List: oss-security
Subject: Re: [oss-security] CVE request: mysecureshell: local denial of service (or worse)
From: Sebastian Pipping <sebastian () pipping ! org>
Date: 2013-07-25 10:28:53
Message-ID: 51F0FDE5.9010006 () pipping ! org
Hello Kurt,
On 25.07.2013 10:33, Kurt Seifried wrote:
> On 07/23/2013 11:19 AM, Sebastian Pipping wrote:
> > mysecureshell [1] is an SFTP-only shell to be used with sshd.
>
> > The latest release 1.31 makes use of shared memory with permissions
> > 666 to maintain 128 slots with one struct for each
> > connection/process. An unprivileged user can mark all
> > remaining slots as occupied (and optionally wait for remaining
> > clients to leave to block those slots, too).
>
> > To demonstrate the issue, I have written a small command line
> > tool. It's free software and can be found at [2]. Use it like
> > this:
>
> > # make
> > cc -std=c99 -Wall -Wextra -pedantic local-dos.c -o local-dos
>
> > # ./local-dos
> > USAGE: ./local-dos (block|unblock|show)
>
> > # watch -n 1 -d ./local-dos block
> > [..]
>
> > Besides the local DoS it might be possible to attack the call to
> > chdir, since that is reading from shared memory, too.
>
> > Any ideas on other attacks based on writing to that block of
> > shared memory? File /bin/MySecureShell is mode 4755 setuid root if
> > that makes it more interesting :-)
> > [..]
> > [1] http://mysecureshell.sourceforge.net/
> > [2] https://github.com/hartwork/mysecureshell-issues
>
> To reiterate: so I can confirm CVE assignments, and prevent duplicate
> assignments you *MUST* provide links to the code commits/vulnerable
> code. I don't have the time to go hunting through your source code for
> them. People need to start making better CVE requests, or you're not
> going to get CVEs from me.
>
> I think if I repeat this enough times it'll work.
Upstream tarball
================
http://mysecureshell.free.fr/repository/index.php/debian/pool/main/m/mysecureshell/mysecureshell_1.31.tar.gz
Issue
=====
Mode 0666 for shared memory, local denial of service
Guilty code
===========
Online
~~~~~~
http://mysecureshell.cvs.sourceforge.net/viewvc/mysecureshell/mysecureshell/SftpServer/SftpWho.c?revision=1.3&view=markup#l73
Inlined (from SftpServer/SftpWho.c, lines 73 and after)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    //try to join to existing shm
    if ((shmid = shmget(key, sizeof(t_shm), 0)) == -1)
        if (create == 1)
        {
            shmid = shmget(key, sizeof(t_shm), IPC_CREAT | IPC_EXCL | 0666);
            eraze = 1;
        }
Please let me know if you need anything more. Thanks for your time!
Best,
Sebastian
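Added example (not code from mysecureshell or from the post above): the world-writable shmget() pattern quoted from SftpWho.c placed next to a hardened variant that creates the segment owner-only and, when a segment already exists under the key, checks its owner, mode bits and size before trusting it. The slot layout (t_slot/t_shm), the helper names and the demo key are assumptions; only the 0666 mode and the 128-slot count come from the report.

```c
/* Added example, not code from mysecureshell or from the post above: the
 * world-writable shmget() pattern from SftpWho.c next to a hardened variant.
 * The slot layout (t_slot/t_shm) and the demo key are assumptions; only the
 * 0666 mode and the 128-slot count come from the report. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <unistd.h>

#define SLOTS 128                       /* slot count stated in the report */

typedef struct { int used; pid_t pid; } t_slot;   /* hypothetical slot record */
typedef struct { t_slot slots[SLOTS]; } t_shm;    /* hypothetical segment layout */

/* Pure policy checks, kept free of kernel calls so they can be unit-tested. */

/* 1 if the IPC mode bits let every local user write to the segment. */
int mode_is_world_writable(unsigned mode)
{
    return (mode & 0002) ? 1 : 0;
}

/* 1 if an existing segment may be trusted: created by the expected uid,
 * not writable by group or others, and large enough for t_shm. */
int perm_acceptable(uid_t uid, unsigned mode, size_t segsz,
                    uid_t expected_owner, size_t expected_size)
{
    if (uid != expected_owner) return 0;   /* someone else created it under our key */
    if (mode & 0022)           return 0;   /* group/other can write into our slots */
    if (segsz < expected_size) return 0;   /* too small: reading t_shm would overrun */
    return 1;
}

/* Weak pattern (as in SftpWho.c): join if present, else create with 0666. */
int attach_worldwritable(key_t key, int create)
{
    int shmid = shmget(key, sizeof(t_shm), 0);
    if (shmid == -1 && create)
        shmid = shmget(key, sizeof(t_shm), IPC_CREAT | IPC_EXCL | 0666);
    return shmid;
}

/* Hardened: create owner-only, and verify a pre-existing segment before use. */
int attach_hardened(key_t key, int create, uid_t expected_owner)
{
    struct shmid_ds ds;
    int shmid = shmget(key, sizeof(t_shm), 0);
    if (shmid == -1)
        return create ? shmget(key, sizeof(t_shm), IPC_CREAT | IPC_EXCL | 0600) : -1;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    if (!perm_acceptable(ds.shm_perm.uid, ds.shm_perm.mode, ds.shm_segsz,
                         expected_owner, sizeof(t_shm)))
        return -1;                          /* refuse to trust it; caller should log */
    return shmid;
}

/* Audit helper: 1 if a live segment is world-writable, 0 if not, -1 on error. */
int segment_is_world_writable(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1) return -1;
    return mode_is_world_writable(ds.shm_perm.mode);
}

int main(void)
{
    /* Constructed demo key; the key mysecureshell actually uses is not shown here. */
    key_t key = (key_t)(0x4d530000 | (getpid() & 0xffff));

    int weak = attach_worldwritable(key, 1);
    printf("0666 segment world-writable: %d\n",
           weak == -1 ? -1 : segment_is_world_writable(weak));
    if (weak != -1) shmctl(weak, IPC_RMID, NULL);

    int strong = attach_hardened(key, 1, getuid());
    printf("0600 segment world-writable: %d\n",
           strong == -1 ? -1 : segment_is_world_writable(strong));
    if (strong != -1) shmctl(strong, IPC_RMID, NULL);
    return 0;
}
```

The owner and size checks matter because a process that first tries to join an existing segment under a fixed key has to decide whether that segment is its own; with 0600 alone an unrelated segment under the same key would still be joined, and the size check keeps reads of t_shm inside the mapping. segment_is_world_writable() is the check an administrator can run (the same IPC_STAT data ipcs prints) to confirm a deployed build no longer exposes a 0666 segment.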