
List:       oss-security
Subject:    Re: [oss-security] CVE request: mysecureshell: information disclosure (or worse)
From:       Sebastian Pipping <sebastian () pipping ! org>
Date:       2013-07-25 9:44:07
Message-ID: 51F0F367.8040105 () pipping ! org

Hello Kurt,


On 25.07.2013 10:33, Kurt Seifried wrote:
> On 07/23/2013 11:17 AM, Sebastian Pipping wrote:
> > mysecureshell [1] is an SFTP-only shell to be used with sshd.
> 
> > The latest release 1.31 makes use of shared memory to maintain 128
> > slots with one struct for each connection/process. Access to that
> > block of shared memory is not (or not properly) synchronized, so
> > two or more processes might end up occupying the very same slot
> > when process scheduling wants that to happen.  The effective 
> > permissions of the process remain untouched, though.  So it's
> > logging in as someone else and it isn't.
> > 
> > The relevant code from SftpServer/SftpWho.c (lines 106 and after)
> > is:
> > 
> > [cut out, same code below]
> > 
> > The symptoms of this bug have been reported earlier at [2] by forum
> > user "voleg".  To my best knowledge, there is no CVE number
> > assigned yet.
> > [..]
> > [1] http://mysecureshell.sourceforge.net/
> > [2] http://mysecureshell.free.fr/forum/viewtopic.php?id=655
> 
> 
> To reiterate: so I can confirm CVE assignments, and prevent duplicate
> assignments you *MUST* provide links to the code commits/vulnerable
> code. I don't have the time to go hunting through your source code for
> them. People need to start making better CVE requests, or you're not
> going to get CVEs from me.

Upstream tarball
================
http://mysecureshell.free.fr/repository/index.php/debian/pool/main/m/mysecureshell/mysecureshell_1.31.tar.gz



Issue
=====
Race condition, lack of synchronization, user may end up in another
directory.


Guilty code
===========

Online
~~~~~~
http://mysecureshell.cvs.sourceforge.net/viewvc/mysecureshell/mysecureshell/SftpServer/SftpWho.c?revision=1.3&view=markup#l107


Inlined (from SftpServer/SftpWho.c, lines 107 and after)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
for (i = 0; i < SFTPWHO_MAXCLIENT; i++)
    if (who[i].status == SFTPWHO_EMPTY)
    {
        (void) usleep(100);
        /* re-checking after a sleep does not make the check and the claim
           below atomic: another process can pass the same check in between */
        if (who[i].status == SFTPWHO_EMPTY)
        {
            //clean all old info
            memset(&who[i], 0, sizeof(*who));
            //mark structure as occupied
            who[i].status = SFTPWHO_IDLE;
            return (&who[i]);
        }
    }
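As an added example (not upstream's code), the check-then-set shape from the snippet above is split into its two halves so the reported interleaving can be replayed deterministically, next to a hardened allocator that claims a slot with a compare-and-swap on the status word; the struct fields, function names and the fork/mmap harness are assumptions.

```c
#define _GNU_SOURCE
#include <stdatomic.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#define SFTPWHO_MAXCLIENT 128
enum { SFTPWHO_EMPTY = 0, SFTPWHO_IDLE = 1 };
typedef struct { _Atomic int status; pid_t pid; } t_sftpwho; /* stand-in for upstream's struct, fields hypothetical */
/* Upstream shape with its two halves exposed: check and take are separate steps, so another process
 * can run in between. The original's usleep(100) plus re-check does not close that window, it only moves it. */
static int racy_find_empty(t_sftpwho *who) {
    for (int i = 0; i < SFTPWHO_MAXCLIENT; i++)
        if (who[i].status == SFTPWHO_EMPTY) return i;
    return -1;
}
static void racy_take(t_sftpwho *who, int i) { who[i].pid = getpid(); who[i].status = SFTPWHO_IDLE; }
/* Replays the interleaving from the report: both processes pass the check before either writes. */
int demo_racy_collision(void) {
    t_sftpwho who[SFTPWHO_MAXCLIENT] = {0};
    int a = racy_find_empty(who), b = racy_find_empty(who); /* A, then B during A's sleep: both see slot 0 */
    racy_take(who, a);
    racy_take(who, b);
    return a == b; /* 1: two sessions now share one slot */
}
/* Hardened: compare-and-swap makes check and claim one atomic step. Clear other fields only after
 * winning, never memset status (that drops the claim). Cross-process needs MAP_SHARED memory and a lock-free atomic. */
static int claim_cas(t_sftpwho *who) {
    for (int i = 0; i < SFTPWHO_MAXCLIENT; i++) {
        int expected = SFTPWHO_EMPTY;
        if (atomic_compare_exchange_strong(&who[i].status, &expected, SFTPWHO_IDLE)) {
            who[i].pid = getpid(); return i;
        }
    }
    return -1;
}
/* Fork n children racing on one shared table, as sshd-spawned sessions would; each reports its slot
 * through its exit status. Returns 1 iff every child ended up in a distinct slot. */
int demo_cas_distinct(int n) {
    t_sftpwho *who = mmap(NULL, sizeof(t_sftpwho) * SFTPWHO_MAXCLIENT, PROT_READ | PROT_WRITE,
                          MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (who == MAP_FAILED || n > SFTPWHO_MAXCLIENT) return 0;
    int seen[SFTPWHO_MAXCLIENT] = {0}, ok = 1, st;
    for (int k = 0; k < n; k++)
        if (fork() == 0) _exit(claim_cas(who));
    for (int k = 0; k < n; k++) {
        if (wait(&st) < 0 || !WIFEXITED(st)) { ok = 0; continue; }
        int s = WEXITSTATUS(st);
        if (s >= n || seen[s]++) ok = 0; /* 255 = claim failed, or a duplicate slot */
    }
    munmap(who, sizeof(t_sftpwho) * SFTPWHO_MAXCLIENT);
    return ok;
}
```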


Please let me know if you need anything more.  Thanks for your time!

Best,



Sebastian

