Re: CVE request: mysecureshell: information disclosure (or worse)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/25/2013 03:44 AM, Sebastian Pipping wrote:
> Hello Kurt,
>
>
> On 25.07.2013 10:33, Kurt Seifried wrote:
> > On 07/23/2013 11:17 AM, Sebastian Pipping wrote:
> > > mysecureshell [1] is an SFTP-only shell to be used with sshd.
> >
> > > The latest release 1.31 makes use of shared memory to maintain
> > > 128 slots with one struct for each connection/process. Access
> > > to that block of shared memory is not (or not properly)
> > > synchronized, so two or more processes might end up occupying
> > > the very same slot when process scheduling wants that to
> > > happen.  The effective permissions of the process remain
> > > untouched, though.  So it's logging in as someone else and it
> > > isn't.
> > >
> > > The relevant code from SftpServer/SftpWho.c (lines 106 and
> > > after) is:
> > >
> > > [cut out, same code below]
> > >
> > > The symptoms of this bug have been reported earlier at [2] by
> > > forum user "voleg".  To my best knowledge, there is no CVE
> > > number assigned yet. [..] [1]
> > > http://mysecureshell.sourceforge.net/ [2]
> > > http://mysecureshell.free.fr/forum/viewtopic.php?id=655
> >
> >
> > To reiterate: so I can confirm CVE assignments, and prevent
> > duplicate assignments you *MUST* provide links to the code
> > commits/vulnerable code. I don't have the time to go hunting
> > through your source code for them. People need to start making
> > better CVE requests, or you're not going to get CVEs from me.
>
> Upstream tarball ================ 
> http://mysecureshell.free.fr/repository/index.php/debian/pool/main/m/mysecureshell/mysecureshell_1.31.tar.gz
>
>
>
> Issue ===== Race condition, lack of synchronization, user may end
> up in another directory.
>
>
> Guilty code ===========
>
> Online ~~~~~~ 
> http://mysecureshell.cvs.sourceforge.net/viewvc/mysecureshell/mysecureshell/SftpServer/SftpWho.c?revision=1.3&view=markup#l107
>
>  Inlined  (from SftpServer/SftpWho.c, lines 107 and after) 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ for (i =
> 0; i < SFTPWHO_MAXCLIENT; i++) if (who[i].status == SFTPWHO_EMPTY) 
> { (void) usleep(100); if (who[i].status == SFTPWHO_EMPTY) { //clean
> all old infos memset(&who[i], 0, sizeof(*who)); //marked structure
> as occuped who[i].status = SFTPWHO_IDLE; return (&who[i]); } }
>
>
> Please let me know if you need anything more.  Thanks for your
> time!
>
> Best,
>
>
>
> Sebastian

Perfect! Please use CVE-2013-4176 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR82+/AAoJEBYNRVNeJnmThkMP/jWgKyNVGCxwpmRDg5SRVcl6
J1kxIYH3CZeANoy7HWqaABq4S+qLTImsfT/6/THUPEUqnN4sEzOKabwp0EDdt7xR
R6nCEgo9Nsju5dHwe5dpJJDS3vWw5pu/KdLtTZ5ynmIvhsgW6Cu7vFMbOkOH5qgL
3jUtilE2bZPoC/ifY7RljgO0OL2IvYqYP80du+iLBPMWLKxr376Smhdd6uvXxHAC
U/tExCZs6LWJkH+1VPP7dywEBN95PY7XdEbKyBKAYtGiu+GH0mR1KtsbthGYio6U
xZn5xZdDH8HBUkVeZLAknFUnNpdKYqOeVXieXhXDg6STFNDRsRKcx6iqRY+FlSwd
YBRhnNcVS8Bsc3HeK1RIxX6rOQkM7e7cUlkJVUm4+zhm9xb31LOiy1hEi8yXbNTb
Exu30w0yxWCEdiyLiy45jGlBBQXEQMC3PkGBdcx8Fla2cthI0Pa+OWUOluYvCurV
oJGSf5bQsEVlL8ZU2zoyEt1OKb1zMoyEtgMFxwFNnCAvwcLZHlq1J4bh1I8wMMNs
Je3Es+xNVa2BAF1VuYvGcxbGLR4HYoS3krOB15wmHWydekH0DeLqSFQBARc/vGjE
eUj2fjTVZuQR3smund8XdpYKejxeO00CifJA0R8t+YlmRTP+ouDgKzrddLrmAOPS
bMNGh6fOM8PtCqo8N8Is
=yM09
-----END PGP SIGNATURE-----