Bug 1375941 (CVE-2016-5725) - CVE-2016-5725 jsch: ChannelSftp path traversal vulnerability
Summary: CVE-2016-5725 jsch: ChannelSftp path traversal vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-5725
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1375955
TreeView+ depends on / blocked
 
Reported: 2016-09-14 09:47 UTC by Martin Prpič
Modified: 2021-10-21 00:55 UTC (History)
58 users (show)

Fixed In Version: jsch 0.1.54
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in JSch that allows a malicious sftp server to force a client-side relative path traversal in jsch's implementation for recursive sftp-get. An attacker could leverage this to write files outside the client's download basedir with effective permissions of the jsch sftp client process.
Clone Of:
Environment:
Last Closed: 2021-10-21 00:55:02 UTC
Embargoed:

Attachments (Terms of Use)
Upstream fix (931 bytes, patch)
2017-12-12 21:44 UTC, Tomas Hoger 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3115 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Fuse/A-MQ 6.3 R5 security and bug fix update 2017-11-03 00:08:36 UTC

Description Martin Prpič 2016-09-14 09:47:44 UTC 
The following flaw was found in jsch:

A malicious sftp server may force a client-side relative path traversal in jsch's implementation for recursive sftp-get allowing the server to write files outside the clients download basedir with effective permissions of the jsch sftp client process.
Comment 1 Martin Prpič 2016-09-14 09:47:52 UTC 
External References:

https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-5725
Comment 6 errata-xmlrpc 2017-11-02 20:08:51 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2017:3115 https://access.redhat.com/errata/RHSA-2017:3115
Comment 7 Tomas Hoger 2017-12-12 21:41:42 UTC 
This was fixed upstream in version 0.1.54, as noted in the upstream release announcement:

https://sourceforge.net/p/jsch/mailman/message/35318093/
Comment 8 Tomas Hoger 2017-12-12 21:44:03 UTC 
Created attachment 1366981 [details]
Upstream fix

There does not seem to be any public source repository for this project, hence attaching the relevant part of the diff between 0.1.53 and 0.1.54.
Comment 9 Tomas Hoger 2017-12-12 22:05:53 UTC 
This issue only affected Windows and platforms where backslash character '\' is a valid filesystem path separator.  Prior to the fix, a malicious sftp server could send a file with a name containing a sequence of ..\ which was then appended to the local destination directory name and resulted in the directory traversal on those platforms.  The code prior to the patch attempted to locate the last occurrence of slash '/' in the server-provided name to extract base file name to append to the destination directory name.  Therefore, directory traversal using ../ sequence was not possible.

The applied fix is more generic - it checks whether the constructed destination file name contains '..' and performs path name canonicalization if it does, followed by a check to ensure that the path does not point outside of the intended destination directory.
Note You need to log in before you can comment on or make changes to this bug.