Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 27 Jul 2013 00:59:11 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Sebastian Pipping <sebastian@...ping.org>
Subject: Re: CVE request: mysecureshell: information disclosure
 (or worse)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/25/2013 03:44 AM, Sebastian Pipping wrote:
> Hello Kurt,
> 
> 
> On 25.07.2013 10:33, Kurt Seifried wrote:
>> On 07/23/2013 11:17 AM, Sebastian Pipping wrote:
>>> mysecureshell [1] is an SFTP-only shell to be used with sshd.
>> 
>>> The latest release 1.31 makes use of shared memory to maintain
>>> 128 slots with one struct for each connection/process. Access
>>> to that block of shared memory is not (or not properly)
>>> synchronized, so two or more processes might end up occupying
>>> the very same slot when process scheduling wants that to
>>> happen.  The effective permissions of the process remain
>>> untouched, though.  So it's logging in as someone else and it
>>> isn't.
>>> 
>>> The relevant code from SftpServer/SftpWho.c (lines 106 and
>>> after) is:
>>> 
>>> [cut out, same code below]
>>> 
>>> The symptoms of this bug have been reported earlier at [2] by
>>> forum user "voleg".  To my best knowledge, there is no CVE
>>> number assigned yet. [..] [1]
>>> http://mysecureshell.sourceforge.net/ [2]
>>> http://mysecureshell.free.fr/forum/viewtopic.php?id=655
>> 
>> 
>> To reiterate: so I can confirm CVE assignments, and prevent
>> duplicate assignments you *MUST* provide links to the code
>> commits/vulnerable code. I don't have the time to go hunting
>> through your source code for them. People need to start making
>> better CVE requests, or you're not going to get CVEs from me.
> 
> Upstream tarball ================ 
> http://mysecureshell.free.fr/repository/index.php/debian/pool/main/m/mysecureshell/mysecureshell_1.31.tar.gz
>
> 
> 
> Issue ===== Race condition, lack of synchronization, user may end
> up in another directory.
> 
> 
> Guilty code ===========
> 
> Online ~~~~~~ 
> http://mysecureshell.cvs.sourceforge.net/viewvc/mysecureshell/mysecureshell/SftpServer/SftpWho.c?revision=1.3&view=markup#l107
>
>  Inlined  (from SftpServer/SftpWho.c, lines 107 and after) 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ for (i =
> 0; i < SFTPWHO_MAXCLIENT; i++) if (who[i].status == SFTPWHO_EMPTY) 
> { (void) usleep(100); if (who[i].status == SFTPWHO_EMPTY) { //clean
> all old infos memset(&who[i], 0, sizeof(*who)); //marked structure
> as occuped who[i].status = SFTPWHO_IDLE; return (&who[i]); } }
> 
> 
> Please let me know if you need anything more.  Thanks for your
> time!
> 
> Best,
> 
> 
> 
> Sebastian
> 

Perfect! Please use CVE-2013-4176 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR82+/AAoJEBYNRVNeJnmThkMP/jWgKyNVGCxwpmRDg5SRVcl6
J1kxIYH3CZeANoy7HWqaABq4S+qLTImsfT/6/THUPEUqnN4sEzOKabwp0EDdt7xR
R6nCEgo9Nsju5dHwe5dpJJDS3vWw5pu/KdLtTZ5ynmIvhsgW6Cu7vFMbOkOH5qgL
3jUtilE2bZPoC/ifY7RljgO0OL2IvYqYP80du+iLBPMWLKxr376Smhdd6uvXxHAC
U/tExCZs6LWJkH+1VPP7dywEBN95PY7XdEbKyBKAYtGiu+GH0mR1KtsbthGYio6U
xZn5xZdDH8HBUkVeZLAknFUnNpdKYqOeVXieXhXDg6STFNDRsRKcx6iqRY+FlSwd
YBRhnNcVS8Bsc3HeK1RIxX6rOQkM7e7cUlkJVUm4+zhm9xb31LOiy1hEi8yXbNTb
Exu30w0yxWCEdiyLiy45jGlBBQXEQMC3PkGBdcx8Fla2cthI0Pa+OWUOluYvCurV
oJGSf5bQsEVlL8ZU2zoyEt1OKb1zMoyEtgMFxwFNnCAvwcLZHlq1J4bh1I8wMMNs
Je3Es+xNVa2BAF1VuYvGcxbGLR4HYoS3krOB15wmHWydekH0DeLqSFQBARc/vGjE
eUj2fjTVZuQR3smund8XdpYKejxeO00CifJA0R8t+YlmRTP+ouDgKzrddLrmAOPS
bMNGh6fOM8PtCqo8N8Is
=yM09
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.