TrouSerS / Bugs / #152 [CVE-2012-0698] DoS against tcsd

#152 [CVE-2012-0698] DoS against tcsd

Milestone: Bug

Status: closed-fixed

Owner: Kent Yoder

Labels: TCS Daemon (25)

Priority: 5

Updated: 2012-09-25

Created: 2012-01-13

Creator: Andy Lutomirski

Private: No

The attached python script will cause tcsd to segfault.

In general, there is a lot of input validation missing all over trousers.

If this isn't fixed soon, I'll probably disclose it somewhere else, too. In the mean time, I will notify some distros.

Discussion

Andy Lutomirski - 2012-01-13

Exploit

crash_tcsd.py

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Andy Lutomirski - 2012-01-13

I think that at least UnloadBlob_PCR_EVENT has a similar remotely exploitable bug.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Andy Lutomirski - 2012-01-14

This is CVE-2012-0698

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Andy Lutomirski - 2012-01-14

summary: DoS against tcsd --> [CVE-2012-0698] DoS against tcsd
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Rajiv Andrade - 2012-01-16

Fix is on its way.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Rajiv Andrade - 2012-01-17

This commit solves the reported issue:

http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commit;h=50dd06a6f639b76b3bb629606ef71b2dc5407601

I'll leave it open for now awaiting internal review and reporter's acknowledgment.

Thanks

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Rajiv Andrade - 2012-01-17

By the way, none of these are 'exploitable', since the daemon runs unprivileged.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Andy Lutomirski - 2012-04-24

I may play around and see if I can still easily exploit it. I find this code to be rather scary.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Kent Yoder - 2012-09-25

status: open --> closed-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Kent Yoder - 2012-09-25

Hi Andy, I'd be interested to hear of any more exploits you've found. Try 0.3.10, I've added a bit of hardening to it over 0.3.9. For now I'll close this bug but if you find anything please do reopen it.

Kent

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.