
Re: [suse-security] OpenSSH scp command expansion bug - is it local or remote?



On Tue, Feb 14, 2006 at 03:19:58PM +0000, David Corking wrote:
> 1. Thanks for the patch and announcement today : SUSE-SA:2006:008
> 
> 2. There seems to have been a co-ordinated disclosure and release of
> patches for CVE-2006-0225 on January 25.  Why did SuSE (and Debian)
> not participate in that?   Did the other vendors choose not to
> co-ordinate with SuSE (and Debian) ?
> 
> 3. I have now avidly read the major reports of CVE-2006-0225, most of
> whom classify it as low priority, and all classify as local.   It
> seems to me, from the reports I read, that it is a local privilege
> escalation that allows an authenticated scp user to execute arbitrary
> shell commands, even if they have scp-only privileges.
> 
> I am not in any way a skilled penetration tester - so I have to make a
> judgement based on what I read.  Have I misunderstood the other
> reports, or have the other reports got it right, or have SuSE
> discovered something new that makes it indeed a *remote*
> vulnerability?

I was undecided too when choosing it, and I do not see a direct threat.

It is post authentication.

The only way I understand this is problematic is when you have a scp-only
remote configuration and can then execute programs on the remote machine.

Ciao, Marcus
