CVE-2020-15778 PoC — OpenSSH OS Command Injection Vulnerability

Associated Vulnerability
Title: OpenSSH OS Command Injection Vulnerability (CVE-2020-15778)
Description: scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
Description
This script is a safe and simple tool that helps system users, students, and administrators check if their SCP (Secure Copy) client is vulnerable to CVE-2020-15778, a command injection vulnerability in OpenSSH SCP (versions ≤ 8.3p1).
Readme
### CVE-2020-15778 – OpenSSH SCP Command Injection Vulnerability (Detection Script)

## About

**CVE-2020-15778** is a command injection vulnerability discovered in the `scp` utility provided by OpenSSH (versions ≤ 8.3p1). The issue allows an attacker to execute arbitrary commands on the client system if a crafted destination argument (containing backticks) is passed to `scp`.

This repository includes a **safe detection and simulation script** written in Bash. The script helps users and system administrators:

- Identify whether their system's `scp` version is vulnerable
- Understand how the vulnerability works
- Test and detect risky command inputs (e.g., arguments containing backticks)
- Learn how to mitigate and avoid this vulnerability

## What is CVE-2020-15778?

In OpenSSH `scp`, versions up to 8.3p1 do not properly sanitize destination arguments before passing them to the shell. This allows an attacker to use shell metacharacters like backticks (`` ` ``) to inject arbitrary commands.

### Example of a Malicious Command

```
scp file.txt user@host:`touch /tmp/pwned`/file.txt
```

In a vulnerable SCP version, this will execute `touch /tmp/pwned` on the client’s machine when the command runs.

## Affected Versions

| SCP Version | Status         |
|-------------|----------------|
| ≤ 8.3p1     | Vulnerable     |
| ≥ 8.4p1     | Not Vulnerable |

---

## Script Features

This Bash script performs the following actions:

- Detects the current SCP version installed on the system
- Compares it against version 8.3p1 to determine if it is vulnerable
- Prompts the user to input a sample SCP destination string
- Analyzes the input for unsafe patterns (such as backticks)
- Displays warnings and provides guidance on mitigation
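
The version comparison and input analysis listed above can be sketched as follows. This is an added example, not the repository's `scp_cve_check.sh`: the function names and sample banners are assumptions constructed for illustration, the 8.3p1 threshold is taken from the Affected Versions table, and flagging metacharacters other than backticks goes beyond what the page lists.

```shell
#!/bin/sh
# Added example, not the repository's scp_cve_check.sh; function names are hypothetical.

# Print "MAJOR MINOR PATCH" parsed from an `ssh -V` style banner,
# e.g. "OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f" -> "8 2 1".
openssh_version() {
    v=${1#OpenSSH_}                 # drop the product prefix
    v=${v%%[ ,]*}                   # keep the first token: "8.2p1"
    v=${v##*_}                      # "for_Windows_8.1p1" -> "8.1p1"
    case $v in [0-9]*.[0-9]*) ;; *) return 1 ;; esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%[!0-9]*}          # digits before any "p" suffix
    case $major in *[!0-9]*) return 1 ;; esac
    [ -n "$minor" ] || return 1
    case $rest in
        "$minor"p[0-9]*) patch=${rest#"$minor"p}; patch=${patch%%[!0-9]*} ;;
        *) patch=0 ;;               # no portable-release suffix
    esac
    printf '%s %s %s\n' "$major" "$minor" "$patch"
}

# Exit 0 if the banner's version is <= 8.3p1 (the "Vulnerable" row of the
# table above), 1 if it is newer, 2 if the banner cannot be parsed.
scp_affected() {
    ver=$(openssh_version "$1") || return 2
    set -- $ver
    [ "$1" -lt 8 ] && return 0
    [ "$1" -gt 8 ] && return 1
    [ "$2" -lt 3 ] && return 0
    [ "$2" -gt 3 ] && return 1
    [ "$3" -le 1 ]
}

# Exit 0 if an scp destination contains backticks (the case named on this
# page) or other shell metacharacters (a generalization added here).
dest_is_risky() {
    case $1 in
        *'`'*|*'$('*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*) return 0 ;;
    esac
    return 1
}

# Constructed sample banners (not captured from a real host).
for banner in 'OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f' 'OpenSSH_9.6p1, OpenSSL 3.0.13'; do
    if scp_affected "$banner"; then echo "affected:     $banner"
    else echo "not affected: $banner"; fi
done
```

On a live system the banner can be supplied with `scp_affected "$(ssh -V 2>&1)"`, assuming `scp` and `ssh` come from the same OpenSSH package; `ssh -V` prints to standard error.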

---

## How to Use

### Step 1: Clone or Download the Script

```
git clone https://github.com/drackyjr/CVE-2020-15778-SCP-Command-Injection-Check.git
cd CVE-2020-15778-SCP-Command-Injection-Check
```

### Step 2: Make the Script Executable

```
chmod +x scp_cve_check.sh
```

### Step 3: Run the Script

```
./scp_cve_check.sh
```

## References

- [CVE Record: CVE-2020-15778](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778)
- [OpenSSH Release Notes](https://www.openssh.com/releasenotes.html)
- [Red Hat](https://access.redhat.com/security/cve/CVE-2020-15778)

File Snapshot

```
[4.0K] /data/pocs/7dd950747f09675e110e36750e4980554c49c381
├── [ 11K] LICENSE
├── [2.3K] README.md
└── [2.3K] scp_cve_check.sh

0 directories, 3 files
```