Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 12 Jul 2017 10:43:50 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-11171: gnome-session: Bad reference counting in the context
 of accept_ice_connection() in gsm-xsmp-server.c

Affected package: gnome-session
Affected versions: < 2.29.92

Bad reference counting in the context of accept_ice_connection() in
gsm-xsmp-server.c in old versions of gnome-session up until version
2.29.92 allows a local attacker to establish ICE connections to
gnome-session with invalid authentication data (an invalid magic
cookie). Each failed authentication attempt will leak a file descriptor
in gnome-session.

When the maximum number of file descriptors is exhausted in the
gnome-session process, it will enter an infinite loop trying to
communicate without success, consuming 100% of the CPU. The graphical
session associated with the gnome-session process will stop working
correctly, because communication with gnome-session is no longer
possible.

This was fixed with the following commit:

https://github.com/GNOME/gnome-session/commit/b0dc999e0b45355314616321dbb6cb71e729fc9d

The problem seems to be that upon connection establishment
gms_store_add() is called, but not gsm_store_remove(), even if the
authentication of the ICE connection fails.

You can find a proof of concept program attached.

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11171
https://bugzilla.suse.com/show_bug.cgi?id=1048274

Regards

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290

SUSE Linux GmbH 
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)

View attachment "ice_dos.c" of type "text/x-c" (3493 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ