Placeholder Image

字幕列表 影片播放

  • Earlier this week. There was a sort of announcement about a bug in a program called SCP

  • SCP stands for secure copy it's a way of copying files between two different machines

  • using SSH as a sort of background

  • transport protocol to make the copy

  • So it's a secure way of copying a file from one remote machine to your local machine or vice versa

  • Personally I use it all the time to copy files from my laptop to the desktop machines particularly from outside the office and so on

  • It's a very easy way to do things from the command line

  • so he talked about SCP the name of a machine and then the file we want to copy so I know it's

  • Stored at this location remember name and so they want Corey to the local machines. I don't give a machine name

  • We're just in this case

  • I'm putting a full stop for the current directory hit return ask me for my password

  • And it starts copying it in this case. It's going over to wireless network. So it's not going that fast, but it's copying it off

  • This machine on here. And so we're copying that file from that machine to here

  • So the books that were sort of disclosed by Harry Sentinel and f-secure

  • Basically allow a malicious server

  • When you ask it to copy a file it allows a malicious server to return

  • Basically any file it likes to your machine. There are some limitations and the client will happily write it into the right thing

  • even if it's not a file it requested so I could say please download our PI to

  • Our PI - image GZ from my machine and the server could say here. Here's dot bash profile

  • and it would copy that into the current directory and if that was the

  • My home directory that would override my dot bash profile

  • Which is a script that gets run every time I log into the machine and so the server would be able to pass it down

  • A file but the next time I logged on would allow the malicious actor who's taking control of the server to sort of

  • Infect my machine with some code that they wanted to run the way the exploit works. The server is able in certain circumstances to

  • Not send down the file that the user

  • requested

  • But to send something else down and put it in a way that and that it gets the client to put it in a place

  • where it could potentially

  • overwrite some files they contain

  • authorized keys that allow you to log into the system or

  • Replace a script that gets run a startup like your batch profile. I mean actually this burg dates back way before

  • SCP existed because it's actually come from an earlier program called RCP, which start was stood for remote

  • Copy did pretty much the same thing, but unlike SCP. It didn't bother encrypting the data as it went over

  • He just did a straight transfer. This was written in 1983. It's part of one of the early berkeley

  • Releases of unix and there's been quite popular until obviously SCP came along in the mid 90s

  • SCP takes the RTP protocol and basically implements it exactly the same but using a secure transport using ssh

  • To transfer the data the interesting thing though

  • Is that both the way that SCP and RCP work is I find a little bit interesting and that when I ran

  • This command on my machine here SCP it connected to the other machine

  • But you might think okay talk to the SSH daemon on there

  • The protis is a server on there and says please send me this file but somebody does

  • if I run that program again and

  • I chose a file that was big enough. It would take a while to do that. I'm gripped to see what SCP is doing

  • So I'm looking all the processes and particularly the ones that are SCP. I

  • Find the program I ran SCP. Jailer the name of the machine to copy the file

  • But there's also this other one on the line above and what's actually happening the way

  • SCP actually work because it makes a standard SSH connection from my laptop to the remote machine or whatever machines are connecting and

  • It runs the SCP program on the remote machines with a specific flag in this case

  • It's minus F and then the name of the file that you want to copy

  • And if we look on this machine just to show the case

  • Then we can see again that that program is running on that machine

  • So the way that SCP works it connects to the remote machine and runs

  • SCP on there

  • with a flag telling it it's being run on the remote machine and if you look in the source code for SCP you can see

  • How it does that it detects that flag in it, then those it's going to send a file back over and what SCP does?

  • Is it sends their over a little header which describes the fire that's going to send and then it just sends the data

  • Over the standard output the UNIX provides which gets routed over the SSH connection back to the copy of SCP

  • You're running on machine, which doesn't writes it out the disk

  • So let's have a look at how that sends things and we can do that

  • Because if we go back to where we're transferring the file and stop it, we can actually ask SSH or SCP in this case

  • They give us more information about what's going on and get it to print out

  • The message isn't is something between thing give us debug information by using the minus V flag. So if we run

  • SCP again with minus V in there

  • Then we get all sorts of information about the key exchanges that are happening

  • It's asking me for my password again, and then eventually we get down here

  • Where it says I'm sending the command that I want to run so it sent the command

  • SCP with the minus three and the minus F flags across that's now running on the other machine

  • We can see it running on there

  • And then it shows us the command that it received from the copy of SCP running on this thing

  • so we got the line of text capital C and

  • then the

  • permission bytes for the file in this case 0 644 in octal and standard UNIX permissions

  • We've got the size of the file in bytes three four one zero seven

  • Nine one one more one in this case a big file and then the file name and then we can see it

  • Transferring the file and occasionally as it's doing that

  • We'll see the keys get updated as it changes encryption keys to make sure that we don't lose anything. The problem is

  • That this line here the ones preceded sync the source code before the SCP client

  • Just takes the filename that's returned and uses that as the file

  • It writes to the disk now just do some simple checks it checks that you're not trying to traverse up the directory structure

  • It checks that you haven't given it an absolute path. But other than that, it just writes that file

  • to do so if you were to write a malicious piece of software and all we need to do is replace the

  • SCP command on the remote machine

  • Don't you do anything more complicated than write a program that?

  • Returns the right values to compromise the system and then replace the SCP binary on that machine

  • We've got root access to that server. That would be relatively easy

  • for us to do

  • so what we need to do is change the value that

  • gets sent back and

  • then this client because he doesn't check that value is a what it asked for or

  • B make sense beyond some very very simple checks. We'll write that new file

  • Into the current directory or if you've asked for a recursive copy copy lots of files in different directories

  • It could write them into other directories or it could even change the permission on the current directory. So it

  • could be used in certain circumstances to

  • Enable people who've got control of the server

  • To push files down onto your client when you use that command

  • I mean some ways this functionality has to be there because we specify our wild-card and you're copying files

  • You don't know what their names are

  • Then the server has to be able to drive the client what files is going to send down?

  • Otherwise you'd have to know what the files are on the server before you could copy them down

  • I think the real core the problem here is it's not doing

  • Perhaps stringent enough checks and that there are certain things that you can send down

  • for example

  • It can send down a line that forces the client to change

  • The permissions of the current directory and it's just not doing quite enough checks

  • It's relatively simple to fix making sure the checks on the returned file make sense. So for example if we request in one file

  • That we get that one file if we were dressed it to copy a directory that the files that come down and inside that directory

  • If we requested a wild-card

  • to select multiple files that actually

  • The file names that it's sending to us matched that one cause it's just a matter of putting a few more stringent checks

  • Into the actual program. Should we be worried too much about this? Well, there are other things we can do

  • For example, we could use SFTP rather than SCP to do that. It has been patched in certain versions of

  • OpenSSH now which will be coming out soon certain variants of it's still there and things like PS CP and

  • winscp on windows

  • it has the potential if we're not careful that you could do something but I

  • Think there's another ways around at the moment and something we can patch the software and get around it

  • But it's interesting because it's sort of the very simple file transfer protocol that was developed for our CP

  • He was just copied straight over

  • in the mid-90s when SSH first came along

  • And he's been left there and these things have been there for the past. Well 30

  • 35 years, I guess almost those six years

  • Lying there in the various different things, but of course, perhaps people haven't tried to exploit them before

  • now I've got the token so I can lay the value in AD the valley from emerged or into it and

  • Store it back and hand the target and now I've got the token again. I can load something into my register

  • The problem is that suppose we want to do like a big Gaussian blur or really large window. This is going to get slow

  • really really quickly

Earlier this week. There was a sort of announcement about a bug in a program called SCP

字幕與單字

單字即點即查 點擊單字可以查詢單字解釋

A2 初級

安全拷貝漏洞(SCP) - Computerphile (Secure Copy Vulnerability (SCP) - Computerphile)

  • 4 0
    林宜悉 發佈於 2021 年 01 月 14 日
影片單字