List: oss-security
Subject: Re: [oss-security] CVE request: mysecureshell: information disclosure (or worse)
From: Sebastian Pipping <sebastian () pipping ! org>
Date: 2013-07-25 9:44:07
Message-ID: 51F0F367.8040105 () pipping ! org
Hello Kurt,
On 25.07.2013 10:33, Kurt Seifried wrote:
> On 07/23/2013 11:17 AM, Sebastian Pipping wrote:
> > mysecureshell [1] is an SFTP-only shell to be used with sshd.
>
> > The latest release 1.31 makes use of shared memory to maintain 128
> > slots with one struct for each connection/process. Access to that
> > block of shared memory is not (or not properly) synchronized, so
> > two or more processes might end up occupying the very same slot
> > when process scheduling wants that to happen. The effective
> > permissions of the process remain untouched, though. So it's
> > logging in as someone else and it isn't.
> >
> > The relevant code from SftpServer/SftpWho.c (lines 106 and after)
> > is:
> >
> > [cut out, same code below]
> >
> > The symptoms of this bug have been reported earlier at [2] by forum
> > user "voleg". To my best knowledge, there is no CVE number
> > assigned yet.
> > [..]
> > [1] http://mysecureshell.sourceforge.net/
> > [2] http://mysecureshell.free.fr/forum/viewtopic.php?id=655
>
>
> To reiterate: so I can confirm CVE assignments, and prevent duplicate
> assignments you *MUST* provide links to the code commits/vulnerable
> code. I don't have the time to go hunting through your source code for
> them. People need to start making better CVE requests, or you're not
> going to get CVEs from me.
Upstream tarball
================
http://mysecureshell.free.fr/repository/index.php/debian/pool/main/m/mysecureshell/mysecureshell_1.31.tar.gz
Issue
=====
Race condition, lack of synchronization, user may end up in another
directory.
Guilty code
===========
Online
~~~~~~
http://mysecureshell.cvs.sourceforge.net/viewvc/mysecureshell/mysecureshell/SftpServer/SftpWho.c?revision=1.3&view=markup#l107
Inlined (from SftpServer/SftpWho.c, lines 107 and after)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  for (i = 0; i < SFTPWHO_MAXCLIENT; i++)
    if (who[i].status == SFTPWHO_EMPTY)
      {
        (void) usleep(100);
        if (who[i].status == SFTPWHO_EMPTY)
          {
            //clean all old infos
            memset(&who[i], 0, sizeof(*who));
            //mark structure as occupied
            who[i].status = SFTPWHO_IDLE;
            return (&who[i]);
          }
      }
Please let me know if you need anything more. Thanks for your time!
Best,
Sebastian
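Added example (not MySecureShell's code and not part of the original mail): a slot table like the one in SftpWho.c, with the check-then-mark claim from the report split into its two observable steps so the losing schedule (every connection scans before any of them marks) can be replayed deterministically, beside a claim that moves the status from empty to idle with one atomic compare-and-swap. MAXCLIENT, the field names and the user strings are assumptions for the demo; the table is a plain array rather than shared memory, since the ordering problem is the same.

```c
/* Added example, not code from MySecureShell. Contrasts a check-then-mark
 * slot claim (racy, as reported) with an atomic compare-and-swap claim.
 * MAXCLIENT, field names and user names are assumptions for the demo. */
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>

#define MAXCLIENT 8   /* demo size; the real table has 128 slots */
enum { SLOT_EMPTY = 0, SLOT_IDLE = 1 };

struct slot  { int status;         char user[16]; };
struct aslot { _Atomic int status; char user[16]; };

static struct slot  who[MAXCLIENT];   /* racy table, as in the report */
static struct aslot awho[MAXCLIENT];  /* table whose status is the ownership token */

/* Step 1 of the racy claim: scan for a free slot (the `status == EMPTY`
 * check; the usleep()+re-check in the original only narrows the window). */
static int racy_find_empty(void)
{
    for (int i = 0; i < MAXCLIENT; i++)
        if (who[i].status == SLOT_EMPTY)
            return i;
    return -1;
}

/* Step 2 of the racy claim: wipe the slot and mark it occupied. Nothing
 * stops another process from running step 1 between these two steps. */
static void racy_mark(int i, const char *user)
{
    memset(&who[i], 0, sizeof who[i]);
    who[i].status = SLOT_IDLE;
    strncpy(who[i].user, user, sizeof who[i].user - 1);
}

/* Fixed claim: EMPTY -> IDLE happens in one atomic compare-and-swap, so only
 * one caller can win a given slot; a loser moves on to the next one. The
 * remaining fields are written by the winner after it owns the slot. */
static int atomic_claim(const char *user)
{
    for (int i = 0; i < MAXCLIENT; i++) {
        int expected = SLOT_EMPTY;
        if (atomic_compare_exchange_strong(&awho[i].status, &expected, SLOT_IDLE)) {
            memset(awho[i].user, 0, sizeof awho[i].user);
            strncpy(awho[i].user, user, sizeof awho[i].user - 1);
            return i;
        }
    }
    return -1;   /* table full */
}

static void reset_tables(void)
{
    memset(who, 0, sizeof who);
    for (int i = 0; i < MAXCLIENT; i++) {
        atomic_store(&awho[i].status, SLOT_EMPTY);
        memset(awho[i].user, 0, sizeof awho[i].user);
    }
}

/* Replays the losing schedule for n connections (n <= MAXCLIENT): all of
 * them get through the scan before any of them marks. Returns how many
 * slots ended up occupied; 1 means every connection landed in slot 0. */
static int racy_distinct_slots(int n)
{
    int picked[MAXCLIENT];
    reset_tables();
    for (int c = 0; c < n; c++)
        picked[c] = racy_find_empty();                   /* all see slot 0 */
    for (int c = 0; c < n; c++)
        racy_mark(picked[c], c % 2 ? "bob" : "alice");   /* last writer wins */
    int occupied = 0;
    for (int i = 0; i < MAXCLIENT; i++)
        occupied += (who[i].status == SLOT_IDLE);
    return occupied;
}

/* The same n connections through the CAS claim. The scan and the mark are
 * one instruction here, so no schedule can separate them; every connection
 * gets its own slot, or -1 is returned once the table is full. */
static int atomic_distinct_slots(int n)
{
    reset_tables();
    for (int c = 0; c < n; c++)
        if (atomic_claim(c % 2 ? "bob" : "alice") < 0)
            return -1;
    int occupied = 0;
    for (int i = 0; i < MAXCLIENT; i++)
        occupied += (atomic_load(&awho[i].status) == SLOT_IDLE);
    return occupied;
}

int main(void)
{
    printf("racy claim, 4 connections: %d slot(s) occupied\n", racy_distinct_slots(4));
    printf("CAS claim, 4 connections: %d slot(s) occupied\n", atomic_distinct_slots(4));
    return 0;
}
```

The racy replay returns 1 for four connections: each of them believes it owns slot 0, and the last memset()/mark wipes whatever the earlier ones recorded, which is the symptom in the report. With the compare-and-swap claim the same four connections occupy four slots. For the real shared-memory table the same pattern applies with the status field declared atomic (or a process-shared lock taken around scan and mark); the double check with usleep() does not close the window, it only makes the collision rarer.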