
Secure Copy Vulnerability (SCP) - Computerphile

2742 ratings | 87328 views
Secure Copy is flawed, and the flaw goes back over 30 years. Dr Steve Bagley explains just how 'secure' it is. https://www.facebook.com/computerphile https://twitter.com/computer_phile This video was filmed and edited by Sean Riley. Computer Science at the University of Nottingham: https://bit.ly/nottscomputer Computerphile is a sister project to Brady Haran's Numberphile. More at http://www.bradyharan.com
Text Comments (271)
Insecure Copy.
Sebastian Ramadan (3 months ago)
Ah, haha, input validation error... nice.
SCP Intelligence Agency (3 months ago)
[Accessing to SCP-079] [Loading...] [Access Denied]
Emmett Turner (3 months ago)
Couldn’t help but notice that you called the period “full stop” ever since I learned that you guys think of a menstrual cycle when a North American says “period.” :)
chroma (3 months ago)
I sort of consider it a lost cause once an infiltrator has attained superuser access to a peer host anyway as they could also just alter the content of the sensitive file(s) you intend to retrieve and achieve the same result.
Matthew Johnson (3 months ago)
how often do you ssh to a remote server that isn't yours and start copying files? not much for me...
Format Lux (3 months ago)
“You cannot save people, you can just love them.”
hmmm (3 months ago)
Magic-wormhole anyone?
Tomas Brod (3 months ago)
Poor design.
Joshua (3 months ago)
Wow, that does not sound too complicated. Maybe just make an alias on the server for scp to make it transfer something else.
Anthony Lewis (3 months ago)
Pro tip: don't connect to servers that might be compromised.
SCP 106 (3 months ago)
I’m offended
konevskyy (3 months ago)
How to make HQ dorks ??
wkg (3 months ago)
well it's just cp if it's not secure then
David Somers-Harris (3 months ago)
I don't think I've ever pulled files using scp. I always push, because I often need to access the remote server first to check the file path and names anyways.
hytlerson (3 months ago)
20MB/s not that fast...WTF
Patrick McDermott (4 months ago)
This is one of my favorite Computerphile teachers
Ice Karma (4 months ago)
I think this might be one of the most technical Computerphile videos, oddly enough.
ZipplyZane (4 months ago)
If it can't go up the directory structure, then just always download files into their own directory, then move the result out of the directory to your desired location, and then wipe the directory. Just to be sure.
leathernluv (4 months ago)
To sum up: When writing client code, treat it like server code. If the server should never trust the client, the client should never trust the server! Man, does all this make me *almost* miss null modem connections before the internet. Look up *self extracting bash scripts*.
Juan Diego Calle (4 months ago)
does rsync over ssh have the same problem?
Robert de Bath (4 months ago)
zwz • zdenek (4 months ago)
It's surely bad that it can write self-launching files, but you should always make a judgement whether you trust a server you download from or not. It's not much worse than any kind of malicious server. It could just send you droppers and the effect would be the same. I don't see them patching away the executable bit since that would break the faithfulness of the copying process.
y2ksw1 (4 months ago)
I never used scp ... though I find it very funny, that this kind of bug is there for so long, and my question now is, how many more standard commands are affected?
C.P. G. (4 months ago)
Justin O'Brien (4 months ago)
This sounds zackly like the GNU-Emacs cuckoo egg "feature".
Fopenplop (4 months ago)
anyone else think Steve Bagley is a snack and a half?
Warp Zone (4 months ago)
Item #: SCP-25519 Object Class: Euclid Special Containment Procedures: Instances of SCP-25519 are stored in an un-powered state within a high-value materials locker at Site-15. A cover story of a security vulnerability in the Secure Copy Protocol has been disseminated to explain away the anomalous behavior and encourage the replacement of the protocol. Mobile Task Force Mu-4 ("Debuggers") is tasked with the recovery or destruction of all remaining instances. Description: SCP-25519-1 is a Macbook Pro formerly owned by Dr. █████ ██████. When a valid Secure Copy request is sent from this device to another terminal, all computers with the same IP address as the target terminal, everywhere in the world, attempt to execute this request simultaneously, regardless of their physical location or network configuration. Up to ██ additional instances of SCP-25519 are believed to be currently operational, based on the current rate of anomalous file transfers. It is speculated that creating a new instance of SCP-25519 requires significant, but not insurmountable resources, based on the current rate of increase in anomalous activity worldwide. By order of the O-5 council, Foundation usage of SCP-25519 to eliminate other instances is considered a last resort to prevent a BK-Class Public-Awareness scenario, should the rate of anomalous requests exceed █% prior to the widespread replacement of the Secure Copy Protocol.
Michael Lin (4 months ago)
They just HAD to name it `scp`.
tony tromp (4 months ago)
So.. would alias work as well? If you know the full command, could you alias it to download something else?
DusteDs Stuff (4 months ago)
* a file that is run every time I open up a bash shell (which is presumably all the time)
Jari Komppa (4 months ago)
"Niska" means "neck" in Finnish.
Sinan Akkoyun (4 months ago)
Is it patched?
ViralTaco (4 months ago)
I just use sftp… Didn't ever really pay attention to scp
thrillscience (4 months ago)
why are you using passwords instead of a keypair?
Robert de Bath (4 months ago)
He's using a passworded key file (check the ssh log) though I would expect him to be using an agent too.
Alexander McColl (4 months ago)
So the solution is a hash check on the files or if the overhead on that is too much a 'which scp' check on the server?
John Francis Doe (4 months ago)
Alexander McColl It's not about file _content_ it's about the _filename_ !
LimeGreenTeknii (4 months ago)
So you're saying there's been an SCP containment breach.
why tho? (4 months ago)
Roshin Varghese (4 months ago)
I wish he demonstrated the flaw by sending back a different file to the client
asailijhijr (4 months ago)
Another long-term security hole that we can assume the NSA knew about but didn't tell us.
Ian Maddox (4 months ago)
So you ask for one thing and get something completely different? If that's a vulnerability, I've been pwned by pretty much every Burger King drive through.
John Francis Doe (4 months ago)
Ian Maddox You ask for a burger in your hand but get a live handgrenade thrown into the back seat, because somehow the bullet proof glass between front and back seat automatically opens up whenever you stick your head out the front window, just in case you were ordering extra burgers.
haploide allel (4 months ago)
Hello @Computerphile, i would like to make a request about subtitling. There seems to be no CC/subs at all on your videos. I wonder if that is by choice, or that it might have never occurred to you that it is not activated... Would you mind considering activating the CC/subs on your videos, even if that means 'crappy' autoCC? Because even with the quality lacking autoCC'ing, it would still help us viewers understanding your content even better. Also, it might help you reach an audience that really relies on CC/subs (the hard of hearing and all); but also the part of your audience that might not be fluent in english (Dutchie myself here)... Thank you for all the trouble and effort you put into making these great informative videos; hopefully, i don't come across as 'entitled'. If so, i blame the language barrier ;)
Tamzagha4ever (4 months ago)
SCP stands for the SCP Foundation, wth is wrong with this channel
QuantumOverider (4 months ago)
Meh, gotta break ssh to get in first, before sending bad commands. Linux permissions have loopholes too, no one worries about it.
David Wührer (4 months ago)
No, it doesn't matter how you get in. Could be as simple as physical access while the admin is distracted. Once you are in, this is a way with which you can get into other machines automatically. And what loophole are you talking about? The second most widely used operating system in the world after MINIX has a lot of people who are paid to take any even potential vulnerability very seriously.
otiagomarques (4 months ago)
just use iCloud, man
otiagomarques (4 months ago)
+David Wührer *AirDrop
David Wührer (4 months ago)
There is no cloud. There is only other people's machines.
Reckless Roges (4 months ago)
and that's why we use rsync
Paul Campbell (4 months ago)
Surely one would consider making the .bash* files read only? As those files exist, unless I'm mistaken attempting to overwrite them would be governed by the existing files perms? Alternatives are to harden bash so that it will only execute a .bash_profile with user read and execute perms and prevent SCP from setting file modes on downloads to +x
John Francis Doe (4 months ago)
Paul Campbell Making the profile scripts executable is not standard. And they are not required to exist, so a remote server could silently drop one you don't already have.
Paul Campbell (4 months ago)
Hard to solve for instances like: scp -r [email protected]:/some/directory/ someLocalDir/ You haven't asked for any particular file so you can't validate what you receive. You mention "that the files sent match the wildcard". This is obviously impossible if the sshd binary has been compromised; it will just send the directory listing to include its active payload file.
John Francis Doe (4 months ago)
Paul Campbell The client /usr/bin/ssh must never trust the remote /usr/sbin/sshd to obey the protocol (except to the detriment of said remote itself). If you don't request X11 forwarding, no X11 should be forwarded. If you request forwarding local port 11111 to remote port 22222, nothing should happen to local port 33333. Ditto with the scp plugin to ssh.
David Wührer (4 months ago)
If your wildcard is an asterisk. It might be something else.
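The wildcard check discussed in this thread is what a client-side filter would have to do: read each record the remote sends and refuse anything the user did not ask for. The block below is an added illustration, not code from the video or from OpenSSH; the record lines are constructed, and the function names are my own.

```python
import fnmatch
import posixpath
import re

# Constructed sample of the records an scp client reads from the remote
# "scp -f" process after asking for "remote:docs/*.txt". The last four are
# the shape of the problem discussed above: names the user never requested,
# one of them hidden behind a terminal escape sequence.
SAMPLE_RECORDS = [
    "C0644 12 notes.txt",
    "C0600 5 todo.txt",
    "C0755 80 .bashrc",
    "C0644 3 \x1b[2Kreport.txt",
    "C0644 9 ../notes.txt",
    "D0755 0 subdir",
]

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_record(line):
    """Split one 'C' (file) or 'D' (directory) record, e.g. 'C0644 12 name',
    into (kind, mode, size, name). Raises ValueError on malformed input."""
    kind = line[:1]
    if kind not in ("C", "D"):
        raise ValueError("unsupported record type: %r" % line)
    fields = line[1:].split(" ", 2)
    if len(fields) != 3:
        raise ValueError("malformed record: %r" % line)
    mode_str, size_str, name = fields
    try:
        mode = int(mode_str, 8)
        size = int(size_str, 10)
    except ValueError:
        raise ValueError("bad mode or size: %r" % line)
    if len(mode_str) != 4 or mode > 0o7777 or size < 0:
        raise ValueError("bad mode or size: %r" % line)
    return kind, mode, size, name


def rejection_reason(kind, name, requested, recursive):
    """Return why a received name must not be written, or None if it passes.
    The sender may only name a plain entry that matches what was requested;
    the remote never gets to choose the local path."""
    if name in ("", ".", "..") or "/" in name:
        return "path traversal or empty name"
    if _CONTROL_CHARS.search(name):
        return "control characters in name"
    if kind == "D" and not recursive:
        return "directory record without -r"
    # scp sends bare names, so compare against the last component of the
    # request. Caveat from the thread: a request of '*' matches any name,
    # so in that case only the checks above provide protection.
    if not fnmatch.fnmatchcase(name, posixpath.basename(requested)):
        return "name does not match requested pattern"
    return None


def filter_records(requested, lines, recursive=False):
    """Split incoming records into (accepted, rejected).
    accepted: list of (kind, mode, size, name); rejected: list of (line, reason)."""
    accepted, rejected = [], []
    for line in lines:
        try:
            kind, mode, size, name = parse_record(line)
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        reason = rejection_reason(kind, name, requested, recursive)
        if reason is None:
            accepted.append((kind, mode, size, name))
        else:
            rejected.append((line, reason))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_records("docs/*.txt", SAMPLE_RECORDS)
    for rec in ok:
        print("accept", rec[3])
    for line, why in bad:
        print("reject", repr(line), "->", why)
```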
b1g bo1 (4 months ago)
Joshua Nelson (4 months ago)
Simple Programming Codes (3 months ago)
My scp doesn't have a version because it's a part of openssh... And its version is 7.9p1-1.
Staś (4 months ago)
You'd have to have SIP feature disabled to replace /usr/bin/scp, so not that easy on osx
John Francis Doe (4 months ago)
Staś Never mind OS/X. This is across all brands of server with all kinds of changes on them.
AlagaiKa (4 months ago)
I am somehow baffled by the comments here. 1) Just because the exploit needs to first get access to one system in order to then be able to affect others, this does not make it harmless. That's how most malware acts and it can be a serious vector of attack. 2) The step from being able to serve malicious file content to being able to save the file content in a location that the user did not intend is not trivial. If I copy a file from an untrusted source I know not to blindly execute it or open it with some complex program that might have a vulnerability that is triggered by malicious content. I do, however, expect that I should be able to receive a file from a remote system, open it with a simple text editor on my machine that I trust, and delete it afterwards - without being exposed to a security risk, no matter how malicious the server is.
Secure Contain Protect
subliminalvibes (4 months ago)
You down with SCP? YEAH, YOU KNOW ME!
Robert de Bath (4 months ago)
Hey Steve, why aren't you using ssh-agent?
Aleks D (4 months ago)
SCP does have a security flaw. You don't want to be trapped with SCP-173
Sourav Goswami (4 months ago)
I didn't understand. It seems so obvious. It's a feature. Say you want to download a PDF (from Linux server) and you got a virus PDF (on windows). Almost the same thing! If you modify rpi.img file and patched it with keyloggers, yeah, you download that! Isn't it obvious? I have a .bashrc file with a big PS1 variable, and I like that, and I need my aliases on other machine. I copy .bashrc file to another machine. And I need to do that, and SCP should allow me to do that. If you make mistake, you made mistake. If you remove / with rm, you don't say it's a rm bug, you are solely that bug who can do whatever. So I think it's a SCP feature. Where's the bug then?
David Wührer (4 months ago)
The bug is that the server can send you a file you didn't ask for. Not just a different content, a different file name as well.
Robert de Bath (4 months ago)
Seriously! This is considered a bug! It's how the thing is documented to work. (Though I'll admit there's been some dumbing down of more recent manual pages) The documentation still implies that the SCP command is run on the machine that the files are coming from and that sends the files to the destination. There's even an option on recent scp (the "-3") to proxy through the current machine for when "remote1" cannot connect to "remote2" but "localhost" can. EDIT: ... You can invoke this so called bug by adding scp() { exec /usr/bin/scp "$@" /etc/passwd; } rsync() { exec /usr/bin/rsync "$@" /etc/passwd; } to the top of your .bashrc, yes rsync has it too. PEBKAC error IMO. Oh well, I suppose PEBKAC workarounds are the vast majority of a programmer's work.
Robert de Bath (4 months ago)
+John Francis Doe Actually, I just tried this with "rsync 'raspian1:hello world.txt' ." it gave me the "hello" file. So rsync has this so called bug too. EDIT: ... You can invoke this _so called bug_ by adding scp() { exec /usr/bin/scp "$@" /etc/passwd; } rsync() { exec /usr/bin/rsync "$@" /etc/passwd; } to the top of your .bashrc
Robert de Bath (4 months ago)
+John Francis Doe Actually, that is exactly the relevance. With *Z*modem you run a command on the shell, just like scp, and that command sends the filenames back to your terminal emulator using its autostart sequence. Like I said in the other message, the OpenSSL documentation glosses over the fact.
John Francis Doe (4 months ago)
Robert de Bath Once again. That SCP is run as a subprocess on the remote is as irrelevant as XMODEM being run on the remote. It's about the remote unexpectedly controlling the local file name!
Will Ferrous (4 months ago)
Guys, I have a joke. The ethics committee.
Whomping Walrus (4 months ago)
Fortunately most SCP usage in the wild isn't with an untrusted server.
David Wührer (3 months ago)
How would you know if a server you trust has been compromised?
Whomping Walrus (4 months ago)
+David Wührer The opposite.
David Wührer (4 months ago)
You trust compromised servers?
jamcdonald120 (4 months ago)
wouldn't this work fine even if scp was fine? The server provides everything, length, checksum, and bits, we have no way to verify the server didn't hand wave the file? is the exploit that it can change the name of the downloaded file?
jamcdonald120 (4 months ago)
I see, that makes sense
David Wührer (4 months ago)
Yes. You don't have control over the file content, but at least you should have control over where the file is put.
jamcdonald120 (4 months ago)
+David Wührer ah I see, whereas a bad server could just serve a bad file, but with the requested name?
David Wührer (4 months ago)
No, the vulnerability is that it can serve you any file with any name that you didn't ask for.
RunItsTheCat (4 months ago)
Dee boiz got the omni key
LMacNeill (4 months ago)
Unix was written by a couple of guys who were on an internal company network -- AT&T in particular. They never imagined it would not only be installed on many networks AT&T didn't own, but that it would quite literally become the backbone of the Internet! They simply did not imagine the security issues that we continually run into -- even 40 years later! It's so fascinating to see how these things crop up - and makes me wonder what will be next! ;-) Excellent video, as usual, Computerphile.
David Wührer (3 months ago)
@RonJohn63 This particular problem has nothing to do with C. And I would argue that they are part of UNIX, even though they are not part of the POSIX specification nor necessary for a Unix certification.
realcygnus (3 months ago)
yup, it's amazing how clever those dudes were. It was built from the ground up, for need (pure purpose), not on a budget, with time constraints or superficial bells & whistles to appease a marketing team etc. All of the practical considerations they made for multi-user/multi-tasking/portability/scalability/reliability etc. & so very long ago, most anything else was (still is) a mere toy by comparison imo.
RonJohn63 (4 months ago)
scp and ssh are not part of Unix. (However, the C language is at the root of all these problems. You wouldn't see them if stricter languages were used.)
William Dye (4 months ago)
If you use SCP a lot, consider pronouncing it as "skip". syllable_count+=-2
John Redberg (4 months ago)
Ugghh, I just watched a tutorial where the guy pronounced commands ending in "ctl" as "kettle" and "ifconfig" as "if-config" (like the conditional conjunction). Just terrible. It shouldn't take a peach from uklah to know the diff btw an abbrev and an ACRON.
William Dye (4 months ago)
Yep; except in Bash, which is where I'm usually using scp.
BuckieTheCat (4 months ago)
Or syllable_count-=2 Just saved an entire character
David Wührer (4 months ago)
I never pronounce it. I type it in.
MrMalchore (4 months ago)
What if you change permissions of your bash_profile or bashrc to be not writable? Once they're set up proper you don't often make changes so it's not unreasonable to force yourself to manually change the permissions to +WRITE if you really want to make a change.
Angelo Pengue (4 months ago)
It is naive to believe that only those files can be changed.
Baby Bop (4 months ago)
MrMalchore that only protects those files though
pranav kumar (4 months ago)
Can you give an example of software and explain that will replace the scp at remote server, please
Robert de Bath (4 months ago)
Use SFTP. It's designed for untrusted services.
Did he say SEC or SCP? 🤔 I actually clicked thinking he was talking about STD.
sesc79 (3 months ago)
Standard deviation?
Marco D'Agostini (4 months ago)
Is Rsync safe? or does it use scp on the background?
Robert de Bath (4 months ago)
Rsync does NOT use scp, it uses ssh (or some other remote execution command with a similar interface or just a socket). It is _probably_ safe to use with untrusted hosts as the documentation specifically excludes the case where both source and destination are remote. This implies it works more like sftp rather than scp where "scp remote1:file.gz remote2:dirname" is EXACTLY THE SAME as "ssh remote1 scp file.gz remote2:dirname"
Chetar Ruby (4 months ago)
I would say this is a mostly useless exploit, as it does require you compromise at least one machine in some other way first. But fascinating nonetheless and I'm always happy to see disclosure of known flaws that could be potential exploits.
Reth Tard (4 months ago)
You shouldn't underestimate the real hackers about what they can achieve using these "useless exploits".
Jonas D. Atlas (4 months ago)
I assume the reason it believes that filename is because of "scp -r" in which case it needs to believe the server. You would probably notice, though - scp prints out the name of every file you copy, after all. Also, if a server you're connecting to and copying files from is compromised or actively trying to attack you (mind you, this probably requires root to access /usr/bin on the server) you've probably got worse problems than this.
Jonas D. Atlas (4 months ago)
+John Francis Doe That's... not pretty. I took the time to actually read through the paper a minute ago and have to agree that's a bit worse than it seems just from this video - they only talked about CVE-2019-6111, not the other three, presumably because the others would take longer to explain. Ability to change the directory permissions could get a bit ugly depending on the directory you're running scp in, and I agree that the fact that scp doesn't filter control codes at all makes it easy to hide what you're doing. Still, most people probably won't scp from a compromised or untrusted system - although I could think of some scenarios in which you might, but it's probably not going to happen that often.
John Francis Doe (4 months ago)
Jonas D. Atlas Two of the 4 vulnerabilities in that paper attacks the printing of file names. Another attacks something that isn't even printed (permissions on the target directory).
Tytan64 (4 months ago)
Do you think it's bad practise to "cat /path/to/file | ssh [email protected] "cat > path to file"" or "ssh [email protected] "cat /path/to/file" | cat > /path/to/file" to transmit files from or to other machines?
Tytan64 (4 months ago)
+David Wührer thanks for sharing your thoughts and experience :)
Tytan64 (4 months ago)
+Robert de Bath thanks for sharing your thoughts and experience :)
David Wührer (4 months ago)
I think it is bad practice to enter that every time, rather than wrapping it in an executable script in your PATH.
Robert de Bath (4 months ago)
That's fine, as is sftp for an untrusted server. The "problem" with SCP is in its manual (so this is a PEBKAC): the SCP command is sent to the file source host and that host sends the file.
KÆSHΔV DΔNΞSH (4 months ago)
The foundation wants to know your location.
Noah Whelpley (4 months ago)
SCP-079 boutta breach containment with this bug
xXD1GxDUGXx (4 months ago)
There's a containment breach in your computer.
Martin Mehawk (4 months ago)
Secure. Contain. Protect.
Philipp Blum (4 months ago)
So, you have to attack the other system to attack another system. I see this as very unlikely to happen. If you are able to execute commands on the other machine, you will already have enough other problems. But of course: should be fixed. How about rsync?
David Wührer (4 months ago)
It is not unlikely to happen at all. If you want to infect a lot of systems, you have to start with one.
chaoslab (4 months ago)
But... But... I thought SCP stood for Secure Contain Protect! /joke
dasten123 (4 months ago)
You know it's secure if it has an "s" in the name
Ilja Sara (4 months ago)
Gregery Barton (4 months ago)
They should stop putting 'secure' in the name of software.
David Wührer (4 months ago)
scp is a secure replacement for rcp. Nobody uses rcp anymore. What name would you suggest for a more secure copy program that is intended to replace the blatantly insecure remote copy program named rcp?
Niko L (4 months ago)
dash. it's called a dash.
Jakob Lindskog (4 months ago)
cat /etc/exploits | sort -R | head -n 1 | computerphile --steve keep em exploits vids coming boii don't break the pipe
Jakob Lindskog (4 months ago)
+John Redberg no, Steve would be sad
John Redberg (4 months ago)
... > /dev/null
Darthane (4 months ago)
Interesting video. Thanks for the heads up about this particular one. I use WinSCP on a daily basis, but of course in this instance I trust the machine I'm connecting to not to have malicious code on it.
Kerns Noel (4 months ago)
Umm Honestly.. the problem I have is that the control of 'what the user receives & is able to see' aren't exactly one and the same. I would rather not allow the program the ability to deliver whatever file it wanted under what data it wants.. seems flawed logic from a security standpoint, if all you have to do is alter the scp/rcp program to deliver a modified crc & file instead.. so that every file could literally have code executed from a program or trackers installed... even from a clean storage source.
Kerns Noel (4 months ago)
+David Wührer Never said it executed code. but unless you've a way to verify the file.. it'd likely get executed anyways (given how few anti-virals there are for Linux based systems) the fundamental problem isn't the 'state' of the server (as quite honestly a smart hacker, a devious hacker, isn't going to give away the ground zero of the infection/malware... they'll cloak it if possible) and say it's a file server of some kind for a school, or another kind of organization... The issue is that the 'host of the entire problem', the compromised server, will never show any problems, and even if the files are examined, unless the scp/rcp code & files are strictly examined, the infections & issues will continue.
David Wührer (4 months ago)
Why do you mean? To alter the scp you already need root. And of course it can deliver whatever it wants. That is what it is there for. It doesn't execute code on the client machine. But it can overwrite a file that will be executed by some other process. That may be the user's intention.
David Chipman (4 months ago)
I love these detailed security bug videos Dr. Bagley does! Don't want to ask for more though.
Flare03l (4 months ago)
I always use rsync nowadays
TheGrimElite Gamer (4 months ago)
Remember, don't blin- *C R O N C H*
mistercohaagen (4 months ago)
Jaylah ; ) You lovely dork, you.
Zaphod Breeblebrox (4 months ago)
Sounds like bad things could be put in the | pipe perhaps too, in regards to the command run on the remote machine.
Robert de Bath (4 months ago)
Exactly. "scp remote1:file.gz remote2:dirname" is EXACTLY THE SAME as "ssh remote1 scp file.gz remote2:dirname"
Web Dog (4 months ago)
Yeah but this applies to everything else on a malicious server too. How do you know a mail server isn’t injecting malicious code that exploits a 0-day on your email client?
Sebastian Ramadan (3 months ago)
This is called minimalisation. If this bug were in your web browser, your browser might think it's downloading and storing a .gif or .jpg file into a temporary folder where instead it is downloading a boot.ini into your windows directory... how does that sound? Right, the browser needs to properly sanitise and validate everything that the server responds with... just like all other client software.
Kraio (4 months ago)
You know what that emoji (your profile picture) means, right?
John Francis Doe (4 months ago)
Web Dog BINGO, and this is a 0-day in the SCP client, and the idiots in this video are publishing before the fix is available, which is almost universally recognized as highly irresponsible.
Robert de Bath (4 months ago)
+Z3U5 Nope, not checksums. Signed checksums maybe, but that leads you to certificates and CAs and eventually "reflections on trusting trust".
oskado95 (4 months ago)
I just know Dr. Bright is somehow responsible for this
Nodymus (4 months ago)
And as we know chainsaw is the only solution
Maverick3334 (4 months ago)
I think it's Dr. Maynard
Phy (4 months ago)
I'd ask the owner of the server to come with me to a certain Ikea store for some furniture...
TYKUHN2 (4 months ago)
This vulnerability doesn't seem particularly bad. Poorly designed? Sure. But it does rely on breaching the server and being able to write to /usr/bin with the breach.
Sebastian Ramadan (3 months ago)
To put this into perspective, before MS-Blaster many people were of the opinion that a virus could not automatically execute when attached to an email... now we can observe this in behaviour nowadays, many people think they are safe on the web if they simply avoid the "shadier" parts of the web... or if we use some particular OS instead of another... or maybe we prefer some particular browser... it's the same flaw, in our human brains, causing us to have some blinding false sense of confidence. The false confidence is ultimately the problem we need to overcome as society, so that we can see the things that the confidence is blinding us from: automatic updates, antivirus software, network intrusion detection systems... the things we need to focus on but are instead of the belief that we don't need them.
Sebastian Ramadan (3 months ago)
Right... and the cause of the problem should be easy to locate. Some of our more severe bugs are so difficult to locate in the first place that they don't surface as anything more than a "random crash" until many years pass when it's discovered that those crashes are vulnerabilities, and some malware is now using the vulns to spread... those are the ones to watch out for, and they've been documented for a long time too. In this case, it is as you said, pretty much just poor design and not a serious bug in the bigger picture, at least not one that could be automated. As a society we REALLY need to keep putting emphasis on the more serious bugs, too... we can't have Windows XP and MS-Blaster all over again, right?
xXPORTALXx (3 months ago)
+Andrew Frink yeah I agree, the root of the problem isn't really with the scp protocol, it's with server software protection. Ok obviously they shouldn't be able to send you anything they want instead or with your requested files, but it wouldn't make much difference if the file has the same name and type as you requested, but once run takes over your machine. It's a vulnerability, but if the server is compromised it doesn't matter much how it works.
Jeff Smith (3 months ago)
+John Francis Doe If there are any remaining log files on a compromised server it probably wasn't a very sophisticated attack.
leathernluv (4 months ago)
Your .bashrc or similar could do that after being dl'd though. A bash script can dump an executable, run it, that executable escalates privileges and installs VM software so the root kit is undetectable, then installs the root-kit. Now I eat your CPU as I mine for crypto currency on your CPU, not your GPU. F^%$ your identity, I'm getting paid! (Then again, I get that too.) All I have to do is compromise that server people love to SCP from, now they all pay me and it hurts both times. Look up self extracting bash scripts.
Stay EZ My Friends (4 months ago)
I'm going to use this information to make my server malicious right now so I can rek myself.
David Wührer (4 months ago)
You better check yourself before you rek yourself. Why not turn it into a security feature? Have your server's scp overwrite your most precious files every time you access it, just in case someone got access to your lurkstation and maliciously changed them.
Opinion Discarded (4 months ago)
This is a kind of dumb exploit, but I guess it works on noobs with no custom .bashrc files. Unless the attacker gets lateral movement to another host, they're going to get shut down pretty damn quickly.
David Wührer (4 months ago)
.bashrc is not the only possible target. It could also install something into .config/autostart/.
Das OSi (4 months ago)
can't watch this video, just this one, not on this website, not on kodi, not on my phone...
Black Hermit (4 months ago)
That vulnerability is not that bad, I even recall walking down the street with my dog Naspop and he told me that it would be discovered by the researchers minus all the possibilities already running on that machine. If you run SCP on that, it would never reveal to you its source code, so you should just download it and see for yourself.
John Francis Doe (4 months ago)
David Wührer And you won't get a file named not-at-all-scp-this-is-where-I-keep-important-stuff instead...
David Wührer (4 months ago)
So: scp /usr/bin/scp . You'll surely get the genuine installed program that doesn't hide the trojan at all.
Psdnmstr (4 months ago)
Format Lux (3 months ago)
“Take your dreams seriously.”— Author Unknown
Games14159 (4 months ago)
UPDATE: redacted sections have been revealed to be "buttered" and "croissant".
Masterhitman935 (4 months ago)
Secure copy protocol? Or a cover up?
JetPackJan (4 months ago)
the video is in 360p for me, anyone else? :D
Robert de Bath (4 months ago)
Youtube issue, they recode the videos slowly. When computerphile release "too quickly" the higher resolutions aren't ready yet.
