oss-sec mailing list archives
CVE request: mysecureshell: information disclosure (or worse)
From: Sebastian Pipping <sebastian () pipping org>
Date: Tue, 23 Jul 2013 19:17:29 +0200
Hello everyone,
mysecureshell [1] is an SFTP-only shell to be used with sshd.
The latest release 1.31 makes use of shared memory to maintain 128 slots
with one struct for each connection/process.
Access to that block of shared memory is not (or not properly)
synchronized, so two or more processes might end up occupying the very
same slot when process scheduling wants that to happen. The effective
permissions of the process remain untouched, though. So it's logging in
as someone else and it isn't.
The relevant code from SftpServer/SftpWho.c (lines 106 and after) is:
for (i = 0; i < SFTPWHO_MAXCLIENT; i++)
if (who[i].status == SFTPWHO_EMPTY)
{
(void) usleep(100);
if (who[i].status == SFTPWHO_EMPTY)
{
//clean all old infos
memset(&who[i], 0, sizeof(*who));
//marked structure as occuped :)
who[i].status = SFTPWHO_IDLE;
return (&who[i]);
}
}
The symptoms of this bug have been reported earlier at [2] by forum user
"voleg". To my best knowledge, there is no CVE number assigned yet.
Best,
Sebastian
[1] http://mysecureshell.sourceforge.net/
[2] http://mysecureshell.free.fr/forum/viewtopic.php?id=655
Current thread:
- CVE request: mysecureshell: information disclosure (or worse) Sebastian Pipping (Jul 23)
- Re: CVE request: mysecureshell: information disclosure (or worse) Sebastian Pipping (Jul 24)
- Re: CVE request: mysecureshell: information disclosure (or worse) Kurt Seifried (Jul 25)
- Re: CVE request: mysecureshell: information disclosure (or worse) Sebastian Pipping (Jul 25)
- Re: CVE request: mysecureshell: information disclosure (or worse) Kurt Seifried (Jul 27)
- Re: CVE request: mysecureshell: information disclosure (or worse) Sebastian Pipping (Jul 25)