Re: CVE request: mysecureshell: local denial of service (or worse)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/23/2013 11:19 AM, Sebastian Pipping wrote:
> Hello everyone,
>
>
> mysecureshell [1] is an SFTP-only shell to be used with sshd.
>
> The latest release 1.31 makes use of shared memory with permissions
> 666 to maintain 128 slots with one struct for each
> connection/process. An unprivileged user can mark mark all
> remaining slots as occupied (and optionally wait for remaining
> clients to leave to block those slots, too).
>
> To demonstrate the issue, I have written a small command line
> tool. It's free software and can be found at [2].  Use it like
> this:
>
> # make cc -std=c99 -Wall -Wextra -pedantic local-dos.c -o
> local-dos
>
> # ./local-dos USAGE: ./local-dos (block|unblock|show)
>
> # watch -n 1 -d ./local-dos block [..]
>
> Besides the local DoS it might be possible to attack the call to
> chdir, since that is reading from shared memory, too.
>
> Any ideas on other attacks based on writing to that block of
> shared memory?  File /bin/MySecureShell is mode 4755 setuid root if
> that makes it more interesting :-)
>
> Best,
>
>
>
> Sebastian
>
>
> [1] http://mysecureshell.sourceforge.net/ [2]
> https://github.com/hartwork/mysecureshell-issues

To reiterate: so I can confirm CVE assignments, and prevent duplicate
assignments you *MUST* provide links to the code commits/vulnerable
code. I don't have the time to go hunting through your source code for
them. People need to start making better CVE requests, or you're not
going to get CVEs from me.

I think if I repeat this enough times it'll work.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR8OLUAAoJEBYNRVNeJnmTbEsP/jqO2hynx95cxjzC6DKkLubI
t95HqOOTAdqeb9Ek3D/xHgQylvTF8tPqGc77awkLvmao17wNykBDEoS/GvvSnmMj
z1UjuuPLW2jrrRnsfPbOl33XXde/3uMcTejx1feY1PvWOADM/rElvDob7+9tXnUI
CFivq/ibMqTjKdA7uOMMkSTZ96w0oIXVnAbPUm4u2vc6imY8CEMGhXwNrlm+7jwa
hykaJjpnTvXScfqcpORcEJGNRojrnCa9LhVid9hOkvDaSiuB7zVgYgyqkc0tLGXa
+zkEXKcrWlC4OuuRvCFZ2UvkBmK46OTkNyAmaRhxji2/PezRAqCThH0gPZk69LQb
7YmonMCOJtqXVV6DtJ4G3dIg3i/VZvgpQC6IoaH2VKKYK9I5ThTYPApRclWXLPJ7
bZnpe2MgeGfbOVRB6/ydozEuPK+9CgSzWl2ShLuRQfbFyV/3I4jIpMJKINULMTbx
CTtVHpN4G6VhK+5A97mJMYBSKxFbqPOm/tF2RNSDaMpF285oMLnPs8Rq5EU4NLwj
3awuvmSu0UmDoAv/Pw/n+pPxWjgG45coGOICujaIQdh4iOoHcMM010P8JSxPaLZ7
uPaG7SSdkiCK22RhS3MGX+T+qiF1jXRSEcZB/g6kHVh/FSApzmmfuSRlR1uzompH
hmNA9OuY7vOtfqBgQ/dB
=kgXF
-----END PGP SIGNATURE-----