Gmane
From: Niels Möller <nisse <at> lysator.liu.se>
Subject: SECURITY: lshd leaks fd:s to user shells
Newsgroups: gmane.network.lsh.bugs
Date: Friday 20th January 2006 16:44:07 UTC (over 11 years ago)
Stefan Pfetzing noticed that lshd leaks a couple of file descriptors,
related to the randomness generator, to user shells which are started
by lshd.

This is a security problem, in at least two ways:

* A user can truncate the server's seed file, which may prevent the
  server from starting.

* By reading the file, a user can get information that may be useful
  for cracking other users' session keys, as well as public keys that
  are generated from the disclosed seed file. (To understand what the
  impact is, one must understand how yarrow generates and uses the
  seed file. My initial analysis is that reading the seed-file is
  advantageous only if it is read just prior to the start of some
  process using the seed for initialization.)

This is a local hole. It provides for fairly easy denial of service by
local users, and with some more effort, maybe also cracking of session
keys.

The below patch, relative to lsh-2.0.1, seems to solve the problem.
After applying the patch, you should remove and then regenerate the
server's seed file (since users may still have open fd:s), and restart
lshd.

I hope to be able to put together a new release sometime next week.
I'll be off-line over the weekend. In the meantime, feel free to
inform other distributors and appropriate security fora about the
problem.

Sorry for the inconvenience,
/Niels

*** unix_random.c.~1.17.~	2004-11-17 22:13:27.000000000 +0100
--- unix_random.c	2006-01-20 14:26:05.000000000 +0100
***************
*** 258,263 ****
--- 258,264 ----
        if (self->device_fd < 0)
  	return 0;

+       io_set_close_on_exec(self->device_fd);
        self->device_last_read = now;
      }

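Review bot: the close-on-exec flag is set in a separate call after the open succeeds rather than at open time, so any path that reaches the `device_fd < 0` check, succeeds, and is then forked before `io_set_close_on_exec(self->device_fd)` runs would still hand the descriptor to a child; in a single-threaded server that is only a concern if a signal handler or other reentrant path forks, but it is worth confirming. Also, the result of `io_set_close_on_exec` is discarded here: if the helper can report a failed fcntl, log it, since a silent failure reintroduces exactly the leak this patch fixes.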
***************
*** 381,386 ****
--- 382,388 ----
  	return NULL;
        }

+     io_set_close_on_exec(self->seed_file_fd);
      trace("random_init, reading seed file...\n");

      if (!read_initial_seed_file(&self->yarrow, self->seed_file_fd))
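Review bot: this is the second call site that opens a descriptor and then separately remembers to call `io_set_close_on_exec` (the device fd in the previous hunk, `self->seed_file_fd` here, placed correctly before `read_initial_seed_file` is called). Consider having the open helper, or a wrapper around `open()`, set close-on-exec by default so that a future open site cannot reintroduce the leak; patching each site individually is easy to miss, as this bug shows.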
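To make the leak described above concrete, here is a small added C example, not part of the original post or of lsh, that reproduces the defect in miniature and shows the effect of the fix: it opens a stand-in for the seed file (a constructed temporary file), execs a shell and asks it whether the descriptor is still usable, then sets FD_CLOEXEC with fcntl(2) (what a helper like lshd's `io_set_close_on_exec` is assumed to do) and checks again. The function names and the temporary-file path are this example's own choices.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec; the kernel then closes it during execve(), so an
 * exec'd user shell never sees it. Returns 0 on success, -1 on error. */
int set_close_on_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Report whether fd currently carries the close-on-exec flag (1/0, -1 on error). */
int has_close_on_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) != 0;
}

/* Detection check: fork and exec a shell that tries to write on fd N.
 * "echo leaked 2>/dev/null >&N" exits 0 only if descriptor N is open in the
 * shell, i.e. only if the descriptor leaked across exec.
 * Returns 1 (leaked), 0 (closed across exec) or -1 on error. */
int fd_visible_after_exec(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    snprintf(cmd, sizeof cmd, "echo leaked 2>/dev/null >&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);               /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Reproduce the bug and the fix on a constructed stand-in for the seed file.
 * Fills *leaked_before (expected 1: the shell can use the fd) and
 * *leaked_after (expected 0: FD_CLOEXEC closed it on exec).
 * Returns 1 if the flag made the difference, 0 otherwise, -1 on error. */
int demo_seed_fd_leak(int *leaked_before, int *leaked_after)
{
    char path[] = "/tmp/seed-demo-XXXXXX";   /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                  /* keep only the open descriptor */

    *leaked_before = fd_visible_after_exec(fd);   /* as in lshd before the patch */
    if (set_close_on_exec(fd) < 0) {
        close(fd);
        return -1;
    }
    *leaked_after = fd_visible_after_exec(fd);    /* after the patch */
    close(fd);
    return *leaked_before == 1 && *leaked_after == 0;
}

/* Convenience wrapper for callers that only want the verdict. */
int demo_seed_fd_leak_is_fixed(void)
{
    int before, after;
    return demo_seed_fd_leak(&before, &after);
}

int main(void)
{
    int before, after;
    int ok = demo_seed_fd_leak(&before, &after);
    printf("shell could use seed fd before fix: %d, after fix: %d, fix effective: %d\n",
           before, after, ok);
    return ok == 1 ? 0 : 1;
}
```

The same shell check is a cheap way to audit any daemon that spawns user shells: run it from inside the spawned shell with `ls -l /proc/$$/fd` on Linux, or simply try to redirect to each descriptor number as the child above does. On systems with POSIX.1-2008 `open()` the flag can be requested at open time with `O_CLOEXEC`, which removes the window between the open and the separate fcntl call.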