Bug 1998

Summary: Arbitrary command execution using SCP
Product: Portable OpenSSH Reporter: Vitja Makarov <vitja.makarov>
Component: scpAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: security CC: djm, dtucker, vitja.makarov
Priority: P2    
Version: 5.8p1   
Hardware: All   
OS: Linux   

Description Vitja Makarov 2012-04-18 07:12:23 AEST 
Hi!

I'm not sure is that a bug or a future. Since SCP doesn't escape filenames it's possible to execute an arbitrary command:

localhost:~$ scp 'mchome:foo;echo 123 > foo' /tmp/foo
scp: foo: No such file or directory
localhost:~$ scp 'mchome:foo;echo 123 > foo' /tmp/foo
foo                                                                                 100%    4     0.0KB/s   00:00    
localhost:~$ cat /tmp/foo
123


I've traced it and it seems to me that scp is executing the following command on remote side:

scp -f -- foo;echo 123 > foo
Comment 1 Darren Tucker 2012-05-19 15:18:43 AEST 
the client side scp can't escape the filenames because it does not know what shell is on the other end or what its quoting rules are (and "fixing" this on the client side doesn't help security anyway).

the command gets run by the remote shell regardless of what the remote scp does (you can delete scp from the remote side entirely and it'll still happen).  If you want to prevent this, you need to enforce it in the remote shell eg with a restricted shell of some type (scponly and rssh are example I'm aware of, but I can't vouch for them).
Comment 2 Damien Miller 2013-01-04 10:50:12 AEDT 
Like Darren said, this is an unfixable limitation of scp. If you need file-transfer that doesn't require shell access then use ForceCommand and sftp
Comment 3 Damien Miller 2015-08-11 23:02:53 AEST 
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1