4.6 - SUN-102961

Executive Summary

Summary
Title	Sun Alert 102961 Security Vulnerability in scp(1) May Allow Execution of Unintended Commands

Informations
Name	SUN-102961	First vendor Publication	2007-06-27
Vendor	Sun	Last vendor Modification	2007-06-27
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	4.6	Attack Range	Local
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	3.9	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Product: Solaris 9 Operating System, Solaris 10 Operating System

Due to a security vulnerability in the way the scp(1) command executes helper applications, certain additional unintended commands may be executed at the same time. This may allow a local unprivileged user (or a remote user in the case of shared filesystems) who is able to create files on the system, to execute arbitrary commands with the privileges of a local user, if those files are acted upon by the local user using the scp(1) command.

This issue is also referenced in the following document:

CVE-2006-0225 at http://www.security-database.com/detail.php?cve=CVE-2006-0225

Avoidance: Patch, Workaround

State: Resolved

First released: 08-Jun-2007

Sun Alert Link:http://sunsolve.sun.com/search/document.do?assetkey=1-26-102961-1

Original Source

Url : http://blogs.sun.com/security/entry/sun_alert_102961_security_vulnerability

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:1138

Oval ID:	oval:org.mitre.oval:def:1138
Title:	Security Vulnerability Relating to scp(1) Command May Allow Attackers to Execute Arbitrary Commands
Description:	scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2006-0225	Version:	3
Platform(s):	Sun Solaris 9 Sun Solaris 10	Product(s):
Definition Synopsis:
Solaris 9 (SPARC) Solaris 9 (SPARC) is installed AND NOT Patch 114356-12 or later installed OR Solaris 9 (x86) Solaris 9 (x86) is installed AND NOT Patch 114357-11 or later installed OR Solaris 10 (SPARC) Solaris 10 (SPARC) is installed AND NOT Patch 123324-03 or later installed OR Solaris 10 (x86) Solaris 10 (x86) is installed AND NOT Patch 123325-03 or later installed

Definition Id: oval:org.mitre.oval:def:9962

Oval ID:	oval:org.mitre.oval:def:9962
Title:	scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
Description:	scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2006-0225	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4	Product(s):
Definition Synopsis:
OS Section: RHEL3, CentOS3 RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND Configuration section openssh is earlier than 0:3.6.1p2-33.30.9 AND openssh-askpass is earlier than 0:3.6.1p2-33.30.9 AND openssh-server is earlier than 0:3.6.1p2-33.30.9 AND openssh-clients is earlier than 0:3.6.1p2-33.30.9 AND openssh-askpass-gnome is earlier than 0:3.6.1p2-33.30.9 OR OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section openssh is earlier than 0:3.9p1-8.RHEL4.12 AND openssh-askpass is earlier than 0:3.9p1-8.RHEL4.12 AND openssh-server is earlier than 0:3.9p1-8.RHEL4.12 AND openssh-clients is earlier than 0:3.9p1-8.RHEL4.12 AND openssh-askpass-gnome is earlier than 0:3.9p1-8.RHEL4.12

CPE : Common Platform Enumeration

Type	Description	Count
Application	Openbsd Openssh cpe:2.3:a:openbsd:openssh:4.7:p1:::::: cpe:2.3:a:openbsd:openssh:4.4:p1:::::: cpe:2.3:a:openbsd:openssh:4.3:p2:::::: cpe:2.3:a:openbsd:openssh:4.3:p1:::::: cpe:2.3:a:openbsd:openssh:4.2:p1:::::: cpe:2.3:a:openbsd:openssh:4.1:p1:::::: cpe:2.3:a:openbsd:openssh:4.0:p1:::::: cpe:2.3:a:openbsd:openssh:3.9.1:::::::* cpe:2.3:a:openbsd:openssh:3.9:-:::::: cpe:2.3:a:openbsd:openssh:3.8.1:-:::::: cpe:2.3:a:openbsd:openssh:3.8:-:::::: cpe:2.3:a:openbsd:openssh:3.7.1:-:::::: cpe:2.3:a:openbsd:openssh:3.7:::::::* cpe:2.3:a:openbsd:openssh:3.6.1:-:::::: cpe:2.3:a:openbsd:openssh:3.6.1:p1:::::: cpe:2.3:a:openbsd:openssh:3.6:-:::::: cpe:2.3:a:openbsd:openssh:3.5:-:::::: cpe:2.3:a:openbsd:openssh:3.5:p1:::::: cpe:2.3:a:openbsd:openssh:3.4:-:::::: cpe:2.3:a:openbsd:openssh:3.4:p1:::::: cpe:2.3:a:openbsd:openssh:3.3:p1:::::: cpe:2.3:a:openbsd:openssh:3.3:-:::::: cpe:2.3:a:openbsd:openssh:3.2.3:p1:::::: cpe:2.3:a:openbsd:openssh:3.2.2:p1:::::: cpe:2.3:a:openbsd:openssh:3.2:::::::* cpe:2.3:a:openbsd:openssh:3.1:p1:::::: cpe:2.3:a:openbsd:openssh:3.1:-:::::: cpe:2.3:a:openbsd:openssh:3.0.2:p1:::::: cpe:2.3:a:openbsd:openssh:3.0.2:-:::::: cpe:2.3:a:openbsd:openssh:3.0.1:p1:::::: cpe:2.3:a:openbsd:openssh:3.0.1:-:::::: cpe:2.3:a:openbsd:openssh:3.0:-:::::: cpe:2.3:a:openbsd:openssh:2.9.9:p2::::::	33

OpenVAS Exploits

Date	Description
2010-02-03	Name : Solaris Update for Kernel 122300-48 File : nvt/gb_solaris_122300_48.nasl
2010-02-03	Name : Solaris Update for Kernel 122301-48 File : nvt/gb_solaris_122301_48.nasl
2009-11-17	Name : Mac OS X Version File : nvt/macosx_version.nasl
2009-10-13	Name : Solaris Update for /usr/bin/ssh 114356-19 File : nvt/gb_solaris_114356_19.nasl
2009-10-13	Name : Solaris Update for /usr/bin/ssh 114357-18 File : nvt/gb_solaris_114357_18.nasl
2009-10-10	Name : SLES9: Security update for OpenSSH File : nvt/sles9p5021162.nasl
2009-06-03	Name : Solaris Update for /usr/bin/ssh 114356-18 File : nvt/gb_solaris_114356_18.nasl
2009-06-03	Name : Solaris Update for /usr/bin/ssh 114357-17 File : nvt/gb_solaris_114357_17.nasl
2009-06-03	Name : Solaris Update for kernel 120011-14 File : nvt/gb_solaris_120011_14.nasl
2009-06-03	Name : Solaris Update for kernel 120012-14 File : nvt/gb_solaris_120012_14.nasl
2008-09-24	Name : Gentoo Security Advisory GLSA 200602-11 (OpenSSH) File : nvt/glsa_200602_11.nasl
0000-00-00	Name : Slackware Advisory SSA:2006-045-06 openssh File : nvt/esoft_slk_ssa_2006_045_06.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
22692	OpenSSH scp Command Line Filename Processing Command Injection OpenSSH contains a flaw that may allow an attacker to execute arbitrary commands. The flaw is due to the way OpenSSH's scp utility handles file names during local-to-local copies. During the file name expansion, the utility does not properly sanitize filenames allowing a crafted file name with shell meta-characters. This can be used to trick a user into executing arbitrary commands under with a different set of (potentially higher) privileges.

Description

22692

OpenSSH scp Command Line Filename Processing Command Injection

OpenSSH contains a flaw that may allow an attacker to execute arbitrary commands. The flaw is due to the way OpenSSH's scp utility handles file names during local-to-local copies. During the file name expansion, the utility does not properly sanitize filenames allowing a crafted file name with shell meta-characters. This can be used to trick a user into executing arbitrary commands under with a different set of (potentially higher) privileges.

Information Assurance Vulnerability Management (IAVM)

Date	Description
2012-08-16	IAVM : 2012-A-0136 - Multiple Vulnerabilities in Juniper Network Management Products Severity : Category I - VMSKEY : V0033662

Nessus® Vulnerability Scanner

Date	Description
2013-09-13	Name : The remote host is affected by multiple vulnerabilities. File : juniper_nsm_2012_1.nasl - Type : ACT_GATHER_INFO
2011-10-04	Name : The version of SSH running on the remote host has a command injection vulnera... File : openssh_43.nasl - Type : ACT_GATHER_INFO
2011-08-29	Name : The SSH service running on the remote host has an information disclosure vuln... File : sunssh_plaintext_recovery.nasl - Type : ACT_GATHER_INFO
2007-03-13	Name : The remote host is missing a Mac OS X update which fixes a security issue. File : macosx_10_4_9.nasl - Type : ACT_GATHER_INFO
2006-09-29	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2006-0698.nasl - Type : ACT_GATHER_INFO
2006-08-04	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2006-0298.nasl - Type : ACT_GATHER_INFO
2006-07-21	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2006-0298.nasl - Type : ACT_GATHER_INFO
2006-07-05	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2006-0044.nasl - Type : ACT_GATHER_INFO
2006-03-13	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-255-1.nasl - Type : ACT_GATHER_INFO
2006-03-08	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2006-0044.nasl - Type : ACT_GATHER_INFO
2006-02-21	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200602-11.nasl - Type : ACT_GATHER_INFO
2006-02-15	Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2006-045-06.nasl - Type : ACT_GATHER_INFO
2006-02-15	Name : The remote host is missing a vendor-supplied security patch File : suse_SA_2006_008.nasl - Type : ACT_GATHER_INFO
2006-02-10	Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2006-034.nasl - Type : ACT_GATHER_INFO
2006-01-24	Name : The remote Fedora Core host is missing a security update. File : fedora_2006-056.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2016-04-26 18:14:32	Multiple Updates

Global Informations

Type	Count
Oval ID(s)	2
CPE ID(s)	33
osvdb(s)	1
Openvas Exploit(s)	12
IAVM(s)	1
Nessus® Exploit(s)	15

	Related
6.9	SUN-102978
4.6	CVE-2006-0225
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 2 more Alert(s)

4.6 - SUN-102961

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Open Source Vulnerability Database (OSVDB)

Information Assurance Vulnerability Management (IAVM)

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU