remote DoS in sftp via crafted glob expressions (CVE-2010-4755)

Damien Miller djm at mindrot.org
Sun Mar 6 09:04:43 EST 2011


On Fri, 4 Mar 2011, Vincent Danen wrote:

> Hi folks.
> 
> We were made aware of a MITRE CVE assignment on OpenSSH for a remote DoS
> in sftp, described as:
> 
> The (1) remote_glob function in sftp-glob.c and the (2) process_put
> function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3
> and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote
> authenticated users to cause a denial of service (CPU and memory
> consumption) via crafted glob expressions that do not match any
> pathnames, as demonstrated by glob expressions in SSH_FXP_STAT
> requests to an sftp daemon, a different vulnerability than
> CVE-2010-2632.

Actually, the CVE description is nonsensical. sftp-server doesn't
process globs in requests at all. All glob expansion is done by
the client.

So a user entering a malicious glob is DoSing their own end of the
connection.

-d


More information about the openssh-unix-dev mailing list