Date: Wed, 29 Jun 2011 21:21:52 +0400 From: Vasiliy Kulikov <segoon@...nwall.com> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Andrew Morton <akpm@...ux-foundation.org>, oss-security@...ts.openwall.com, security@...nel.org Subject: Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) On Wed, Jun 29, 2011 at 17:10 +0400, Vasiliy Kulikov wrote: > On Wed, Jun 29, 2011 at 15:11 +0400, Vasiliy Kulikov wrote: > > 2) as you say here: > > > > READ = CONST + SENSITIVE + CONTROLLABLE > > > > If CONST is known and CONTROLLABLE is controlled by an attacker then he > > may find C1 and C1+1 generating X kb - 1 and (X+1) kb traffic, > > (X+1) kb - 1 and (X+1) kb of course, they are rounded to X and X+1 kbs, > respectively. OK, what I've explored: For the same ssh if try to log and send pubkey/password auth requests: read = C1 + (C2 + X)*A + C3*B where 1 <= A+B <= 6, 0 < A, 0 <= B A - number of pubkey requests B - number of password requests C1, C2, C3 - system dependant constants Trying all possible pairs (A,B) I get a set of rounded read_characters. Comparing it with generated table of all possible lengthes and possible inputs (A,B) I learn an interval of possible authorized_keys files sizes. For my system I can learn privkey length because for all possible key len values (768, 1024, 2048) the intervals are different. So, with rounded read_characters value it's possible to learn privkey length. Not a password length, but already something. -- Vasiliy Kulikov http://www.openwall.com - bringing security into open computing environments
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ