Topic: Bug discovered

# /bin/MySecureShell.1.31 --version
MySecureShell is version 1.31 build on Feb 24 2013

Options:
  ACL support: yes
  UTF-8 support: yes

Sftp Extensions:
  Disk Usage
  Disk Usage (OpenSSH)
  File Hashing
# cat /etc/issue
Red Hat Enterprise Linux Server release 5.9 (Tikanga)

Relevant data from /var/log/sftp-server.log:
2013-04-25 17:00:28 [25227]New client [userone] from [192.168.1.171]
2013-04-25 17:00:29 [25227][userone][192.168.1.171]Start download file '/CURR/89148580_20130424_143542.pdf'
2013-04-25 17:00:29 [25227][userone][192.168.1.171]End download file '/CURR/89148580_20130424_143542.pdf' : 100%
....
2013-04-25 17:00:37 [25227][userone][192.168.1.171]Start download file '/CURR/89151035_20130424_151219.pdf'
2013-04-25 17:00:37 [25292]New client [anotheruser] from [192.168.5.42]
2013-04-25 17:00:37 [25227][userone][192.168.1.171]End download file '/CURR/89151035_20130424_151219.pdf' : 100%
2013-04-25 17:00:38 [25227][userone][192.168.1.171]Start download file '/CURR/89151147_20130424_151346.pdf'
2013-04-25 17:00:38 [25227][userone][192.168.1.171]End download file '/CURR/89151147_20130424_151346.pdf' : 100%
2013-04-25 17:00:38 [25227][userone][192.168.1.171]Start download file '/CURR/89151228_20130424_151503.pdf'
2013-04-25 17:00:38 [25292][anotheruser][192.168.5.42]Try to remove file '/CURR/SYSTEM_ITEMS.xml' : success
2013-04-25 17:00:38 [25227][userone][192.168.1.171]End download file '/CURR/89151228_20130424_151503.pdf' : 100%
2013-04-25 17:00:38 [25292][anotheruser][192.168.5.42]Start upload into file '/CURR/SYSTEM_ITEMS.xml'
2013-04-25 17:00:38 [25227][userone][192.168.1.171]Start download file '/CURR/89151374_20130424_151709.pdf'
2013-04-25 17:00:39 [25227][anotheruser][192.168.5.42]End download file '/CURR/89151374_20130424_151709.pdf' : 100%
2013-04-25 17:00:39 [25292][anotheruser][192.168.5.42]End upload into file '/CURR/SYSTEM_ITEMS.xml'
2013-04-25 17:00:40 [25292][anotheruser][192.168.5.42]Quit.
2013-04-25 17:00:40 [25227][anotheruser][192.168.5.42]Quit.


Note how user "anotheruser" with PID 25292 hijacks the session of "userone" with PID 25227.
The bug is reproducible. Issue "mget *" as userone on a lot of (not so big) files. Bombard with various small transactions as anotheruser.

trace -feopen for /bin/MySecureshell of userone shows how the user home (jail) switches from userone to anotheruser, therefore the rest of the mget failed with "no such file".

Anyway, great software with no alternatives.

2 (edited by teka 2013-04-30 09:51:19)

Re: Bug discovered

Hi,


Okay, I understand the problem!

Thank you for the report :)

Edit: OK, the bug only permits stealing the "Home" of a user, but file rights are still restrictive :)

Re: Bug discovered

> Edit: OK, the bug only permits stealing the "Home" of a user, but file rights are still restrictive

Do you mean that the user switch in sftp-server.log does not mean a real user switch, but only $HOME substitution?
I was sure that the whole session was hijacked and otheruser got rights on userone content.

Anyway, the bug is very serious and causes batches to fail with "no such file".

--
Oleg.

Re: Bug discovered

Yep, MySecureShell works as a shell, so we have 1 process per SSH connection.

It's a big bug since "user1" can be in the home of "user2", but "user1" keeps his rights :)

So effects are:

  • see other user path

  • corrupt other user path

  • "corrupt" file sftp-server.log

Re: Bug discovered

Has there been a fix issued for this? 1.31?

Thanks

Re: Bug discovered

MySecureShell v1.32 should fix this issue... but at this time there is no release date :(

Re: Bug discovered

Any updates on a fix?

Re: Bug discovered

Not yet :(

9 (edited by sping 2013-07-24 13:15:46)

Re: Bug discovered

The problem is lack of synchronisation with access to the shared memory. The current code

for (i = 0; i < SFTPWHO_MAXCLIENT; i++)
    if (who[i].status == SFTPWHO_EMPTY)
    {
        (void) usleep(100);
        if (who[i].status == SFTPWHO_EMPTY)
        {
            //clean all old infos
            memset(&who[i], 0, sizeof(*who));
            //marked structure as occuped 
            who[i].status = SFTPWHO_IDLE;
            return (&who[i]);
        }
    }

has a race condition that allows two processes to occupy the same slot.

pthread mutexes with attribute PTHREAD_PROCESS_SHARED do not seem to work in the case of mysecureshell, since the mysecureshell processes are not related. POSIX semaphores using sem_open(3) may work.


For users not depending on mysecureshell features like bandwidth limitation, this patch removing use of shared memory might be an acceptable fix for the moment.
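
Added example, not part of the original posts and not the MySecureShell fix: the check-then-set on `status` quoted above can be made race-free by claiming the slot with a single atomic compare-and-swap, a different technique from the sem_open(3) approach mentioned in the post. `slot_t`, `claim_slot`, `count_double_claims`, `MAXCLIENT` and the `SLOT_*` values are hypothetical stand-ins; it assumes Linux, an anonymous shared mapping and a lock-free `atomic_int`.

```c
#define _DEFAULT_SOURCE
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAXCLIENT 64                     /* stand-in for SFTPWHO_MAXCLIENT */
enum { SLOT_EMPTY = 0, SLOT_IDLE = 1 };  /* stand-ins for SFTPWHO_EMPTY / SFTPWHO_IDLE */

typedef struct {
    atomic_int status;  /* claimed by compare-and-swap, never test-then-set */
    atomic_int claims;  /* instrumentation: number of processes that took this slot */
    char home[64];      /* per-session payload, e.g. the jail path */
} slot_t;

/* The EMPTY -> IDLE transition is one atomic step, so exactly one process
 * can win a given slot. Returns the slot index, or -1 if the table is full. */
int claim_slot(slot_t *who, const char *home)
{
    for (int i = 0; i < MAXCLIENT; i++) {
        int expected = SLOT_EMPTY;
        if (atomic_compare_exchange_strong(&who[i].status, &expected, SLOT_IDLE)) {
            /* Slot is ours: reset the payload only, never the status field. */
            memset(who[i].home, 0, sizeof who[i].home);
            strncpy(who[i].home, home, sizeof who[i].home - 1);
            atomic_fetch_add(&who[i].claims, 1);
            return i;
        }
    }
    return -1;
}

/* Fork nproc children that all claim at once; return how many slots were taken twice. */
int count_double_claims(int nproc)
{
    slot_t *who = mmap(NULL, sizeof(slot_t) * MAXCLIENT, PROT_READ | PROT_WRITE,
                       MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (who == MAP_FAILED) return -1;
    for (int p = 0; p < nproc; p++)
        if (fork() == 0) _exit(claim_slot(who, "/home/constructed") < 0);
    while (wait(NULL) > 0) { }
    int doubles = 0;
    for (int i = 0; i < MAXCLIENT; i++) doubles += atomic_load(&who[i].claims) > 1;
    munmap(who, sizeof(slot_t) * MAXCLIENT);
    return doubles;
}

int main(void) { printf("double claims: %d\n", count_double_claims(32)); return 0; }
```

Slots left behind by a process that died without releasing them still need separate cleanup; the compare-and-swap only guarantees that a free slot has a single owner.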

Re: Bug discovered

PS: If anyone would want to make a Debian package for a version not using shared memory that would be:

sudo apt-get install devscripts build-essential debhelper libacl1-dev libssl-dev fakeroot
wget http://mysecureshell.free.fr/repository/index.php/debian/pool/main/m/mysecureshell/mysecureshell_1.31.tar.gz
wget http://www.hartwork.org/public/mysecureshell-1.31-no-shared-memory.patch
tar xf mysecureshell_1.31.tar.gz
 
cd mysecureshell-1.31/
patch -p1 < ../mysecureshell-1.31-no-shared-memory.patch
dch -v 1.31+noshm 'Apply patch to stop using shared memory'
 
debuild -us -uc
sudo dpkg -i ../mysecureshell_1.31+noshm_amd64.deb

Re: Bug discovered

OK, but your patch breaks the "sftp-who" binary :(

Re: Bug discovered

Yes, it breaks that and more. I'm fully aware you don't want to apply that patch to CVS. But it might work for some users that can make the trade-off for instant security.

Re: Bug discovered

For your information, the security community has assigned identifier CVE-2013-4176 to this issue on the oss-security mailing list (thread 10678) in the mean time.

Re: Bug discovered

Ok :)