Re: CVE request: mysecureshell: local denial of service (or worse)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/25/2013 04:28 AM, Sebastian Pipping wrote:
> Hello Kurt,
>
>
> On 25.07.2013 10:33, Kurt Seifried wrote:
> > On 07/23/2013 11:19 AM, Sebastian Pipping wrote:
> > > mysecureshell [1] is an SFTP-only shell to be used with sshd.
> >
> > > The latest release 1.31 makes use of shared memory with permissions
> > > 666 to maintain 128 slots with one struct for each
> > > connection/process. An unprivileged user can mark mark all
> > > remaining slots as occupied (and optionally wait for remaining
> > > clients to leave to block those slots, too).
> >
> > > To demonstrate the issue, I have written a small command line
> > > tool. It's free software and can be found at [2].  Use it like
> > > this:
> >
> > > # make cc -std=c99 -Wall -Wextra -pedantic local-dos.c -o
> > > local-dos
> >
> > > # ./local-dos USAGE: ./local-dos (block|unblock|show)
> >
> > > # watch -n 1 -d ./local-dos block [..]
> >
> > > Besides the local DoS it might be possible to attack the call to
> > > chdir, since that is reading from shared memory, too.
> >
> > > Any ideas on other attacks based on writing to that block of
> > > shared memory?  File /bin/MySecureShell is mode 4755 setuid root if
> > > that makes it more interesting :-)
> > > [..]
> > > [1] http://mysecureshell.sourceforge.net/
> > > [2] https://github.com/hartwork/mysecureshell-issues
> >
> > To reiterate: so I can confirm CVE assignments, and prevent duplicate
> > assignments you *MUST* provide links to the code commits/vulnerable
> > code. I don't have the time to go hunting through your source code for
> > them. People need to start making better CVE requests, or you're not
> > going to get CVEs from me.
> >
> > I think if I repeat this enough times it'll work.
>
> Upstream tarball
> ================
> http://mysecureshell.free.fr/repository/index.php/debian/pool/main/m/mysecureshell/mysecureshell_1.31.tar.gz
>
>
> Issue
> =====
> Mode 0666 for shared memory, local denial of service
>
>
> Guilty code
> ===========
>
> Online
> ~~~~~~
> http://mysecureshell.cvs.sourceforge.net/viewvc/mysecureshell/mysecureshell/SftpServer/SftpWho.c?revision=1.3&view=markup#l73
>
> Inlined  (from SftpServer/SftpWho.c, lines 73 and after)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> //try to join to existing shm
> if ((shmid = shmget(key, sizeof(t_shm), 0)) == -1)
>   if (create == 1)
>     {
>       shmid = shmget(key, sizeof(t_shm), IPC_CREAT | IPC_EXCL | 0666);
>       eraze = 1;
>     }
>
>
> Please let me know if you need anything more.  Thanks for your time!
>
> Best,
>
>
>
> Sebastian

Perfect! Please use CVE-2013-4175 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR82+tAAoJEBYNRVNeJnmTdCQQAJvRAEOpCyo314tT6nbIiMu/
VUk2eHeFsqv5H744x+HjySb8CZVPtZ+dWQnF7LCfeDhWerLrt23OlE6mU7QpJX0b
BiiOviQlkwAxyE2CDaMiZBO8mwRQc4soXlWQZD/qOASVpWrHpYlyFOH49cYwA0pA
46fbqmY6BKmdlSSQRKfNGjr2kuhFccMut2CxoGlLqbf1frELTtWZNstcYLHLVUCx
dXghNVMVbh1Bs4KYbuCogJcyFy6JQHrpmFtAI1tEOqUNsOJJ7EyShMaicPsw05zq
PA/d1GJ9GhdzviEOytfLwNlWqZm+yCnsFvcPEC7pclymDj4honeXb1AyY4FrcILM
FiHCtg4HmnNM464Zki5EGice3lJ6haBWGdm7V1v/lWP2KIC8mKh13XbQUCj2AvBm
Hjl9DShNpo54OI+6B2SSvdBbOBFBSOzb90Ig1i4XbxjaOKxOeB7z2MA14+dHrXCi
3B3vzGFZfIhUYQySmUtwZQYsiPgKHgu7mvrNpB62uaXmBIr6DJTQ6IWGF6yyusp8
uBrCSI6BX8J4nz9AvUmjSZtzTvDlRtXsysmManSKnbZZfndD3AIwVGPqh9qE8YTE
Jqvj/O6hol+yHMd6vCwV5YROtxwJbrbXuGxPLPv2o4YFQ6lizSNMYoLKUUIBBq8E
XhvjwtqGlsg+sXAmn8UZ
=VarJ
-----END PGP SIGNATURE-----