oss-sec mailing list archives
CVE request: mysecureshell: local denial of service (or worse)
From: Sebastian Pipping <sebastian () pipping org>
Date: Tue, 23 Jul 2013 19:19:31 +0200
Hello everyone,
mysecureshell [1] is an SFTP-only shell to be used with sshd.
The latest release 1.31 makes use of shared memory with permissions 666
to maintain 128 slots with one struct for each connection/process.
An unprivileged user can mark mark all remaining slots as occupied (and
optionally wait for remaining clients to leave to block those slots, too).
To demonstrate the issue, I have written a small command line tool.
It's free software and can be found at [2]. Use it like this:
# make
cc -std=c99 -Wall -Wextra -pedantic local-dos.c -o local-dos
# ./local-dos
USAGE:
./local-dos (block|unblock|show)
# watch -n 1 -d ./local-dos block
[..]
Besides the local DoS it might be possible to attack the call to chdir,
since that is reading from shared memory, too.
Any ideas on other attacks based on writing to that block of shared
memory? File /bin/MySecureShell is mode 4755 setuid root if that makes
it more interesting :-)
Best,
Sebastian
[1] http://mysecureshell.sourceforge.net/
[2] https://github.com/hartwork/mysecureshell-issues
Current thread:
- CVE request: mysecureshell: local denial of service (or worse) Sebastian Pipping (Jul 23)
- Re: CVE request: mysecureshell: local denial of service (or worse) Kurt Seifried (Jul 25)
- Re: CVE request: mysecureshell: local denial of service (or worse) Sebastian Pipping (Jul 25)
- Re: CVE request: mysecureshell: local denial of service (or worse) Kurt Seifried (Jul 27)
- Re: CVE request: mysecureshell: local denial of service (or worse) Sebastian Pipping (Jul 25)
- Re: CVE request: mysecureshell: local denial of service (or worse) Kurt Seifried (Jul 25)