Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <706988880.998704.1309292560379.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Date: Tue, 28 Jun 2011 16:22:40 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: security@...nel.org
Subject: Re: CVE request: kernel: taskstats/procfs io
 infoleak (was: taskstats authorized_keys presence infoleak PoC)

----- Original Message -----
> 
> It can be used to learn ssh and ftp password length. If privsep is
> enabled in openssh and vsftpd, the unprivileged process' activity very
> precisely shows password information.
> 
> For vsftpd read characters count is strlen("USER username\r\n") +
> strlen("PASSWD pass\r\n") + 1, where 1 is one byte read from a pipe
> related to a privileged parent. If measure statistics between user and
> passwords commands, actual password length and username length can be
> gathered.
> 
> For ssh, vice versa, networking activity is constant in packets length,
> but interprocess communications, specifically passwords, depend on user
> input.
> 
> For ssh pass_len = wchars - CONST, for vsftpd pass_len = rchars -
> CONST.
> 
> Another daemons with more or less constant io activity might be
> vulnerable too. PAM greatly complicates precise measurements.
> 
> 
> I think it needs 2 CVE, one for /proc/PID/io and another for
> taskstats.
> 
> https://lkml.org/lkml/2011/6/24/88
> 

I can't find a nice description of both issues. Can you give me one or two
sentence explanations with a few references for the CVE database?

Once I have those I'll give it two IDs.

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.