration file, or, if .ssh/config

is writable, by just uploading that configuration file directly

first.

Attempt to protect against this attack by checking the command line

of scp and only allowing the options that are passed to the server

end of the connection.  Require either -f or -t be given, which

disables scp's attempts to connect to a remote host.  Allow these as

-pf and -pt, which are sent by libssh2.

Debian Bug#919623

---

 util.c | 44 ++++++++++++++++++++++++++++++++++++++++++--

 1 file changed, 42 insertions(+), 2 deletions(-)

diff --git a/util.c b/util.c

index dc8c8fb..4203eac 100644

--- a/util.c

+++ b/util.c

@@ -266,6 +266,43 @@ static int rsync_okay( char **vec )

 }

+/*

+ * scp_okay() - take the command line and check that it is a hopefully-safe scp

+ *		server command line, accepting only very specific options.

+ *		Returns FALSE if the command line should not be allowed, TRUE

+ *		if it is okay.

+ */

+static int scp_okay( char **vec )

+{

+	int saw_f_or_t = FALSE;

+

+	for ( vec++; vec && *vec; vec++ ){

+		/* Allowed options. */

+		if ( strcmp(*vec, "-v") == 0 ) continue;

+		if ( strcmp(*vec, "-r") == 0 ) continue;

+		if ( strcmp(*vec, "-p") == 0 ) continue;

+		if ( strcmp(*vec, "-d") == 0 ) continue;

+		if ( strcmp(*vec, "-f") == 0 || strcmp(*vec, "-pf") == 0 ){

+			saw_f_or_t = TRUE;

+			continue;

+		}

+		if ( strcmp(*vec, "-t") == 0 || strcmp(*vec, "-pt") == 0 ){

+			saw_f_or_t = TRUE;

+			continue;

+		}

+

+		/* End of arguments. */

+		if ( strcmp(*vec, "--") == 0 ) break;

+

+		/* Any other argument is not allowed. */

+		if ( *vec[0] == '-' ) return FALSE;

+	}

+

+	/* Either -f or -t must have been given. */

+	return saw_f_or_t;

+}

+

+

 /*

  * check_command_line() - take the command line passed to rssh, and verify

  *			  that the specified command is one the user is

@@ -281,8 +318,11 @@ char *check_command_line( char **cl, ShellOptions_t *opts )

 		return PATH_SFTP_SERVER;

 	if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){

-		/* filter -S option */

-		if ( opt_filter(cl, 'S') ) return NULL;

+		if ( !scp_okay(cl) ){

+			fprintf(stderr, "\ninsecure scp option not allowed.");

+			log_msg("insecure scp option in scp command line");

+			return NULL;

+		}

 		return PATH_SCP;

 	}