CVE-2006-0225
Published 2006-01-25
Priority P4 · 26 · medium · 4.6 (CVSS 2.0, AV:L/AC:L/Au:N/C:P/I:P/A:P)
EPSS 0.47% (37.4th percentile)
scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
Affected
44 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dropbear | < dropbear 0.48-1 (bookworm) | dropbear 0.48-1 (bookworm) |
| debian | netkit-rsh | — | — |
| debian | openssh | < dropbear 0.48-1 (bookworm) | dropbear 0.48-1 (bookworm) |
| netkit | netkit | — | — |
| openbsd | openssh | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 4.6 | MEDIUM | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_debian | — | 4.6 | LOW | — |
Debian
CVE-2023-38336 [MEDIUM] netkit-rsh · vendor_debian · 2023 · CVSS 4.6
netkit-rcp in rsh-client 0.17-24 allows command injection via filenames because /bin/sh is used by system(), a related issue to CVE-2006-0225, CVE-2019-7283, and CVE-2020-15778.
Scope: local
bookworm: open
bullseye: open
Red Hat
CVE-2006-6304 [HIGH] kernel: use flag in do_coredump() · vendor_redhat · 2009-11-12 · CVSS 7.5
The do_coredump function in fs/exec.c in the Linux kernel 2.6.19 sets the flag variable to O_EXCL but does not use it, which allows context-dependent attackers to modify arbitrary files via a rewrite attack during a core dump.
Statement: This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commit d025c9db that introduced the problem.
This upstream commit was backported in Red Hat Enterprise Linux 5 via RHSA-2009:0225. It was later reported and addressed in Red Hat Enterprise Linux 5 via RHSA-2010:0046.
Ubuntu
CVE-2006-0225 openssh vulnerability · vendor_ubuntu · 2006-02-22
Tomas Mraz discovered a shell code injection flaw in scp. When doing local-to-local or remote-to-remote copying, scp expanded shell escape characters. By tricking a user into using scp on a specially crafted file name (which could also be caught by using an innocuous wild card like '*'), an attacker could exploit this to execute arbitrary shell commands with the privilege of that user.
Please be aware that scp is not designed to operate securely on untrusted file names, since it needs to stay compatible with rcp. Please use sftp for automated systems and potentially untrusted file names.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2006-0225 [MEDIUM] dropbear · vendor_debian · 2006 · CVSS 4.6
scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
Scope: local
bookworm: resolved (fixed in 0.48-1)
bullseye: resolved (fixed in 0.48-1)
forky: resolved (fixed in 0.48-1)
sid: resolved (fixed in 0.48-1)
trixie: resolved (fixed in 0.48-1)
Red Hat
CVE-2006-0225 [MEDIUM] local to local copy uses shell expansion twice · vendor_redhat · 2005-09-28 · CVSS 4.6
Statement: Issue was fixed upstream in version 4.3. The openssh packages in Red Hat Enterprise Linux 5 are based on the fixed upstream version and were not affected by this flaw.
GHSA
GHSA-vg2g-72mx-mj33 · CVE-2023-38336 [MEDIUM] · CWE-77 · ghsa_unreviewed · 2023-07-15 · CVSS 4.6
netkit-rcp in rsh-client 0.17-24 allows command injection via filenames (same description as the Debian entry for CVE-2023-38336).
OSV
CVE-2023-38336 [MEDIUM] netkit-rcp in rsh-client 0.17-24 · osv · 2023-07-14 · CVSS 4.6
GHSA
GHSA-fjc8-474c-2xx3 · CVE-2006-0225 [MEDIUM] scp in OpenSSH 4.2p1 · ghsa_unreviewed · 2022-05-03
GHSA
GHSA-wm2m-wxgh-453h · CVE-2007-3717 [MEDIUM] · ghsa_unreviewed · 2022-05-01 · CVSS 4.6
rcp on Sun Solaris 8, 9, and 10 before 20070710 does not properly call certain helper applications, which allows local users to gain privileges by creating files with certain names, possibly containing shell metacharacters or spaces, a similar issue to CVE-2006-0225.
OSV
CVE-2006-0225 [MEDIUM] scp in OpenSSH 4.2p1 · osv · 2006-01-25 · CVSS 4.6
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2006-4924 [HIGH] openssh DoS (also CVE-2006-5051) (also for RHL7.3: CVE-2006-0225, CVE-2003-0386) · bugzilla · 2006-09-30 · CVSS 7.5
creating as a clone of bug 207955 (and also bug 207957 which is for fc5) --
create clone doesn't seem to be working for me for some reason, so copy/pasted
in the description from those bugs.
Tavis Ormandy of the Google Security Team discovered a denial of service attack
on the openssh sshd daemon when ssh protocol version 1 is enabled. This flaw
will cause the openssh server to consume a large quantity of the CPU until the
specified timeout is reached.
The upstream patches can be found here:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.c.diff?r1=1.29&r2=1.30&sortby=date&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.143&r2=1.144&sortby=date&f=h
Bugzilla
CVE-2006-0225 [MEDIUM] local to local copy uses shell expansion twice · bugzilla · 2006-02-01 · CVSS 4.6
+++ This bug was initially created as a clone of Bug #168167 +++
Description of problem:
scp currently implements local-to-local copy by constructing a command line
using 'cp' in a string and then using system(). Besides the fact that using
system() is really always wrong (only lazy people use it), it has the added
problem that the file name is exposed twice to shell expansion. The file name
could contain characters which need quoting, like $ or spaces. This second
expansion must be avoided.
Version-Release number of selected component (if applicable):
openssh-clients-4.2p1-1.x86_64
How reproducible:
always
Steps to Reproduce:
1. touch foo\ bar
2. mkdir somedir
3. scp foo\ bar somedir
Actual results:
cp: cannot stat `foo': No
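As an added example (not OpenSSH's code) of the two patterns the bug report contrasts: `copy_via_system()` reproduces the command-string-plus-system() approach the report describes, while `copy_via_exec()` is the argv-based alternative that keeps a name like "foo bar" as one argument. The function names, the temp-directory demo and the sample file are constructed for this illustration and assume a POSIX system with `cp` on PATH.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp, fork, waitpid, access */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
/* Flawed pattern from the bug report: the name is pasted into a command string,
 * so /bin/sh splits it on spaces and expands $, *, backticks and friends. */
static int copy_via_system(const char *src, const char *dst)
{
    char cmd[4096];
    if (snprintf(cmd, sizeof cmd, "cp %s %s", src, dst) >= (int)sizeof cmd)
        return -1;
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st) && WEXITSTATUS(st) == 0) ? 0 : -1;
}
/* Hardened pattern: fork + execvp with an argv array, so each name is exactly
 * one argument and no shell ever sees it. */
static int copy_via_exec(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid == 0) {
        char *const argv[] = { "cp", "--", (char *)src, (char *)dst, NULL };
        execvp(argv[0], argv);
        _exit(127);                      /* only reached if exec failed */
    }
    int st;
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st) == 0 ? 0 : -1;
}
/* Constructed demo: a file literally named "foo bar" in a fresh temp directory.
 * Returns 1 when the exec copy created its target and the system() copy did not
 * (the shell handed cp "foo" and "bar", neither of which exists). */
int demo_double_expansion(void)
{
    char dir[] = "/tmp/scp-demo-XXXXXX", src[256], d_sys[256], d_exec[256];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(src, sizeof src, "%s/foo bar", dir);
    snprintf(d_sys, sizeof d_sys, "%s/via_system", dir);
    snprintf(d_exec, sizeof d_exec, "%s/via_exec", dir);
    FILE *f = fopen(src, "w");
    if (f == NULL) return -1;
    fclose(f);
    int sys_rc = copy_via_system(src, d_sys);
    int exec_rc = copy_via_exec(src, d_exec);
    int ok = exec_rc == 0 && access(d_exec, F_OK) == 0
          && sys_rc != 0 && access(d_sys, F_OK) != 0;
    unlink(src); unlink(d_exec); unlink(d_sys); rmdir(dir);
    return ok;
}
```

Quoting the name before interpolating it would also stop the word split, but the argv form is the one that needs no per-character escaping rules to get right.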
Bugzilla
CVE-2006-0225 [MEDIUM] local to local copy uses shell expansion twice · bugzilla · 2005-11-23 · CVSS 4.6
Bugzilla
CVE-2006-0225 [MEDIUM] local to local copy uses shell expansion twice · bugzilla · 2005-10-11 · CVSS 4.6
Bugzilla
CVE-2006-0225 [MEDIUM] CAN-2005-2798, CAN-2004-2069, CVE-2006-0225 OpenSSH vulnerabilities · bugzilla · 2005-09-21 · CVSS 4.6
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20050729 Netscape/8.0.3.3
Description of problem:
05.36.17 CVE: CAN-2005-2798
Platform: Cross Platform
Title: OpenSSH GSSAPI Credential Disclosure Vulnerability
Description: OpenSSH is reported to be vulnerable to a GSSAPI
credential delegation issue. When a user has GSSAPI authentication
configured and "GSSAPIDelegateCredentials" enabled, their kerberos
credentials will be forwarded to remote hosts. OpenSSH versions prior
to 4.2 are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14729
Version-Release number of selected component (if applicable):
How reproducible:
Didn't try
Additional info:
Discussi