Command Injection Vulnerability in OpenSSH's SCP Function
CVE-2020-15778

7.8 HIGH

Key Information:

Vendor: OpenBSD
Status
Vendor
CVE Published: 24 July 2020

Badges

👾 Exploit Exists
🟡 Public PoC

Summary

A vulnerability in OpenSSH's SCP functionality allows attackers to perform command injection through the handling of destination arguments. Specifically, the issue arises in the toremote function of scp.c, where backtick characters in the destination string can lead to arbitrary command execution. The vendor has acknowledged that they intentionally omit validation of 'anomalous argument transfers' to maintain existing workflows, which potentially exposes users to unwanted risk. The case is a significant security concern and underlines the need for thorough validation in command handling within network services.
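Because scp itself does not validate the destination, automation that builds scp destinations from untrusted input has to do it. The following is an added example, not code from OpenSSH or from this advisory: an allowlist check for destination strings. The function name, the allowlists and the sample hosts are assumptions, and bracketed IPv6 hosts are not handled.

```python
import re

# Assumption: destinations look like [user@]host:path and the remote account
# runs a POSIX-style shell, which is what would expand backticks in the path.
REMOTE_SPEC = re.compile(
    r"(?:(?P<user>[^@:/\s]+)@)?(?P<host>[^@:/\s]+):(?P<path>.*)", re.DOTALL)

# Allowlists for each part; anything outside them is rejected, not escaped.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")
SAFE_PATH = re.compile(r"[A-Za-z0-9._/+=,@%-]*")


def check_destination(dest):
    """Return a list of findings for an scp destination; empty means accepted."""
    m = REMOTE_SPEC.fullmatch(dest)
    if m is None:
        return ["not a [user@]host:path remote destination"]
    findings = []
    for part in ("user", "host"):
        value = m.group(part)
        if value is not None and not SAFE_NAME.fullmatch(value):
            findings.append(f"{part} contains characters outside the allowlist")
    path = m.group("path")
    if not SAFE_PATH.fullmatch(path):
        # Report exactly which characters caused the rejection.
        bad = sorted({c for c in path if not SAFE_PATH.fullmatch(c)})
        findings.append(f"path contains shell-significant characters: {bad!r}")
    elif path.startswith("-"):
        findings.append("path starts with '-' and could be read as an option")
    return findings


if __name__ == "__main__":
    # Constructed sample destinations (hosts and paths are placeholders).
    samples = [
        "deploy@backup.example.org:/srv/incoming/report.txt",
        "deploy@backup.example.org:/srv/incoming/`placeholder`.txt",
        "backup.example.org:",
        "report.txt",
    ]
    for s in samples:
        result = check_destination(s)
        print(("REJECT" if result else "OK"), repr(s), result)
```

Call the check before the destination reaches scp, and invoke scp with an argument list rather than through a local shell so the local side adds no second layer of expansion.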

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved