remote DoS in sftp via crafted glob expressions (CVE-2010-4755)
Damien Miller
djm at mindrot.org
Tue Mar 8 07:59:43 EST 2011
On Mon, 7 Mar 2011, Vincent Danen wrote:
> * [2011-03-06 09:00:47 +1100] Damien Miller wrote:
>
> > The attack is on the client by a malicious server - a client can't DoS
> > a server with this bug. We generally don't put much effort into making
> > the client resilient to DoS from a hostile server.
>
> I'm confused. Why would this be an attack on the client? The client is
> the one putting the glob (the server isn't pushing this as far as I can
> see). I do see a CPU spike (and blocking on the ability to execute any
> subsequent commands) on the client, but I also see (excessive?) CPU
> usage on the host.
Sorry, I was incorrect above - the attack is purely client end. If there
is additional CPU usage on the server then it is just from the client
issuing more requests.
> Interestingly, subsequent sftp connections to the host, doing the same
> thing do not increase CPU usage significantly.
>
> Is this something you would be interested in disputing with MITRE over
> the CVE assignment?
Feel free to forward this email conversation. I don't understand why they
don't contact the vendor to verify CVEs to begin with.
> I see you also said:
>
> > actually, the CVE description is nonsensical. sftp-server doesn't
> > process globs in requests at all. All glob expansion is done by
> > the client.
> >
> > So a user entering a malicious glob is DoSing their own end of the
> > connection.
>
> Doing further testing, I'm inclined to agree with you. At best this is
> a client DoS, but they are doing it to themselves (but you implied
> malicious server above, so I'm not sure whether this should be
> considered a flaw from a malicious server and the description needs to
> be revised, or if this should be rejected outright since self-inflicted
> issues shouldn't really be considered security flaws).
Here's a simple proof:
[djm at mothra openssh]$ grep -l 'glob[(]' *.c
sftp-glob.c
sftp.c
There are no glob calls in the server, so it can't be vulnerable to
malicious glob patterns.
-d