oss-sec mailing list archives

Re: CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due improper parsing of terminal parameters in terminal dispatcher

From: Keith Winstein <keithw () MIT EDU>
Date: Tue, 22 May 2012 15:29:17 -0400 (EDT)

Hello,

I am the author of Mosh, and somebody pointed me to your CVE request:http://seclists.org/oss-sec/2012/q2/370

I have not been part of this process before -- do we (the upstream) have arole here?

I don't want to butt in inappropriately, but I also don't want it to seem(by our silence) like we agree with the description in the CVE request.

The writeup is not accurate. We're grateful for the bug report by TimoJuhani Lindfors, but to say "issue confirmed by mosh upstream" makes itsound like we confirm _this_ issue.

We have written about this issue in the URL linked from the request:https://github.com/keithw/mosh/issues/271

In general, the application sending ANSI escape sequences is a trustedparty. It is allowed to do things like disable the user's keyboard bysending "\e[2h", which is interpreted by xterm and Terminal.app.

That's a DoS as well, but (like this one) it's not really a securityvulnerability. Because ANSI escape sequences can do arbitrary things tothe user's terminal, programs that allow untrusted user-to-usercommunication (including write(1), wall(1), and e-mail and newsgroupreaders) need to filter these out.


Here's my suggested text for the issue description:

===

Mosh versions 1.2 and earlier allow an application to cause themosh-server to consume large amounts of CPU time with a short ANSI escapesequence. In addition, a malicious mosh-server can cause the mosh-clientto consume large amounts of CPU time with a short ANSI escape sequence.This arises because there was no limit on the value of the "repeat"parameter in some ANSI escape sequences, so even large and nonsensicalvalues would be interpreted by Mosh's terminal emulator.

===

This gets away from the suggestion that the problem relates to "improperparsing" or the "count of parameters" (it's about wanting a limit on the_value_ of parameters so the terminal emulator doesn't do huge amounts ofwork to execute a very short sequence), or to data coming from "a remoteattacker."


Best regards,
Keith

Current thread:

CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due improper parsing of terminal parameters in terminal dispatcher Jan Lieskovsky (May 22)
- Re: CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due improper parsing of terminal parameters in terminal dispatcher Kurt Seifried (May 22)
  - Re: CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due improper parsing of terminal parameters in terminal dispatcher Stefan Cornelius (Jun 15)
    - Re: CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due improper parsing of terminal parameters in terminal dispatcher Kurt Seifried (Jun 15)
- Re: CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due improper parsing of terminal parameters in terminal dispatcher Behdad Esfahbod (May 23)
- <Possible follow-ups>
- Re: CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due improper parsing of terminal parameters in terminal dispatcher Keith Winstein (May 22)
  - Re: Re: CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due improper parsing of terminal parameters in terminal dispatcher Kurt Seifried (May 22)