
SecurityTracker
Archives


 


Category: Application (Generic) > CVS
Vendors: GNU [multiple authors]
Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System
SecurityTracker Alert ID: 1005951
SecurityTracker URL: http://securitytracker.com/id/1005951
CVE Reference: CVE-2003-0015
Date: Jan 20 2003
Impact: Execution of arbitrary code via network, Root access via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.11.4 and prior versions
Description:   A vulnerability was reported in Concurrent Versions System (CVS). A remote user can execute arbitrary code on the system to gain access to the server.

e-matters reported that a remote user can send a malformed directory name as part of a Directory request to cause a global pointer variable to be freed with no value subsequently assigned to the variable. When the next Directory request is processed, the unassigned variable may be freed.

A remote user can exploit this to execute arbitrary code or shell commands. The privileges that the code will execute with depend on the configuration of the server. In some cases, the code may run with root privileges. According to the report, if the CVSROOT/passwd is left writeable to the CVS user, a remote root compromise can occur.

It is also reported that a remote authenticated user with write access can invoke the Update-prog and Checkin-prog commands to execute arbitrary shell commands on the server. According to the report, this feature is not well documented and may be unknown to most administrators. In addition, it reportedly cannot be disabled in the configuration files.

Impact:   A remote user may be able to execute arbitrary code on the system. The code will run with privileges that depend on the configuration of the system.
Solution:   The vendor has released a fixed version (1.11.5), available at:

http://ccvs.cvshome.org/servlets/ProjectDownloadList
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&dlID=234

Vendor URL: ccvs.cvshome.org/servlets/NewsItemView?newsID=51
Cause:   Resource error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Red Hat Issues Fix) Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System
Red Hat has released a fix.
(Mandrake Issues Fix) Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System
Mandrake has released a fix.
(OpenBSD Issues Fix) Re: Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System
OpenBSD has issued a patch.
(Debian Issues Fix) Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System
Debian has released a fix.
(Slackware Issues Fix) Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System
Slackware has released a fix.
(SuSE Issues Fix) Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System
SuSE has released a fix.
(Conectiva Issues Revised Fix) Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System
Conectiva has released a revised fix.
(Immunix Issues Fix) Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System
Immunix has released a fix.



 Source Message Contents

Subject:  [VulnWatch] Advisory 01/2003: CVS remote vulnerability



                           e-matters GmbH
                          www.e-matters.de

                      -= Security  Advisory =-



     Advisory: CVS remote vulnerability
 Release Date: 2003/01/20
Last Modified: 2003/01/20
       Author: Stefan Esser [s.esser@e-matters.de]

  Application: CVS <= 1.11.4
     Severity: A vulnerability within CVS allows remote compromise of
               CVS servers.
         Risk: Critical
Vendor Status: Vendor has released a bugfixed version.
    Reference: http://security.e-matters.de/advisories/012003.html


Overview:

   Concurrent Versions System (CVS) is the dominant open-source version
   control software that allows developers to access the latest code using
   a network connection. CVS version 1.11.4 and below contain a flaw that
   can be used by a remote attacker to execute arbitrary code on the server.

   You should also note that the CVS client/server protocol includes two
   commands (Update-prog and Checkin-prog) that can be used by any CVS user
   with write access to the repository to execute arbitrary shell commands
   on the server. This is a questionable feature, because it is very badly
   documented, is unknown to most CVS administrators and cannot be turned
   off within the configuration files.


Details:

   While auditing the CVS sourcetree I found a flaw within the handling of
   the Directory request within the server code. By sending a malformed
   directory name it is possible to trigger an error condition that will
   make the function return at a point where a global pointer variable is
   already freed and has not got a new value assigned yet. This will result
   in a classical double-free() when the next Directory request is handled.
   With the help of other CVS requests it is possible to either leak some
   information that could be used to determine the heap position or to
   execute arbitrary code on systems that are known to be vulnerable to
   this kind of bug. This includes Linux, Solaris and most probably Windows
   systems.

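The double-free pattern described above, as an added illustration that is not part of the advisory and not CVS's own code: a request handler that frees a global pointer before validating its input and returns on the error path without reassigning it, beside the corrected ordering (validate first, free-and-null). The directory-name rule, the small allocation tracker that stands in for a heap checker such as ASan or valgrind, and the request sequence are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the server's global "current directory" pointer that the
   advisory describes: released on every Directory request and reassigned
   only when the request is accepted. Constructed for this example. */
static char *current_dir = NULL;

/* Tiny allocation tracker standing in for a heap checker: remembers live
   blocks and reports a free() of a block that is no longer live instead
   of handing it to the allocator a second time. */
#define MAX_LIVE 16
static void *live_blocks[MAX_LIVE];
static int double_free_count = 0;

static void track_alloc(void *p) {
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live_blocks[i] == NULL) { live_blocks[i] = p; return; }
    }
}

static void tracked_free(void *p) {
    if (p == NULL) return;                  /* free(NULL) is always safe */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live_blocks[i] == p) { live_blocks[i] = NULL; free(p); return; }
    }
    double_free_count++;                    /* block was already released */
}

static char *dup_name(const char *s) {
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy != NULL) { memcpy(copy, s, n); track_alloc(copy); }
    return copy;
}

/* Constructed validity rule (not CVS's actual check): reject empty,
   absolute, or parent-traversing directory names. */
int valid_dir_name(const char *name) {
    if (name == NULL || name[0] == '\0' || name[0] == '/') return 0;
    if (strstr(name, "..") != NULL) return 0;
    return 1;
}

/* Vulnerable shape: the global is released before the request is checked,
   and the error path returns without assigning a new value, so the next
   request frees the same address again. */
int vulnerable_directory_request(const char *name) {
    tracked_free(current_dir);
    if (!valid_dir_name(name)) return -1;   /* current_dir now dangles */
    current_dir = dup_name(name);
    return 0;
}

/* Fixed shape: validate before touching global state, and never leave a
   freed address behind in the global. */
int fixed_directory_request(const char *name) {
    if (!valid_dir_name(name)) return -1;   /* global untouched on error */
    tracked_free(current_dir);
    current_dir = NULL;                     /* free-and-null: a later free is a no-op */
    current_dir = dup_name(name);
    return 0;
}

/* Replays a request sequence against one handler and returns how many
   double frees the tracker caught. */
int replay(int (*handler)(const char *), const char *const *reqs, int n) {
    double_free_count = 0;
    for (int i = 0; i < n; i++) handler(reqs[i]);
    int caught = double_free_count;
    tracked_free(current_dir);              /* release whatever is still live */
    current_dir = NULL;
    return caught;
}

/* Constructed request sequence: a valid directory, a malformed one that
   takes the error path, then another valid one. */
static const char *const sample_requests[] = { "src", "../escape", "lib" };

int demo_vulnerable(void) { return replay(vulnerable_directory_request, sample_requests, 3); }
int demo_fixed(void)      { return replay(fixed_directory_request, sample_requests, 3); }

int main(void) {
    printf("vulnerable handler: %d double free(s) caught\n", demo_vulnerable());
    printf("fixed handler:      %d double free(s) caught\n", demo_fixed());
    return 0;
}
```

The tracker only reports the hazard; a real build of the same pattern under a heap checker would abort at the second free, which is the cheapest way to find this class of bug in a code base that keeps allocation state in globals.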
   Additionally I was able to create proof of concept code that uses this
   vulnerability to execute arbitrary shell commands on BSD servers. I was
   able to achieve this because all allocated memory is aligned on BSD
   systems which makes it very easy to get newly allocated memory blocks
   into the same position of already freed blocks of the same slotsize.
   In combination with some CVS requests that work on lists of pointers,
   I was able to use this bug to free arbitrary memory addresses. With the
   help of the information leak capabilities of this vulnerability it is
   possible to guess the address of some strings that are needed for the
   read/write access checks. Combined this allows to bypass the write
   access checks and to abuse the Update-prog/Checkin-prog requests to
   execute arbitrary commands on the server with an anonymous read-only
   account.

   The impact of this vulnerability depends highly on the configuration of
   the server. The CVS server is by default started via inetd with root
   privileges. If CVSROOT/passwd is left writeable to the CVS user this means
   a remote root compromise. You must also consider that chrooting the CVS
   daemon may protect the rest of your system against the intruder but will
   still leave the whole source tree vulnerable to the attacker.

   Summarized this means that this vulnerability is a threat to most open
   source projects because nearly all of them offer anonymous CVS access to
   the source tree. Even if the attacker is not able to extend his attack
   on the developer CVS server (if it is separated at all) he could still
   backdoor everything other people download from the anonymous server.

Proof of Concept:

   e-matters is not going to release an exploit for this vulnerability to
   the public.

Disclosure Timeline:

   04. January 2003 - Vendor was notified via email. Unfortunately the
                      person that I tried to contact was on vacation, so I
                      received no answer.
   12. January 2003 - The vulnerability was disclosed to the admins of several
                      big public CVS repositories and to some distributors.
   15. January 2003 - Vendor has committed the fix to the CVS CVS repository.
   16. January 2003 - Vendor-sec was notified that a new bugfixed CVS version
                      will be released on 20th January.
   20. January 2003 - Vendor has released a new version which fixes the double
                      free problem. You can download it at:
                      http://ccvs.cvshome.org/servlets/ProjectDownloadList


CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CAN-2003-0015 to this issue.


Recommendation:

   My recommendation is to immediately update to the new version. You may also
   consider applying my patch which adds the ability to turn off Update-prog
   and Checkin-prog within your configuration files. You can download it from

   http://security.e-matters.de/patches/cvs_disablexprog.diff

   You should also consider running your CVS server chrooted over SSH instead
   of using the :pserver: method. You can find a tutorial on how to set up such
   a server at

   http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt


GPG-Key:

   http://security.e-matters.de/gpg_key.asc

   pub  1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
   Key fingerprint = 43DD 843C FAB9 832A E5AB  CAEB 81F2 8110 75E7 AAD6


Copyright 2003 Stefan Esser. All rights reserved.

-- 

--------------------------------------------------------------------------
 Stefan Esser                                        s.esser@e-matters.de
 e-matters Security                         http://security.e-matters.de/

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69
 Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
 Did I help you? Consider a gift:            http://wishlist.suspekt.org/
--------------------------------------------------------------------------




 
 


Copyright 2022, SecurityGlobal.net LLC