List:       oss-security
Subject:    Re: [oss-security] CVE request: mysecureshell: local denial of service (or worse)
From:       Sebastian Pipping <sebastian () pipping ! org>
Date:       2013-07-25 10:28:53
Message-ID: 51F0FDE5.9010006 () pipping ! org
Hello Kurt,


On 25.07.2013 10:33, Kurt Seifried wrote:
> On 07/23/2013 11:19 AM, Sebastian Pipping wrote:
> > mysecureshell [1] is an SFTP-only shell to be used with sshd.
> 
> > The latest release 1.31 makes use of shared memory with permissions
> > 666 to maintain 128 slots with one struct for each
> > connection/process. An unprivileged user can mark all
> > remaining slots as occupied (and optionally wait for remaining
> > clients to leave to block those slots, too).
> 
> > To demonstrate the issue, I have written a small command line
> > tool. It's free software and can be found at [2].  Use it like
> > this:
> 
> > # make
> > cc -std=c99 -Wall -Wextra -pedantic local-dos.c -o local-dos
> > 
> > # ./local-dos
> > USAGE: ./local-dos (block|unblock|show)
> > 
> > # watch -n 1 -d ./local-dos block
> > [..]
> 
> > Besides the local DoS it might be possible to attack the call to
> > chdir, since that is reading from shared memory, too.
> 
> > Any ideas on other attacks based on writing to that block of
> > shared memory?  File /bin/MySecureShell is mode 4755 setuid root if
> > that makes it more interesting :-)
> > [..]
> > [1] http://mysecureshell.sourceforge.net/
> > [2] https://github.com/hartwork/mysecureshell-issues
> 
> To reiterate: so I can confirm CVE assignments, and prevent duplicate
> assignments you *MUST* provide links to the code commits/vulnerable
> code. I don't have the time to go hunting through your source code for
> them. People need to start making better CVE requests, or you're not
> going to get CVEs from me.
> 
> I think if I repeat this enough times it'll work.

Upstream tarball
================
http://mysecureshell.free.fr/repository/index.php/debian/pool/main/m/mysecureshell/mysecureshell_1.31.tar.gz



Issue
=====
Mode 0666 for shared memory, local denial of service


Guilty code
===========

Online
~~~~~~
http://mysecureshell.cvs.sourceforge.net/viewvc/mysecureshell/mysecureshell/SftpServer/SftpWho.c?revision=1.3&view=markup#l73


Inlined (from SftpServer/SftpWho.c, lines 73 and after)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
//try to join to existing shm
if ((shmid = shmget(key, sizeof(t_shm), 0)) == -1)
  if (create == 1)
    {
      shmid = shmget(key, sizeof(t_shm), IPC_CREAT | IPC_EXCL | 0666);
      eraze = 1;
    }


Please let me know if you need anything more.  Thanks for your time!

Best,



Sebastian

