
Secure Copy Vulnerability (SCP) - Computerphile

2649 ratings | 82703 views
Secure Copy is flawed, and the flaw goes back over 30 years. Dr Steve Bagley explains just how 'secure' it is. https://www.facebook.com/computerphile https://twitter.com/computer_phile This video was filmed and edited by Sean Riley. Computer Science at the University of Nottingham: https://bit.ly/nottscomputer Computerphile is a sister project to Brady Haran's Numberphile. More at http://www.bradyharan.com
Text Comments (283)
Sebastian Ramadan (13 days ago)
Ah, haha, input validation error... nice.
[Accessing to SCP-079] [Loading...] [Access Denied]
Emmett Turner (18 days ago)
Couldn’t help but notice that you called the period “full stop” ever since I learned that you guys think of a menstrual cycle when a North American says “period.” :)
chroma (19 days ago)
I sort of consider it a lost cause once an infiltrator has attained superuser access to a peer host anyway as they could also just alter the content of the sensitive file(s) you intend to retrieve and achieve the same result.
Matthew Johnson (20 days ago)
how often do you ssh to a remote server that isn't yours and start copying files? not much for me...
Format Lux (21 days ago)
“You cannot save people, you can just love them.”
hmmm (22 days ago)
Magic-wormhole anyone?
Tomas Brod (23 days ago)
Poor design.
Joshua (25 days ago)
Wow, that does not sound too complicated. Maybe just make an alias on the server for scp to make it transfer something else.
Anthony Lewis (25 days ago)
Pro tip: don't connect to servers that might be compromised.
BroTGM Films (27 days ago)
I’m offended
Konev God (27 days ago)
How to make HQ dorks ??
redline (30 days ago)
well it's just cp if it's not secure then
David Somers-Harris (30 days ago)
I don't think I've ever pulled files using scp. I always push, because I often need to access the remote server first to check the file path and names anyways.
hytlerson (30 days ago)
20MB/s not that fast...WTF
Patrick McDermott (1 month ago)
This is one of my favorite Computerphile teachers
KooriShukuen (1 month ago)
I think this might be one of the most technical Computerphile videos, oddly enough.
ZipplyZane (1 month ago)
If it can't go up the directory structure, then just always download files into their own directory, then move the result out of the directory to your desired location, and then wipe the directory. Just to be sure.
leathernluv (1 month ago)
To sum up: When writing client code, treat it like server code. If the server should never trust the client, the client should never trust the server! Man, does all this make me *almost* miss null modem connections before the internet. Look up *self extracting bash scripts*.
Juan Diego Calle (1 month ago)
does rsync over ssh have the same problem?
Robert de Bath (1 month ago)
Yes.
zwz • zdenek (1 month ago)
It's surely bad that it can write self-launching files, but you should always make a judgement whether you trust a server you download from or not. It's not much worse than any kind of malicious server. It could just send you droppers and the effect would be the same. I don't see them patching away the executable bit since that would break the faithfulness of the copying process.
y2ksw1 (1 month ago)
I never used scp ... though I find it very funny, that this kind of bug is there for so long, and my question now is, how many more standard commands are affected?
ze yama marlos !!! (1 month ago)
Scp...
Justin O'Brien (1 month ago)
This sounds zackly like the GNU-Emacs cuckoo egg "feature".
Fopenplop (1 month ago)
anyone else think Steve Bagley is a snack and a half?
Warp Zone (1 month ago)
Item #: SCP-25519 Object Class: Euclid Special Containment Procedures: Instances of SCP-25519 are stored in an un-powered state within a high-value materials locker at Site-15. A cover story of a security vulnerability in the Secure Copy Protocol has been disseminated to explain away the anomalous behavior and encourage the replacement of the protocol. Mobile Task Force Mu-4 ("Debuggers") is tasked with the recovery or destruction of all remaining instances. Description: SCP-25519-1 is a Macbook Pro formerly owned by Dr. █████ ██████. When a valid Secure Copy request is sent from this device to another terminal, all computers with the same IP address as the target terminal, everywhere in the world, attempt to execute this request simultaneously, regardless of their physical location or network configuration. Up to ██ additional instances of SCP-25519 are believed to be currently operational, based on the current rate of anomalous file transfers. It is speculated that creating a new instance of SCP-25519 requires significant, but not insurmountable resources, based on the current rate of increase in anomalous activity worldwide. By order of the O-5 council, Foundation usage of SCP-25519 to eliminate other instances is considered a last resort to prevent a BK-Class Public-Awareness scenario, should the rate of anomalous requests exceed █% prior to the widespread replacement of the Secure Copy Protocol.
Michael Lin (1 month ago)
They just HAD to name it `scp`.
tony tromp (1 month ago)
So.. would alias work as well? If you know the full command, could you alias it to download something else?
DusteDs Stuff (1 month ago)
* a file that is run every time I open up a bash shell (which is presumably all the time)
Jari Komppa (1 month ago)
"Niska" means "neck" in finnish.
Sinan Akkoyun (1 month ago)
Is it patched?
ViralTaco (1 month ago)
I just use sftp… Didn't ever really pay attention to scp
thrillscience (1 month ago)
why are you using passwords instead of a keypair?
Robert de Bath (1 month ago)
He's using a passworded key file (check the ssh log) though I would expect him to be using an agent too.
Alexander McColl (1 month ago)
So the solution is a hash check on the files or if the overhead on that is too much a 'which scp' check on the server?
John Francis Doe (1 month ago)
Alexander McColl It's not about file _content_ it's about the _filename_ !
LimeGreenTeknii (1 month ago)
So you're saying there's been an SCP containment breach.
why tho? (1 month ago)
SCP-■■■■ BREACHED CONTAINMENT ON-SITE NUCLEAR WARHEAD CODENAME : FOX-■■ WILL BE DETONATED IN 2 MINUTES
Roshin Varghese (1 month ago)
I wish he demonstrated the flaw by sending back a different file to the client
asailijhijr (1 month ago)
Another long-term security hole that we can assume the NSA knew about but didn't tell us.
Ian Maddox (1 month ago)
So you ask for one thing and get something completely different? If that's a vulnerability, I've been pwned by pretty much every Burger King drive through.
John Francis Doe (1 month ago)
Ian Maddox You ask for a burger in your hand but get a live handgrenade thrown into the back seat, because somehow the bullet proof glass between front and back seat automatically opens up whenever you stick your head out the front window, just in case you were ordering extra burgers.
haploide allel (1 month ago)
Hello @Computerphile, I would like to make a request about subtitling. There seems to be no CC/subs at all on your videos. I wonder if that is by choice, or that it might have never occurred to you that it is not activated... Would you mind considering activating the CC/subs on your videos, even if that means 'crappy' autoCC? Because even with the quality lacking autoCC'ing, it would still help us viewers understanding your content even better. Also, it might help you reach an audience that really relies on CC/subs (the hard of hearing and all); but also the part of your audience that might not be fluent in English (Dutchie myself here)... Thank you for all the trouble and effort you put into making these great informative videos; hopefully, I don't come across as 'entitled'. If so, I blame the language barrier ;)
Tamzagha4ever (1 month ago)
SCP stands for the SCP Foundation, wth is wrong with this channel
QuantumOverider (1 month ago)
Meh, gotta break ssh to get in first, before sending bad commands. Linux permission has loopholes too, no one worries about it.
David Wührer (1 month ago)
No, it doesn't matter how you get in. Could be as simple as physical access while the admin is distracted. Once you are in, this is a way with which you can get into other machines automatically. And what loop hole are you talking about? The second most widely used operating system in the world after MINIX has a lot of people who are paid to take any even potential vulnerability very seriously.
otiagomarques (1 month ago)
just use iCloud, man
otiagomarques (1 month ago)
+David Wührer *AirDrop
David Wührer (1 month ago)
There is no cloud. There is only other people's machines.
Reckless Roges (1 month ago)
and that's why we use rsync
Paul Campbell (1 month ago)
Surely one would consider making the .bash* files read only? As those files exist, unless I'm mistaken attempting to overwrite them would be governed by the existing files perms? Alternatives are to harden bash so that it will only execute a .bash_profile with user read and execute perms and prevent SCP from setting file modes on downloads to +x
John Francis Doe (1 month ago)
Paul Campbell Making the profile scripts executable is not standard. And they are not required to exist, so a remote server could silently drop one you don't already have.
Paul Campbell (1 month ago)
Hard to solve for instances like: scp -r [email protected]:/some/directory/ someLocalDir/ You haven't asked for any particular file so you can't validate what you receive. You mention "that the files sent match the wildcard". This is obviously impossible: if the sshd binary has been compromised it will just send the directory listing to include its active payload file.
John Francis Doe (1 month ago)
Paul Campbell The client /usr/bin/ssh must never trust the remote /usr/sbin/sshd to obey the protocol (except to the detriment of said remote itself). If you don't request X11 forwarding, no X11 should be forwarded. If you request forwarding local port 11111 to remote port 22222, nothing should happen to local port 33333. Ditto with the scp plugin to ssh.
David Wührer (1 month ago)
If your wildcard is an asterisk. It might be something else.
b1g bo1 (1 month ago)
ITS 137 RUN
Joshua Nelson (1 month ago)
SCP-079
My scp doesn't have a version because it's a part of openssh... And its version is 7.9p1-1.
Staś (1 month ago)
You'd have to have SIP feature disabled to replace /usr/bin/scp, so not that easy on osx
John Francis Doe (1 month ago)
Staś Never mind OS/X. This is across all brands of server with all kinds of changes on them.
AlagaiKa (1 month ago)
I am somehow baffled by the comments here. 1) Just because the exploit needs to first get access to one system in order to then be able to affect others, this does not make it harmless. That's how most malware acts and it can be a serious vector of attack. 2) The step from being able to serve malicious file content to being able to save the file content in a location that the user did not intend is not trivial. If i copy a file from an untrusted source I know not to blindly execute it or open it with some complex program that might have a vulnerability that is triggered by malicious content. I do, however, expect that I should be able to receive a file from a remote system, open it with a simple text editor on my machine that I trust, and delete it afterwards - without being exposed to a security risk, no matter how malicious the server is.
Secure Contain Protect
subliminalvibes (1 month ago)
You down with SCP? YEAH, YOU KNOW ME!
Robert de Bath (1 month ago)
Hey Steve, why aren't you using ssh-agent?
Aleks D (1 month ago)
SCP does have a security flaw. You don't want to be trapped with SCP-173
Sourav Goswami (1 month ago)
I didn't understand. It seems so obvious. It's a feature. Say you want to download a PDF (from Linux server) and you got a virus PDF (on windows). Almost the same thing! If you modify rpi.img file and patched it with keyloggers, yeah, you download that! Isn't it obvious? I have a .bashrc file with a big PS1 variable, and I like that, and I need my aliases on other machine. I copy .bashrc file to another machine. And I need to do that, and SCP should allow me to do that. If you make mistake, you made mistake. If you remove / with rm, you don't say it's a rm bug, you are solely that bug who can do whatever. So I think it's a SCP feature. Where's the bug then?
David Wührer (1 month ago)
The bug is that the server can send you a file you didn't ask for. Not just a different content, a different file name as well.
Robert de Bath (1 month ago)
Seriously! This is considered a bug! It's how the thing is documented to work. (Though I'll admit there's been some dumbing down of more recent manual pages) The documentation still implies that the SCP command is run on the machine that the files are coming from and that sends the files to the destination. There's even an option on recent scp (the "-3") to proxy through the current machine for when "remote1" cannot connect to "remote2" but "localhost" can. EDIT: ... You can invoke this so called bug by adding scp() { exec /usr/bin/scp "$@" /etc/passwd; } rsync() { exec /usr/bin/rsync "$@" /etc/passwd; } to the top of your .bashrc, yes rsync has it too. PEBKAC error IMO. Oh well, I suppose PEBKAC workarounds are the vast majority of a programmer's work.
Robert de Bath (1 month ago)
+John Francis Doe Actually, I just tried this with "rsync 'raspian1:hello world.txt' ." it gave me the "hello" file. So rsync has this so called bug too. EDIT: ... You can invoke this _so called bug_ by adding scp() { exec /usr/bin/scp "$@" /etc/passwd; } rsync() { exec /usr/bin/rsync "$@" /etc/passwd; } to the top of your .bashrc
Robert de Bath (1 month ago)
+John Francis Doe Actually, that is exactly the relevance. With *Z*modem you run a command on the shell, just like scp and that command sends the filenames back to your terminal emulator using its autostart sequence. Like I said in the other message, the OpenSSL documentation glosses over the fact.
John Francis Doe (1 month ago)
Robert de Bath Once again. That SCP is run as a subprocess on the remote is as irrelevant as XMODEM being run on the remote. It's about the remote unexpectedly controlling the local file name!
Will Ferrous (1 month ago)
Guys, I have a joke. The ethics committee.
Whomping Walrus (1 month ago)
Fortunately most SCP usage in the wild isn't with an untrusted server.
David Wührer (27 days ago)
How would you know if a server you trust has been compromised?
Whomping Walrus (1 month ago)
+David Wührer The opposite.
David Wührer (1 month ago)
You trust compromised servers?
jamcdonald120 (1 month ago)
wouldn't this work fine even if scp was fine? The server provides everything, length, check sum, and bits, we have no way to verify the server didn't hand wave the file? is the exploit that it can change the name of the downloaded file?
jamcdonald120 (1 month ago)
I see, that makes sense
David Wührer (1 month ago)
Yes. You don't have control over the file content, but at least you should have control over where the file is put.
jamcdonald120 (1 month ago)
+David Wührer ah i see, where as a bad server could just serve a bad file, but with the requested name?
David Wührer (1 month ago)
No, the vulnerability is that it can serve you any file with any name that you didn't ask for.
RunItsTheCat (1 month ago)
Dee boiz got the omni key
LMacNeill (1 month ago)
Unix was written by a couple of guys who were on an internal company network -- AT&T in particular. They never imagined it would not only be installed on many networks AT&T didn't own, but that it would quite literally become the backbone of the Internet! They simply did not imagine the security issues that we continually run into -- even 40 years later! It's so fascinating to see how these things crop up - and makes me wonder what will be next! ;-) Excellent video, as usual, Computerphile.
David Wührer (27 days ago)
@RonJohn63 This particular problem has nothing to do with C. And I would argue that they are part of UNIX, even though they are not part of the POSIX specification nor necessary for a Unix certification.
realcygnus (30 days ago)
yup it's amazing how clever those dudes were. It was built from the ground up, for need (pure purpose), not on a budget, with time constraints or superficial bells & whistles to appease a marketing team etc. All of the practical considerations they made for multi-user/multi-tasking/portability/scalability/reliability etc. & so very long ago, most anything else was (still is) a mere toy by comparison imo.
RonJohn63 (1 month ago)
scp and ssh are not part of Unix. (However, the C language is at the root of all these problems. You wouldn't see them if stricter languages were used.)
William Dye (1 month ago)
If you use SCP a lot, consider pronouncing it as "skip". syllable_count+=-2
John Redberg (1 month ago)
Ugghh, I just watched a tutorial where the guy pronounced commands ending in "ctl" as "kettle" and "ifconfig" as "if-config" (like the conditional conjunction). Just terrible. It shouldn't take a peach from uklah to know the diff btw an abbrev and an ACRON.
William Dye (1 month ago)
Yep; except in Bash, which is where I'm usually using scp.
BuckieTheCat (1 month ago)
Or syllable_count-=2 Just saved an entire character
David Wührer (1 month ago)
I never pronounce it. I type it in.
MrMalchore (1 month ago)
What if you change permissions of your bash_profile or bashrc to be not writable? Once they're set up proper you don't often make changes so it's not unreasonable to force yourself to manually change the permissions to +WRITE if you really want to make a change.
Angelo Pengue (1 month ago)
It is naive to believe that only those files can be changed.
Baby Bop (1 month ago)
MrMalchore that only protects those files though
pranav kumar (1 month ago)
Can you give an example of software and explain that will replace the scp at remote server, please
Robert de Bath (1 month ago)
Use SFTP. It's designed for untrusted services.
Did he say SEC or SCP? 🤔 I actually clicked thinking he was talking about STD.
sesc79 (26 days ago)
Standard deviation?
Marco D'Agostini (1 month ago)
Is Rsync safe? or does it use scp on the background?
Robert de Bath (1 month ago)
Rsync does NOT use scp, it uses ssh (or some other remote execution command with a similar interface or just a socket). It is _probably_ safe to use with untrusted hosts as the documentation specifically excludes the case where both source and destination are remote. This implies it works more like sftp rather than scp where "scp remote1:file.gz remote2:dirname" is EXACTLY THE SAME as "ssh remote1 scp file.gz remote2:dirname"
Chetar Ruby (1 month ago)
I would say this is a mostly useless exploit, as it does require you compromise at least one machine in some other way first. But fascinating nonetheless and I'm always happy to see disclosure of known flaws that could be potential exploits.
Reth Tard (1 month ago)
You shouldn't underestimate the real hackers about what they can achieve using these "useless exploits".
Jonas D. Atlas (1 month ago)
I assume the reason it believes that filename is because of "scp -r" in which case it needs to believe the server. You would probably notice, though - scp prints out the name of every file you copy, after all. Also, if a server you're connecting to and copying files from is compromised or actively trying to attack you (mind you, this probably requires root to access /usr/bin on the server) you've probably got worse problems than this.
Jonas D. Atlas (1 month ago)
+John Francis Doe That's... not pretty. I took the time to actually read through the paper a minute ago and have to agree that's a bit worse than it seems just from this video - they only talked about CVE-2019-6111, not the other three, presumably because the others would take longer to explain. Ability to change the directory permissions could get a bit ugly depending on the directory you're running scp in, and I agree that the fact that scp doesn't filter control codes at all makes it easy to hide what you're doing. Still, most people probably won't scp from a compromised or untrusted system - although I could think of some scenarios in which you might, but it's probably not going to happen that often.
John Francis Doe (1 month ago)
Jonas D. Atlas Two of the 4 vulnerabilities in that paper attack the printing of file names. Another attacks something that isn't even printed (permissions on the target directory).
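Added example (not code from the video, the paper discussed in this thread, or OpenSSH): the check that the comments above keep circling, namely that the receiving client must compare the file name the server announces against the name it asked for, shown on the scp wire format. An scp server announces each file with a `C<mode> <size> <name>` line, then sends `<size>` payload bytes and a status byte; the vulnerable client wrote whatever `<name>` said. The parser below is a minimal re-implementation of that receiving side with the missing validation: reject names with path components, names containing control bytes (the terminal-hiding trick the thread mentions), and any name that was not requested. The sample streams are constructed, not captured from a real server.

```python
import re
from dataclasses import dataclass
from typing import Iterator, Optional

# One 'C' record, as an scp server announces each file before its bytes:
#   C<4 octal mode digits> <size in bytes> <name>\n
# followed by exactly <size> payload bytes and one status byte (0 = ok).
# The client's own 0-byte acknowledgements are not part of the
# server->client stream parsed here.
C_RECORD = re.compile(rb"^C([0-7]{4}) ([0-9]+) (.*)$", re.DOTALL)


@dataclass
class FileRecord:
    mode: int
    size: int
    name: bytes
    data: bytes


def parse_records(stream: bytes) -> Iterator[FileRecord]:
    """Split a captured server->client stream into C records (D/E/T records are not handled)."""
    pos = 0
    while pos < len(stream):
        nl = stream.find(b"\n", pos)
        if nl < 0:
            raise ValueError("record header without newline")
        m = C_RECORD.match(stream[pos:nl])
        if not m:
            raise ValueError("unsupported or malformed record: %r" % stream[pos:nl])
        mode, size, name = int(m.group(1), 8), int(m.group(2)), m.group(3)
        start = nl + 1
        data = stream[start:start + size]
        if len(data) != size:
            raise ValueError("truncated payload for %r" % name)
        pos = start + size + 1          # skip payload and the server's status byte
        yield FileRecord(mode, size, name, data)


def rejection_reason(name: bytes, requested: set) -> Optional[str]:
    """Why a server-announced name must not be written; None if it is acceptable."""
    if b"/" in name or name in (b"", b".", b".."):
        return "path component in name"          # no directory traversal
    if any(c < 0x20 or c == 0x7F for c in name):
        return "control byte in name"            # would corrupt what the terminal shows
    if name not in requested:
        return "file was not requested"          # the check the vulnerable client lacked
    return None


def receive(stream: bytes, requested: set) -> tuple:
    """Walk the stream; return (accepted {name: data}, first rejection reason or None).

    Stops at the first unacceptable record, as a client should: a bad record
    never reaches disk and nothing after it is trusted either.
    """
    accepted = {}
    for rec in parse_records(stream):
        why = rejection_reason(rec.name, requested)
        if why is not None:
            return accepted, "%s: %r" % (why, rec.name)
        accepted[rec.name.decode("utf-8", "surrogateescape")] = rec.data
    return accepted, None


# Constructed sample streams (not captured from a real server).
HONEST = b"C0644 5 hello\nhello\x00"
EXTRA_FILE = HONEST + b"C0644 11 .bashrc\necho pwned\n\x00"   # second, unrequested file
TRAVERSAL = b"C0644 5 ../.bashrc\nhello\x00"                  # path in the announced name
HIDDEN = b"C0644 5 hello\x1b[2K\nhello\x00"                  # ANSI escape inside the name

if __name__ == "__main__":
    for label, stream in [("honest", HONEST), ("extra", EXTRA_FILE),
                          ("traversal", TRAVERSAL), ("hidden", HIDDEN)]:
        print(label, receive(stream, {b"hello"}))
```

The `requested` set is the list of bare file names the user typed; for a recursive copy (`scp -r dir`) there is no such list, which is exactly the case the thread notes is hard to validate, and the client can then only enforce the path and control-byte rules.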
Tytan64 (1 month ago)
Do you think it's bad practise to "cat /path/to/file | ssh [email protected] "cat > path to file"" or "ssh [email protected] "cat /path/to/file" | cat > /path/to/file" to transmit files from or to other machines?
Tytan64 (1 month ago)
+David Wührer thanks for sharing your thoughts and experience :)
Tytan64 (1 month ago)
+Robert de Bath thanks for sharing your thoughts and experience :)
David Wührer (1 month ago)
I think it is bad practice to enter that every time, rather than wrapping it in an executable script in your PATH.
Robert de Bath (1 month ago)
That's fine, as is sftp for an untrusted server. The "problem" with SCP is in its manual (so this is a PEBKAC), the SCP command is sent to the file source host and that host sends the file.
KÆSHΔV DΔNΞSH (1 month ago)
The foundation wants to know your location.
Noah Whelpley (1 month ago)
SCP-079 boutta breach containment with this bug
xXD1GxDUGXx (1 month ago)
There's a containment breach in your computer.
Martin Mehawk (1 month ago)
Secure. Contain. Protect.
Philipp Blum (1 month ago)
So, you have to attack the other system to attack another system. I see this as very unlikely to happen. If you are able to execute commands on the other machine, you will already have enough other problems. But of course: should be fixed. How about rsync?
David Wührer (1 month ago)
It is not unlikely to happen at all. If you want to infect a lot of systems, you have to start with one.
chaoslab (1 month ago)
But... But... I thought SCP stood for Secure Contain Protect! /joke
dasten123 (1 month ago)
You know it's secure if it has an "s" in the name
Ilja Sara (1 month ago)
Gregery Barton (1 month ago)
They should stop putting 'secure' in the name of software.
David Wührer (1 month ago)
scp is a secure replacement for rcp. Nobody uses rcp anymore. What name would you suggest for a more secure copy program that is intended to replace the blatantly insecure remote copy program named rcp?
Niko L (1 month ago)
dash. it's called a dash.
Jakob Lindskog (1 month ago)
cat /etc/exploits | sort -R | head -n 1 | computerphile --steve keep em exploits vids coming boii don't break the pipe
Jakob Lindskog (1 month ago)
+John Redberg no, Steve would be sad
John Redberg (1 month ago)
... > /dev/null
Darthane (1 month ago)
Interesting video. Thanks for the heads up about this particular one. I use WinSCP on a daily basis, but of course in this instance I trust the machine I'm connecting to not to have malicious code on it.
Kerns Noel (1 month ago)
Umm Honestly.. the problem I have is that the control of 'what the user receives & is able to see' aren't exactly one and the same. I would rather not allow the program the ability to deliver whatever file it wanted under what data it wants.. seems flawed logic from a security standpoint, if all you have to do is alter the scp/rcp program to deliver a modified crc & file instead.. so that every file could literally have code executed from a program or trackers installed... even from a clean storage source.
Kerns Noel (1 month ago)
+David Wührer Never said it executed code. but unless you've a way to verify the file.. it'd likely get executed anyways (given how few anti-virials there are for Linux based systems) the fundamental problem isn't the 'state' of the server (as quite honestly a smart hacker, a devious hacker, isn't going to give away the ground zero of the infection/malware... they'll cloak it if possible) and say it's a file server of some kind for a school, or another kind of organization... The issue is that the 'host of the entire problem', the compromised server, will never show any problems, and even if the files are examined, and unless the scp/rcp code & files are strictly examined, the infections & issues will continue.
David Wührer (1 month ago)
Why do you mean? To alter the scp you already need root. And of course it can deliver whatever it wants. That is what it is there for. It doesn't execute code on the client machine. But it can overwrite a file that will be executed by some other process. That may be the user's intention.
David Chipman (1 month ago)
I love these detailed security bug videos Dr. Bagley does! Don't want to ask for more though.
Flare03l (1 month ago)
I always use rsync nowadays
TheGrimElite Gamer (1 month ago)
Remember, don't blin- *C R O N C H*
mistercohaagen (1 month ago)
Jaylah ; ) You lovely dork, you.
Zaphod Breeblebrox (1 month ago)
Sounds like bad things could be put in the | pipe perhaps too, in regards to the command run on the remote machine.
Robert de Bath (1 month ago)
Exactly. "scp remote1:file.gz remote2:dirname" is EXACTLY THE SAME as "ssh remote1 scp file.gz remote2:dirname"
Web Dog (1 month ago)
Yeah but this applies to everything else on a malicious server too. How do you know a mail server isn’t injecting malicious code that exploits a 0-day on your email client?
Sebastian Ramadan (13 days ago)
This is called minimalisation. If this bug were in your web browser, your browser might think it's downloading and storing a .gif or .jpg file into a temporary folder where instead it is downloading a boot.ini into your windows directory... how does that sound? Right, the browser needs to properly sanitise and validate everything that the server responds with... just like all other client software.
Kraio (1 month ago)
You know what that emoji (your profile picture) means, right?
John Francis Doe (1 month ago)
Web Dog BINGO, and this is a 0-day in the SCP client, and the idiots in this video are publishing before the fix is available, which is almost universally recognized as highly irresponsible.
Robert de Bath (1 month ago)
+Z3U5 Nope, not checksums. Signed checksums maybe, but that leads you to certificates and CAs and eventually "reflections on trusting trust".
oskado95 (1 month ago)
I just know Dr. Bright is somehow responsible for this
Nodymus (1 month ago)
And as we know chainsaw is the only solution
Maverick3334 (1 month ago)
I think its Dr.Maynard
Phy (1 month ago)
I'd ask the owner of the server to come with me to a certain Ikea store for some furniture...
TYKUHN2 (1 month ago)
This vulnerability doesn't seem particularly bad. Poorly designed? Sure. but it does rely on breaching the server and being able to write to /usr/bin with the breach.
Sebastian Ramadan (13 days ago)
To put this into perspective, before MS-Blaster many people were of the opinion that a virus could not automatically execute when attached to an email... now we can observe this in behaviour nowadays, many people think they are safe on the web if they simply avoid the "shadier" parts of the web... or if we use some particular OS instead of another... or maybe we prefer some particular browser... it's the same flaw, in our human brains, causing us to have some blinding false sense of confidence. The false confidence is ultimately the problem we need to overcome as society, so that we can see the things that the confidence is blinding us from: automatic updates, antivirus software, network intrusion detection systems... the things we need to focus on but are instead of the belief that we don't need them.
Sebastian Ramadan (13 days ago)
Right... and the cause of the problem should be easy to locate. Some of our more severe bugs are so difficult to locate in the first place that they don't surface as anything more than a "random crash" until many years pass when it's discovered that those crashes are vulnerabilities, and some malware is now using the vulns to spread... those are the ones to watch out for, and they've been documented for a long time too. In this case, it is as you said, pretty much just poor design and not a serious bug in the bigger picture, at least not one that could be automated. As a society we REALLY need to keep putting emphasis on the more serious bugs, too... we can't have Windows XP and MS-Blaster all over again, right?
xXPORTALXx (21 days ago)
+Andrew Frink yeah I agree, the root of the problem isn't really with the scp protocol, it's with server software protection. Ok obviously they shouldn't be able to send you anything they want instead or with your requested files, but it wouldn't make much difference if the file has the same name and type as you requested, but once run takes over your machine. It's a vulnerability, but if the server is compromised it doesn't matter much how it works.
Jeff Smith (30 days ago)
+John Francis Doe If there are any remaining log files on a compromised server it probably wasn't a very sophisticated attack.
leathernluv (1 month ago)
Your .bashrc or similar could do that after being dl'd though. A bash script can dump an executable, run it, that executable escalates privileges and installs VM software so the root kit is undetectable, then installs the root-kit. Now I eat your CPU as I mine for crypto currency on your CPU, not your GPU. F^%$ your identity, I'm getting paid! (Then again, I get that too.) All I have to do is compromise that server people love to SCP from, now they all pay me and it hurts both times. Look up self extracting bash scripts.
Stay EZ My Friends (1 month ago)
I'm going to use this information to make my server malicious right now so I can rek myself.
David Wührer (1 month ago)
You better check yourself before you rek yourself. Why not turn it into a security feature? Have your server's scp overwrite your most precious files every time you access it, just in case someone got access to your lurkstation and maliciously changed them.
Opinion Discarded (1 month ago)
This is a kind of dumb exploit, but I guess it works on noobs with no custom .bashrc files. Unless the attacker gets lateral movement to another host, they're going to get shut down pretty damn quickly.
David Wührer (1 month ago)
.bashrc is not the only possible target. It could also install something into .config/autostart/.
Das OSi (1 month ago)
can't watch this video, just this one, not on this website, not on kodi, not on my phone...
Black Hermit (1 month ago)
That vulnerability is not that bad, I even recall walking down the street with my dog Naspop and he told me that it would be discovered by the researchers minus all the possibilities already running on that machine. If you run SCP on that, it would never reveal to you its source code, so you should just download it and see for yourself.
John Francis Doe (1 month ago)
David Wührer And you won't get a file named not-at-all-scp-this-is-where-I-keep-important-stuff instead...
David Wührer (1 month ago)
So: scp /usr/bin/scp . You'll surely get the genuine installed program that doesn't hide the trojan at all.
Psdnmstr (1 month ago)
This really [REDACTED] my [DATA EXPUNGED]
Format Lux (21 days ago)
“Take your dreams seriously.”— Author Unknown
Games14159 (1 month ago)
UPDATE: redacted sections have been revealed to be "buttered" and "croissant".
Masterhitman935 (1 month ago)
Secure copy protocol? Or a cover up?
JetPackJan (1 month ago)
the video is in 360p for me, anyone else? :D
Robert de Bath (1 month ago)
Youtube issue, they recode the videos slowly. When computerphile release "too quickly" the higher resolutions aren't ready yet.
John Francis Doe (1 month ago)
WAIT, WHY ARE YOU PARTICIPATING IN IRRESPONSIBLE DISCLOSURE BEFORE THE PATCH HAS BEEN PORTED AND BUILT FOR ALL MAJOR DISTRIBUTIONS!
Robert de Bath (1 month ago)
Because it's a PEBKAC bug, it's in the manual.
Major Gnuisance (1 month ago)
Are you saying people shouldn't discuss vulnerabilities that are already publicly known before they're patched everywhere? Ridiculous. If anything, this video is doing a public service by raising awareness of the vulnerability so people can take precautions against it.
Mir5 (1 month ago)
lol wat
Tyler Swagar (1 month ago)
Who's copying files from an untrusted SSH server though?
Sebastian Ramadan (13 days ago)
Who thinks to check if the server they're copying files from has been hacked before copying files from it? Do you do that, Tyler? Or is every machine you copy files from considered "untrusted" owing to the possibility that it could have been hacked? I'd rather see things like the latter description... dunno about you.
Daniel Dawson (1 month ago)
True, but I'm thinking about the case where the attacker owns the actual server you're trying to connect to. Maybe that's unnecessarily paranoid, but it's not out of the realm of possibility, right?
Tyler Swagar (1 month ago)
+Daniel Dawson I only brought up the fingerprint to point out that there's no way to man-in-the-middle and connect to a rogue server the attacker controls or something.
Daniel Dawson (1 month ago)
So, changing only the executable changes the fingerprint? AFAIK, the host key is generated and stored under /etc/ssh when setting up the server, and the fingerprint helps detect that you're connecting to some other host than you thought you were, but not necessarily a changed server on the _same_ host. I admit I don't know this stuff for sure, though. Well, you have a point about an attacker having root. You mean replace a file on the server side? But that wouldn't cause you to receive a file with a different name, would it? Am I missing something?