
List:       oss-security
Subject:    Re: [oss-security] CVE request: mysecureshell: local denial of service (or worse)
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-07-27 6:58:53
Message-ID: 51F36FAD.4050601 () redhat ! com


On 07/25/2013 04:28 AM, Sebastian Pipping wrote:
> Hello Kurt,
> 
> 
> On 25.07.2013 10:33, Kurt Seifried wrote:
> > On 07/23/2013 11:19 AM, Sebastian Pipping wrote:
> > > mysecureshell [1] is an SFTP-only shell to be used with sshd.
> > 
> > > The latest release 1.31 makes use of shared memory with permissions
> > > 666 to maintain 128 slots with one struct for each
> > > connection/process. An unprivileged user can mark all
> > > remaining slots as occupied (and optionally wait for remaining
> > > clients to leave to block those slots, too).
> > 
> > > To demonstrate the issue, I have written a small command line
> > > tool. It's free software and can be found at [2].  Use it like
> > > this:
> > 
> > > # make
> > > cc -std=c99 -Wall -Wextra -pedantic local-dos.c -o local-dos
> > 
> > > # ./local-dos
> > > USAGE: ./local-dos (block|unblock|show)
> > 
> > > # watch -n 1 -d ./local-dos block
> > > [..]
> > 
> > > Besides the local DoS it might be possible to attack the call to
> > > chdir, since that is reading from shared memory, too.
> > 
> > > Any ideas on other attacks based on writing to that block of
> > > shared memory?  File /bin/MySecureShell is mode 4755 setuid root if
> > > that makes it more interesting :-)
> > > [..]
> > > [1] http://mysecureshell.sourceforge.net/
> > > [2] https://github.com/hartwork/mysecureshell-issues
> > 
> > To reiterate: so I can confirm CVE assignments, and prevent duplicate
> > assignments you *MUST* provide links to the code commits/vulnerable
> > code. I don't have the time to go hunting through your source code for
> > them. People need to start making better CVE requests, or you're not
> > going to get CVEs from me.
> > 
> > I think if I repeat this enough times it'll work.
> 
> Upstream tarball
> ================
> http://mysecureshell.free.fr/repository/index.php/debian/pool/main/m/mysecureshell/mysecureshell_1.31.tar.gz
>  
> 
> Issue
> =====
> Mode 0666 for shared memory, local denial of service
> 
> 
> Guilty code
> ===========
> 
> Online
> ~~~~~~
> http://mysecureshell.cvs.sourceforge.net/viewvc/mysecureshell/mysecureshell/SftpServer/SftpWho.c?revision=1.3&view=markup#l73
>  
> Inlined  (from SftpServer/SftpWho.c, lines 73 and after)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> //try to join to existing shm
> if ((shmid = shmget(key, sizeof(t_shm), 0)) == -1)
>   if (create == 1)
>     {
>       /* 0666: the segment is readable and writable by every local user */
>       shmid = shmget(key, sizeof(t_shm), IPC_CREAT | IPC_EXCL | 0666);
>       eraze = 1;
>     }
> 
> 
> Please let me know if you need anything more.  Thanks for your time!
> 
> Best,
> 
> 
> 
> Sebastian
> 

Perfect! Please use CVE-2013-4175 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
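A hardened form of the join-or-create pattern quoted above, added here as an example (this is not mysecureshell's code): the segment is created owner-only with IPC_EXCL, and shmctl(IPC_STAT) verifies owner and mode before the segment is trusted, so a segment created by another local user under the same key is refused. t_shm is a stand-in for the real struct and the key 0x4d795353 is constructed for the demo.

```c
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>
#include <unistd.h>

typedef struct { int slots[128]; } t_shm;   /* stand-in for mysecureshell's t_shm */
/* 1 if group or others may write to the segment, 0 if not, -1 on shmctl error. */
int shm_world_writable(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    return (ds.shm_perm.mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}

/* Join the segment under key or create it owner-only (0600, IPC_EXCL), then
 * refuse it unless we own it and nobody else may write to it (-1 if refused). */
int join_or_create_checked(key_t key)
{
    struct shmid_ds ds;
    int shmid = shmget(key, sizeof(t_shm), 0);
    if (shmid == -1)
        shmid = shmget(key, sizeof(t_shm), IPC_CREAT | IPC_EXCL | 0600);
    if (shmid == -1 || shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    if (ds.shm_perm.uid != geteuid() || (ds.shm_perm.mode & (S_IWGRP | S_IWOTH)))
        return -1;
    return shmid;
}
/* Create a throwaway private segment with the given mode, report whether others
 * may write to it, then remove it. Contrasts the reported 0666 with 0600. */
int mode_is_world_writable(int mode)
{
    int shmid = shmget(IPC_PRIVATE, sizeof(t_shm), IPC_CREAT | mode);
    if (shmid == -1)
        return -1;
    int r = shm_world_writable(shmid);
    shmctl(shmid, IPC_RMID, NULL);
    return r;
}

int main(void)
{
    printf("0666 world-writable: %d\n", mode_is_world_writable(0666));   /* 1 */
    printf("0600 world-writable: %d\n", mode_is_world_writable(0600));   /* 0 */
    int id = join_or_create_checked(0x4d795353);   /* constructed key, not the real one */
    printf("checked segment: %s\n", id == -1 ? "refused" : "ok");
    if (id != -1) shmctl(id, IPC_RMID, NULL);      /* clean up the demo segment */
    return 0;
}
```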

