Vigil@nce - OpenSSH: interpretation of ANSI codes via scp
August 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create a file with a malicious name, and invite the
victim to download it with the scp tool of OpenSSH, in order to
alter the display of the victim's terminal.
Impacted products: Fedora, OpenSSH.
Severity: 1/4.
Creation date: 31/07/2015.
DESCRIPTION OF THE VULNERABILITY
ANSI codes are standardized escape sequences used to alter terminal
characteristics. For example:
 - Esc[line;columnH : go to the position line,column
 - Esc[numberA : move up by number lines
 - Esc[33m : write in yellow
 - etc.
When the scp tool of OpenSSH copies a file, it displays a progress
bar. However, the start_progress_meter() function does not filter
the name of the remote file. ANSI codes contained in this file name
are thus interpreted by the victim's terminal.
An attacker can therefore create a file with a malicious name, and
invite the victim to download it with the scp tool of OpenSSH, in
order to alter the display of the victim's terminal.
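One way to neutralize such a name before it is printed, as an added example (not OpenSSH code and not part of the original bulletin): the hypothetical function sanitize_for_display() rewrites every non-printable byte as a visible \xNN escape, so the terminal never receives the Esc byte. The sample file name is constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not OpenSSH code: make an untrusted file name safe to print
 * on a terminal. Printable ASCII is copied as is; every other byte (ESC,
 * other control codes, DEL, bytes >= 0x80) becomes a visible \xNN escape, and
 * a literal backslash is doubled so the output stays unambiguous.
 * Returns the length written (excluding NUL), or -1 if dst is too small.
 */
int sanitize_for_display(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (dstlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)src; *p != '\0'; p++) {
        if (*p == '\\') {
            if (o + 2 >= dstlen) return -1;
            dst[o++] = '\\';
            dst[o++] = '\\';
        } else if (*p >= 0x20 && *p <= 0x7e) {
            if (o + 1 >= dstlen) return -1;
            dst[o++] = (char)*p;
        } else {
            if (o + 4 >= dstlen) return -1;
            dst[o++] = '\\';
            dst[o++] = 'x';
            dst[o++] = hex[*p >> 4];
            dst[o++] = hex[*p & 0x0f];
        }
    }
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: name embedding Esc[33m (yellow) and Esc[2A (up 2 lines). */
    const char *name = "report\x1b[33m\x1b[2A.txt";
    char safe[256];

    if (sanitize_for_display(name, safe, sizeof(safe)) < 0)
        return 1;
    printf("raw length %zu, shown as: %s\n", strlen(name), safe);
    return 0;
}
```

Escaping bytes at or above 0x80 is a conservative choice made for this example: it also covers 8-bit control codes, at the cost of showing non-ASCII names in escaped form.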
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenSSH-interpretation-of-ANSI-codes-via-scp-17543