Message-ID: <alpine.DEB.2.00.1205221444120.22824@dr-wily.mit.edu>
Date: Tue, 22 May 2012 15:29:17 -0400 (EDT)
From: Keith Winstein <keithw@....EDU>
To: jlieskov@...hat.com
cc: Keith Winstein <keithw@....edu>, mosh-devel@....edu,
        oss-security@...ts.openwall.com
Subject: Re: CVE Request -- mosh (and probably vte too): mosh server DoS
 (long loop) due improper parsing of terminal parameters in terminal
 dispatcher

Hello,

I am the author of Mosh, and somebody pointed me to your CVE request: 
http://seclists.org/oss-sec/2012/q2/370

I have not been part of this process before -- do we (the upstream) have a 
role here?

I don't want to butt in inappropriately, but I also don't want it to seem 
(by our silence) like we agree with the description in the CVE request.

The writeup is not accurate. We're grateful for the bug report by Timo 
Juhani Lindfors, but to say "issue confirmed by mosh upstream" makes it 
sound like we confirm _this_ issue.

We have written about this issue in the URL linked from the request: 
https://github.com/keithw/mosh/issues/271

In general, the application sending ANSI escape sequences is a trusted 
party. It is allowed to do things like disable the user's keyboard by 
sending "\e[2h", which is interpreted by xterm and Terminal.app.

That's a DoS as well, but (like this one) it's not really a security 
vulnerability. Because ANSI escape sequences can do arbitrary things to 
the user's terminal, programs that allow untrusted user-to-user 
communication (including write(1), wall(1), and e-mail and newsgroup 
readers) need to filter these out.

Here's my suggested text for the issue description:

===
Mosh versions 1.2 and earlier allow an application to cause the 
mosh-server to consume large amounts of CPU time with a short ANSI escape 
sequence. In addition, a malicious mosh-server can cause the mosh-client 
to consume large amounts of CPU time with a short ANSI escape sequence. 
This arises because there was no limit on the value of the "repeat" 
parameter in some ANSI escape sequences, so even large and nonsensical 
values would be interpreted by Mosh's terminal emulator.
===

This gets away from the suggestion that the problem relates to "improper 
parsing" or the "count of parameters" (it's about wanting a limit on the 
_value_ of parameters so the terminal emulator doesn't do huge amounts of 
work to execute a very short sequence), or to data coming from "a remote 
attacker."

Best regards,
Keith
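The fix the message calls for is a bound on the value of each numeric parameter, not on the number of parameters. The following C++ snippet is an added illustration of that idea and is not Mosh's own code: a minimal parser for the numeric-parameter form of CSI sequences ("ESC [ p1 ; p2 ... final") that saturates every parameter at a ceiling while reading the digits, so that the handler which later acts on the parameter can never be asked for unbounded work by a short sequence. The ceiling kMaxParamValue (65535), the cursor_forward_count handler and the sample inputs are assumptions made for this example; Mosh's actual limit is not stated in the message.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Assumed ceiling for any numeric CSI parameter (example value, not Mosh's).
constexpr uint32_t kMaxParamValue = 65535;

struct CsiSequence {
    std::vector<uint32_t> params;  // numeric parameters, each already clamped
    char private_marker = 0;       // e.g. '?' in "ESC [ ? 25 l", 0 if absent
    char final_byte = 0;           // dispatch byte, e.g. 'h' or 'C'
    bool valid = false;            // true only for a well-formed, terminated sequence
};

// Parse one CSI sequence from the start of `input`.
// Digits are accumulated with saturation: once the running value would
// exceed kMaxParamValue it stays pinned there, so neither integer overflow
// nor an arbitrarily large count can reach the handlers.
CsiSequence parse_csi(const std::string& input) {
    CsiSequence seq;
    if (input.size() < 3 || input[0] != '\x1b' || input[1] != '[') return seq;

    size_t i = 2;
    // Optional private parameter marker (0x3c..0x3f) directly after "ESC [".
    if (input[i] >= 0x3c && input[i] <= 0x3f) {
        seq.private_marker = input[i];
        ++i;
    }

    uint32_t current = 0;
    bool have_digit = false;
    for (; i < input.size(); ++i) {
        const char c = input[i];
        if (c >= '0' && c <= '9') {
            const uint32_t d = static_cast<uint32_t>(c - '0');
            // current * 10 + d <= kMaxParamValue  <=>  current <= (kMaxParamValue - d) / 10
            if (current > (kMaxParamValue - d) / 10) {
                current = kMaxParamValue;  // saturate instead of growing further
            } else {
                current = current * 10 + d;
            }
            have_digit = true;
        } else if (c == ';') {
            seq.params.push_back(have_digit ? current : 0);  // empty parameter defaults to 0
            current = 0;
            have_digit = false;
        } else if (c >= 0x40 && c <= 0x7e) {
            seq.params.push_back(have_digit ? current : 0);
            seq.final_byte = c;
            seq.valid = true;
            return seq;
        } else {
            return seq;  // byte outside the grammar handled here: reject the sequence
        }
    }
    return seq;  // ran out of input before a final byte: unterminated, not valid
}

// Illustrative handler for "cursor forward" (CSI n C): returns how many
// single-column moves it would perform. A missing or zero parameter means 1
// (the usual VT convention); anything larger is already capped by the parser.
uint32_t cursor_forward_count(const std::string& input) {
    const CsiSequence seq = parse_csi(input);
    if (!seq.valid || seq.final_byte != 'C') return 0;
    const uint32_t n = seq.params.empty() ? 0 : seq.params[0];
    return n == 0 ? 1 : n;
}

int main() {
    // Constructed inputs: an ordinary count and one with an oversized parameter.
    const char* samples[] = {"\x1b[3C", "\x1b[99999999999999C"};
    for (const char* s : samples) {
        std::printf("handler work: %u iteration(s)\n", cursor_forward_count(s));
    }
    return 0;
}
```

The point of clamping inside the digit loop, rather than after the value is complete, is that the parser itself never holds a number larger than the ceiling; a handler receiving `params[0]` can loop over it without any further check, and a fourteen-digit parameter costs the same as a five-digit one.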
