Date: Wed, 29 Jun 2011 14:00:08 +0800
From: Eugene Teo <eugeneteo@...nel.org>
To: oss-security@...ts.openwall.com
CC: Josh Bressers <bressers@...hat.com>
Subject: Re: CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC)

On 06/29/2011 04:22 AM, Josh Bressers wrote:
> ----- Original Message -----
>>
>> It can be used to learn ssh and ftp password length. If privsep is
>> enabled in openssh and vsftpd, the unprivileged process' activity very
>> precisely shows password information.
>>
>> For vsftpd the read character count is strlen("USER username\r\n") +
>> strlen("PASSWD pass\r\n") + 1, where 1 is one byte read from a pipe
>> related to a privileged parent. If one measures statistics between the user and
>> password commands, the actual password length and username length can be
>> gathered.
>>
>> For ssh, vice versa, networking activity is constant in packets length,
>> but interprocess communications, specifically passwords, depend on user
>> input.
>>
>> For ssh pass_len = wchars - CONST, for vsftpd pass_len = rchars -
>> CONST.
>>
>> Other daemons with more or less constant io activity might be
>> vulnerable too. PAM greatly complicates precise measurements.
>>
>>
>> I think it needs 2 CVE, one for /proc/PID/io and another for
>> taskstats.
>>
>> https://lkml.org/lkml/2011/6/24/88
>>
> 
> I can't find a nice description of both issues. Can you give me one or two
> sentence explanations with a few references for the CVE database?
> 
> Once I have those I'll give it two IDs.

I have assigned the CVE names for these two issues.

Thanks, Eugene
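An added example, not part of the thread and not kernel or distribution code: a small audit helper that parses /proc/PID/io counters and reports processes of other users whose io file an unprivileged caller can still read, which is the exposure the quoted message describes. The sample io text and the helper names are constructed for illustration.

```python
"""Audit helper for the /proc/PID/io exposure discussed in this thread."""
import os

# Constructed sample of a /proc/PID/io file (not captured from a real host).
SAMPLE_IO = """rchar: 3421
wchar: 1120
syscr: 41
syscw: 12
read_bytes: 0
write_bytes: 4096
cancelled_write_bytes: 0
"""


def parse_proc_io(text):
    """Parse the 'key: value' lines of /proc/PID/io into a dict of ints."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip().isdigit():
            stats[key.strip()] = int(value)
    return stats


def find_cross_uid_readable_io(proc="/proc"):
    """Return (pid, owner_uid, rchar, wchar) for processes owned by another
    uid whose io counters the caller can read.

    Run as an unprivileged user: on a kernel that restricts /proc/PID/io the
    open() fails with EACCES and the list stays empty; root can always read,
    so the check is skipped for uid 0."""
    my_uid = os.getuid()
    exposed = []
    if my_uid == 0:
        return exposed
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        path = os.path.join(proc, pid)
        try:
            owner = os.stat(path).st_uid
            if owner == my_uid:
                continue
            with open(os.path.join(path, "io")) as f:
                stats = parse_proc_io(f.read())
        except OSError:
            continue  # process gone or access denied (the desired outcome)
        exposed.append((int(pid), owner, stats.get("rchar"), stats.get("wchar")))
    return exposed


if __name__ == "__main__":
    for entry in find_cross_uid_readable_io():
        print("readable io counters of another user's process:", entry)
```

An empty result from an unprivileged shell means the cross-user io counters are not exposed; any entry is a process whose read/write character counts a local user can sample.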
