Advisory 01/2003: CVS remote vulnerability
Klaus-Peter Schrage
Mon May 17 11:43:21 PDT 2004
For a fix on Redhat systems, look here:
http://rhn.redhat.com/errata/RHSA-2003-012.html
Klaus
Stefan Esser (by way of Douglas J Hunley) wrote:
>
> e-matters GmbH
> www.e-matters.de
>
> -= Security Advisory =-
>
>
>
> Advisory: CVS remote vulnerability
> Release Date: 2003/01/20
> Last Modified: 2003/01/20
> Author: Stefan Esser [s.esser at e-matters.de]
>
> Application: CVS <= 1.11.4
> Severity: A vulnerability within CVS allows remote compromise of
> CVS servers.
> Risk: Critical
> Vendor Status: Vendor has released a bugfixed version.
> Reference: http://security.e-matters.de/advisories/012003.html
>
>
> Overview:
>
> Concurrent Versions System (CVS) is the dominant open-source version
> control software that allows developers to access the latest code using
> a network connection. CVS version 1.11.4 and below contain a flaw that
> can be used by a remote attacker to execute arbitrary code on the server.
>
> You should also note that the CVS client/server protocol includes two
> commands (Update-prog and Checkin-prog) that can be used by any CVS user
> with write access to the repository to execute arbitrary shell commands
> on the server. This is a questionable feature, because it is very badly
> documented, is unknown to most CVS administrators and cannot be turned
> off within the configuration files.
>
>
> Details:
>
> While auditing the CVS source tree I found a flaw within the handling of
> the Directory request within the server code. By sending a malformed
> directory name it is possible to trigger an error condition that will
> make the function return at a point where a global pointer variable is
> already freed and has not got a new value assigned yet. This will result
> in a classical double-free() when the next Directory request is handled.
> With the help of other CVS requests it is possible to either leak some
> information that could be used to determine the heap position or to
> execute arbitrary code on systems that are known to be vulnerable to
> this kind of bug. This includes Linux, Solaris and most probably Windows
> systems.
>
> Additionally I was able to create proof of concept code that uses this
> vulnerability to execute arbitrary shell commands on BSD servers. I was
> able to achieve this because all allocated memory is aligned on BSD
> systems which makes it very easy to get newly allocated memory blocks
> into the same position of already freed blocks of the same slotsize.
> In combination with some CVS requests that work on lists of pointers,
> I was able to use this bug to free arbitrary memory addresses. With the
> help of the information leak capabilities of this vulnerability it is
> possible to guess the address of some strings that are needed for the
> read/write access checks. Combined this allows to bypass the write
> access checks and to abuse the Update-prog/Checkin-prog requests to
> execute arbitrary commands on the server with an anonymous read-only
> account.
>
> The impact of this vulnerability depends highly on the configuration of
> the server. The CVS server is by default started via inetd with root
> privileges. If CVSROOT/passwd is left writeable to the CVS user this means
> a remote root compromise. You must also consider that chrooting the CVS
> daemon may protect the rest of your system against the intruder but will
> still leave the whole source tree vulnerable to the attacker.
>
> Summarized this means that this vulnerability is a threat to most open
> source projects because nearly all of them offer anonymous CVS access to
> the source tree. Even if the attacker is not able to extend his attack
> on the developer CVS server (if it is separated at all) he could still
> backdoor everything other people download from the anonymous server.
>
>
> Proof of Concept:
>
> e-matters is not going to release an exploit for this vulnerability to
> the public.
>
>
> Disclosure Timeline:
>
> 04. January 2003 - Vendor was notified via email. Unfortunately the
> person that I tried to contact was on vacation, so I
> received no answer.
> 12. January 2003 - The vulnerability was disclosed to the admins of
> several big public CVS repositories and to some distributors.
> 15. January 2003 - Vendor has committed the fix to the CVS CVS repository.
> 16. January 2003 - Vendor-sec was notified that a new bugfixed CVS version
> will be released on 20th January.
> 20. January 2003 - Vendor has released a new version which fixes the
> double free problem. You can download it at:
> http://ccvs.cvshome.org/servlets/ProjectDownloadList
>
>
> CVE Information:
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CAN-2003-0015 to this issue.
>
>
> Recommendation:
>
> My recommendation is to immediately update to the new version. You may
> also consider applying my patch which adds the ability to turn off
> Update-prog and Checkin-prog within your configuration files. You can
> download it from
>
> http://security.e-matters.de/patches/cvs_disablexprog.diff
>
> You should also consider running your CVS server chrooted over SSH instead
> of using the :pserver: method. You can find a tutorial on how to set up such a
> server at
>
> http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt
>
>
> GPG-Key:
>
> http://security.e-matters.de/gpg_key.asc
>
> pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
> Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6
>
>
> Copyright 2003 Stefan Esser. All rights reserved.
>
> --
>
> --------------------------------------------------------------------------
> Stefan Esser s.esser at e-matters.de
> e-matters Security http://security.e-matters.de/
>
> GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69
> Key fingerprint B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69
> --------------------------------------------------------------------------
> Did I help you? Consider a gift: http://wishlist.suspekt.org/
> --------------------------------------------------------------------------
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Linux-users mailing list
> Linux-users at linux-sxs.org
> Unsubscribe/Suspend/Etc -> http://www.linux-sxs.org/mailman/listinfo/linux-users
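A model of the bug class the quoted advisory describes, added here as an example that is not from the advisory or from the CVS source: a request handler frees a global pointer, returns early on a malformed name without reassigning it, and the next request frees the same block again, shown beside the hardened ordering. The live-pointer tracker, the directory-name rule and the request names are constructed for the example; the real server's validation is not on the page.

```c
#include <stdlib.h>
#include <string.h>
/* Live-pointer tracker standing in for a sanitizer: freeing a block that is no longer live is counted instead of being passed to free(). */
static void *live[8];
static int double_free_count;
static void track_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < 8; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_free_count++;   /* stale pointer: heap corruption in a real server */
}
static char *dup_str(const char *s) {         /* tracked strdup() */
    char *p = malloc(strlen(s) + 1);
    if (p == NULL) return NULL;
    strcpy(p, s);
    for (int i = 0; i < 8; i++)
        if (live[i] == NULL) { live[i] = p; break; }
    return p;
}
/* Constructed validation rule; the real server's check is not on the page. */
static int valid_dir_name(const char *name) {
    return name[0] != '/' && strstr(name, "..") == NULL;
}
static char *current_dir;   /* global holding the previous request's name */
/* Vulnerable shape: free the global, then return early on a malformed name without assigning a new value, so current_dir keeps the freed address. */
static int handle_directory_unsafe(const char *name) {
    track_free(current_dir);
    if (!valid_dir_name(name)) return -1;
    current_dir = dup_str(name);
    return current_dir ? 0 : -1;
}
/* Hardened shape: validate and allocate first, release the old value only when the new one is ready, so the global never holds a freed pointer. */
static int handle_directory_safe(const char *name) {
    if (!valid_dir_name(name)) return -1;
    char *copy = dup_str(name);
    if (copy == NULL) return -1;
    track_free(current_dir);
    current_dir = copy;
    return 0;
}
/* Drives the same request sequence through a handler and returns how many double frees the tracker observed. */
static int run_sequence(int (*handler)(const char *)) {
    double_free_count = 0;
    current_dir = NULL;
    handler("src");        /* valid request */
    handler("../etc");     /* malformed: takes the error path */
    handler("lib");        /* next Directory request frees the global again */
    track_free(current_dir);
    return double_free_count;
}
```

Running the same three requests through each handler reports one double free for the unsafe ordering and none for the hardened one; the same stale-pointer class is what AddressSanitizer or a hardened allocator flags in a real build.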