File Overwrite Vulnerability in OpenSSH Affecting Multiple Platforms
CVE-2019-6111

5.9 MEDIUM

Key Information:

Vendor
OpenBSD
CVE Published:
31 January 2019

Badges

👾 Exploit Exists
🟡 Public PoC

Summary

A vulnerability in the scp implementation of OpenSSH 7.9 allows a malicious scp server or a Man-in-the-Middle attacker to overwrite arbitrary files in the target directory of the scp client. Since scp is derived from the older rcp command from 1983, the server controls which files are sent. The client conducts limited validation of filenames, preventing only directory traversal attacks. Consequently, this flaw can be exploited to overwrite critical files, such as .ssh/authorized_keys, particularly during recursive operations.
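An added example, not from the original page or from OpenSSH: one way a client can check each server-supplied name against the path it actually requested, which goes beyond the traversal-only validation the summary describes. The helper names and sample file names are constructed for illustration, and only the non-recursive, top-level case is covered.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if a server-supplied name is acceptable for the remote path the
 * client asked for, 0 otherwise. Hypothetical helper, not OpenSSH code. */
int name_allowed(const char *requested_path, const char *received)
{
    /* The pattern is the last component of what the user requested. */
    const char *slash = strrchr(requested_path, '/');
    const char *pattern = slash ? slash + 1 : requested_path;

    if (*pattern == '\0' || *received == '\0')
        return 0;                       /* nothing to validate against */

    /* Traversal guard: the only class of check the summary says exists. */
    if (strchr(received, '/') || !strcmp(received, ".") || !strcmp(received, ".."))
        return 0;

    /* Additional check: the name must match the requested pattern.
     * FNM_PERIOD keeps "*" from matching dotfiles, as a shell glob would. */
    return fnmatch(pattern, received, FNM_PERIOD) == 0;
}

/* Count (and log) names in a server's file list that the client never asked for. */
int count_rejected(const char *requested_path, const char *const names[], size_t n)
{
    int rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if (!name_allowed(requested_path, names[i])) {
            fprintf(stderr, "rejecting unexpected name: %s\n", names[i]);
            rejected++;
        }
    }
    return rejected;
}

int main(void)
{
    /* Constructed sample: names a server might send for "docs/*.txt". */
    const char *const sent[] = { "notes.txt", "authorized_keys", "../a.txt", "todo.txt" };
    int bad = count_rejected("docs/*.txt", sent, sizeof sent / sizeof sent[0]);
    printf("%d of 4 names rejected\n", bad);
    return bad == 2 ? 0 : 1;
}
```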

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved