|
Message-ID: <51F36FAD.4050601@redhat.com> Date: Sat, 27 Jul 2013 00:58:53 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Sebastian Pipping <sebastian@...ping.org> Subject: Re: CVE request: mysecureshell: local denial of service (or worse) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/25/2013 04:28 AM, Sebastian Pipping wrote: > Hello Kurt, > > > On 25.07.2013 10:33, Kurt Seifried wrote: >> On 07/23/2013 11:19 AM, Sebastian Pipping wrote: >>> mysecureshell [1] is an SFTP-only shell to be used with sshd. >> >>> The latest release 1.31 makes use of shared memory with permissions >>> 666 to maintain 128 slots with one struct for each >>> connection/process. An unprivileged user can mark mark all >>> remaining slots as occupied (and optionally wait for remaining >>> clients to leave to block those slots, too). >> >>> To demonstrate the issue, I have written a small command line >>> tool. It's free software and can be found at [2]. Use it like >>> this: >> >>> # make cc -std=c99 -Wall -Wextra -pedantic local-dos.c -o >>> local-dos >> >>> # ./local-dos USAGE: ./local-dos (block|unblock|show) >> >>> # watch -n 1 -d ./local-dos block [..] >> >>> Besides the local DoS it might be possible to attack the call to >>> chdir, since that is reading from shared memory, too. >> >>> Any ideas on other attacks based on writing to that block of >>> shared memory? File /bin/MySecureShell is mode 4755 setuid root if >>> that makes it more interesting :-) >>> [..] >>> [1] http://mysecureshell.sourceforge.net/ >>> [2] https://github.com/hartwork/mysecureshell-issues >> >> To reiterate: so I can confirm CVE assignments, and prevent duplicate >> assignments you *MUST* provide links to the code commits/vulnerable >> code. I don't have the time to go hunting through your source code for >> them. People need to start making better CVE requests, or you're not >> going to get CVEs from me. >> >> I think if I repeat this enough times it'll work. > > Upstream tarball > ================ > http://mysecureshell.free.fr/repository/index.php/debian/pool/main/m/mysecureshell/mysecureshell_1.31.tar.gz > > > Issue > ===== > Mode 0666 for shared memory, local denial of service > > > Guilty code > =========== > > Online > ~~~~~~ > http://mysecureshell.cvs.sourceforge.net/viewvc/mysecureshell/mysecureshell/SftpServer/SftpWho.c?revision=1.3&view=markup#l73 > > Inlined (from SftpServer/SftpWho.c, lines 73 and after) > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > //try to join to existing shm > if ((shmid = shmget(key, sizeof(t_shm), 0)) == -1) > if (create == 1) > { > shmid = shmget(key, sizeof(t_shm), IPC_CREAT | IPC_EXCL | 0666); > eraze = 1; > } > > > Please let me know if you need anything more. Thanks for your time! > > Best, > > > > Sebastian > Perfect! Please use CVE-2013-4175 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR82+tAAoJEBYNRVNeJnmTdCQQAJvRAEOpCyo314tT6nbIiMu/ VUk2eHeFsqv5H744x+HjySb8CZVPtZ+dWQnF7LCfeDhWerLrt23OlE6mU7QpJX0b BiiOviQlkwAxyE2CDaMiZBO8mwRQc4soXlWQZD/qOASVpWrHpYlyFOH49cYwA0pA 46fbqmY6BKmdlSSQRKfNGjr2kuhFccMut2CxoGlLqbf1frELTtWZNstcYLHLVUCx dXghNVMVbh1Bs4KYbuCogJcyFy6JQHrpmFtAI1tEOqUNsOJJ7EyShMaicPsw05zq PA/d1GJ9GhdzviEOytfLwNlWqZm+yCnsFvcPEC7pclymDj4honeXb1AyY4FrcILM FiHCtg4HmnNM464Zki5EGice3lJ6haBWGdm7V1v/lWP2KIC8mKh13XbQUCj2AvBm Hjl9DShNpo54OI+6B2SSvdBbOBFBSOzb90Ig1i4XbxjaOKxOeB7z2MA14+dHrXCi 3B3vzGFZfIhUYQySmUtwZQYsiPgKHgu7mvrNpB62uaXmBIr6DJTQ6IWGF6yyusp8 uBrCSI6BX8J4nz9AvUmjSZtzTvDlRtXsysmManSKnbZZfndD3AIwVGPqh9qE8YTE Jqvj/O6hol+yHMd6vCwV5YROtxwJbrbXuGxPLPv2o4YFQ6lizSNMYoLKUUIBBq8E XhvjwtqGlsg+sXAmn8UZ =VarJ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.