SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   CVS Vendors:   GNU [multiple authors]
Concurrent Versions System (CVS) Off-by-one Buffer Overflow May Let Local Users Execute Arbitrary Code to Gain Elevated Privileges
SecurityTracker Alert ID:  1004376
SecurityTracker URL:  http://securitytracker.com/id/1004376
CVE Reference:   CVE-2002-0844   (Links to External Site)
Updated:  Jan 14 2004
Original Entry Date:  May 25 2002
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): 1.11
Description:   A buffer overflow vulnerability has been reported in the Concurrent Versions System (CVS) daemon. A local user may be able to execute arbitrary code with the privileges of the CVS process.

The flaw reportedly resides in the 'cvs-1.11/src/rcs.c' file, where a sscanf() call is made specifying that 16 bytes should be read from the 'info->data' variable into a 15 byte (plus NULL) variable 'devtype[16]'. The 'info->data' variable is apparently based on the contents of a symlinked file on the local system. A local user could create a special value for the contents of this file to trigger the CVS buffer overflow and execute arbitrary code.

Impact:   A local user could cause the CVS server to execute arbitrary code with the privileges of the CVS daemon.
Solution:   No official solution was available at the time of this entry.

The author of the report has provided an unofficial patch (see the Source Message for the patch).

Vendor URL:  www.gnu.org/software/cvs/cvs.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Fix) Re: Concurrent Versions System (CVS) Off-by-one Buffer Overflow May Let Local Users Execute Arbitrary Code to Gain Elevated Privileges
The vendor has issued a fix.
(Caldera Issues Fix for OpenLinux) Concurrent Versions System (CVS) Off-by-one Buffer Overflow May Let Local Users Execute Arbitrary Code to Gain Elevated Privileges
Caldera has released a fix for OpenLinux.
Jan 14 2004 (Red Hat Issues Fix for RH Enterprise Linux) Concurrent Versions System (CVS) Off-by-one Buffer Overflow May Let Local Users Execute Arbitrary Code to Gain Elevated Privileges
Red Hat has released a fix for Red Hat Enterprise Linux 2.1 and 3.



 Source Message Contents

Subject:  [DER ADV#8] - Local off by one in CVSD


Local off by one overflow in CVSD.

intro:
the family of scanf functions (scanf, sscanf, fscanf) are generally insecure 
in usage and steps have been taken to make them more...secure you might say 
like adding bounds checking (sscanf(hey, "%.4096s %d", buffer, int)) but the 
function still remains quite insecure, to a lesser known bug like an off by 
one.

WRONG:
char buf[10];
int i;
sscanf(hey, "%.10s", buf); <-- boundary checks ten bytes...

RIGHT:
char buf[10];
int i;
sscanf(hey, "%.9s" buf); <-- see!

therefore in the first example (WRONG) the last byte into buf will exeed the 
allocated space (10 bytes) by one byte. woops. 
(http://www.hert.org/papers/klog-1.html <-- nice article)

details:

in cvs-1.11/src/rcs.c:
info = findnode (vers->other_delta, "special");
	if (info != NULL)
	{
	    /* If the size of `devtype' changes, fix the sscanf call also */
	    char devtype[16]; <-- SIXTEEN BYTES

	    if (sscanf (info->data, "%16s %lu", <-- WOOPS SHOULD BE 15
			devtype, &devnum_long) < 2)
		error (1, 0, "%s:%s has bad `special' newphrase %s",
		       workfile, vers->version, info->data);
	    devnum = devnum_long;
	    if (STREQ (devtype, "character"))
		special_file = S_IFCHR;
	    else if (STREQ (devtype, "block"))
		special_file = S_IFBLK;
	    else
		error (0, 0, "%s is a special file of unsupported type `%s'",
		       workfile, info->data);
	}
    }

this is only a locally exploitable hole since the data is read from 
info->data which in turn is from a symlinked local file (heh, you know where 
to find it);

we at der sys have created the following patch:

__END_OF_PATCH;

##########################
#DER PATCH FOR CVS < 1.11#
##########################

--- rcs_old.c	Mon Jan 25 02:05:16 2002
+++ rcs.c	Mon Jan 25 02:05:40 2002

--- 4238:       if (sscanf (info->data, "%16s %lu",
+++ 4238:       if (sscanf (info->data, "%.15s %lu",
		devtype, &devnum_long) < 2)
		error (1, 0, "%s:%s has bad `special' newphrase %s",
		workfile, vers->version, info->data);

__END_OF_PATCH;

vendor notification: nope.


_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC