SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   CVS Vendors:   GNU [multiple authors]
CVS Entry Line Heap Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010208
SecurityTracker URL:  http://securitytracker.com/id/1010208
CVE Reference:   CVE-2004-0396   (Links to External Site)
Updated:  May 19 2004
Original Entry Date:  May 19 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.11.15 and prior versions (stable); 1.12.7 and prior versions (feature)
Description:   A heap overflow vulnerability was reported in Concurrent Versions System (CVS) in the processing of entry lines. A remote user can execute arbitrary code on the target system.

Stefan Esser of e-matters GmbH reported that the overflow occurs when an entry line is processed to determine if the modified and unchanged flags apply. A remote user can reportedly cause the flawed function to be called several times, inserting certain characters into the entry line and overwriting memory.

The vendor was reportedly notified on May 2, 2004.

The original advisory is available at:

http://security.e-matters.de/advisories/072004.html

Impact:   A remote user can execute arbitrary code on the target system with the privileges of the CVS server.
Solution:   The vendor is releasing a fixed version, to be available shortly at:

http://ccvs.cvshome.org/servlets/ProjectDownloadList

Vendor URL:  www.cvshome.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 19 2004 (Red Hat Issues Fix for RH Enterprise Linux) CVS Entry Line Heap Overflow Lets Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 2.1 and 3.
May 19 2004 (FreeBSD Issues Fix) CVS Entry Line Heap Overflow Lets Remote Users Execute Arbitrary Code
FreeBSd has released a fix.
May 19 2004 (Debian Issues Fix) CVS Entry Line Heap Overflow Lets Remote Users Execute Arbitrary Code
Debian has released a fix.
May 19 2004 (SuSE Issues Fix) CVS Entry Line Heap Overflow Lets Remote Users Execute Arbitrary Code
SuSE has released a fix.
May 19 2004 (Mandrake Issues Fix) CVS Entry Line Heap Overflow Lets Remote Users Execute Arbitrary Code
Mandrake has released a fix.
May 19 2004 (Fedora Issues Fix for FC1) CVS Entry Line Heap Overflow Lets Remote Users Execute Arbitrary Code
Fedora has released a fix for FC1.
May 20 2004 (Fedora Issues Fix for FC2) CVS Entry Line Heap Overflow Lets Remote Users Execute Arbitrary Code
Fedora has released a fix for FC2.
May 20 2004 (Slackware Issues Fix) CVS Entry Line Heap Overflow Lets Remote Users Execute Arbitrary Code
Slackware has released a fix.
May 20 2004 (Gentoo Issues Fix) CVS Entry Line Heap Overflow Lets Remote Users Execute Arbitrary Code
Gentoo has released a fix.
May 21 2004 (OpenBSD Issues Fix) CVS Entry Line Heap Overflow Lets Remote Users Execute Arbitrary Code
OpenBSD has released a fix.
Jun 3 2004 (NetBSD Issues Fix) CVS Entry Line Heap Overflow Lets Remote Users Execute Arbitrary Code
The vendor has released a fix.



 Source Message Contents

Subject:  http://security.e-matters.de/advisories/072004.html


http://security.e-matters.de/advisories/072004.html

                            e-matters GmbH
                           www.e-matters.de

                       -= Security  Advisory =-



      Advisory: CVS remote vulnerability
  Release Date: 2004/05/19
Last Modified: 2004/05/19
        Author: Stefan Esser [s.esser@e-matters.de]

   Application: CVS feature release <= 1.12.7
                CVS stable release  <= 1.11.15
      Severity: A vulnerability within CVS allows remote compromise of
                CVS servers.
          Risk: Critical
Vendor Status: Vendor is releasing a bugfixed version.
     Reference: http://security.e-matters.de/advisories/072004.html


Overview:

    Concurrent Versions System (CVS) is the dominant open-source version
    control software that allows developers to access the latest code using
    a network connection.

    Stable CVS releases up to 1.11.15 and CVS feature releases up to 1.12.7
    both contain a flaw when deciding if a CVS entry line should get a
    modified or unchanged flag attached. This results in a heap overflow
    which can be exploited to execute arbitrary code on the CVS server.
    This could allow a repository compromise.


Details:

    While auditing the CVS source a flaw within the handling of modified
    and unchanged flag insertion into entry lines was discovered.

    When the client sends an entry line to the server an additional byte
    is allocated to have enough space for later flagging the entry as
    modified or unchanged. In both cases the check if such a flag is
    already attached is flawed. This allows to insert M or = chars into
    the middle of a user supplied string one by one for every call to
    one of these functions.

    It should be obvious that already the second call could possibly
    overflow the allocated buffer by shifting the part after the
    insertion point one char backward. If the alignment of the block
    is choosen wisely this is already exploitable by malloc() off-by-one
    exploitation techniques. However carefully crafted commands allow
    the functions to be called several times to overwrite even more
    bytes (although this is not really needed if you want to exploit
    this bug on f.e. glibc based systems).


Proof of Concept:

    e-matters is not going to release an exploit for this vulnerability to
    the public.


Disclosure Timeline:

    02. May 2004 - CVS developers and vendor-sec were notified by email
                   Derek Robert Price replied nearly immediately that the
		  issue is fixed
    03. May 2004 - Pre-notification process of important repositories
                   was started
    11. May 2004 - Sourceforge discovered that the patch breaks
                   compatibility with some pserver protocol violating
		  versions of WinCVS/TortoiseCVS
    12. May 2004 - Pre-notified repositories were warned about this
                   problem with a more compatible patch.
    19. May 2004 - Coordinated Public Disclosure


CVE Information:

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2004-0396 to this issue.


Recommendation:

    Recommended is an immediate update to the new version. Additionally you
    should consider running your CVS server chrooted over SSH instead of
    using the :pserver: method. You can find a tutorial how to setup such a
    server at

    http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt


GPG-Key:

    http://security.e-matters.de/gpg_key.asc

    pub  1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
    Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA  A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC