SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   CVS
Vendors:   GNU [multiple authors]
CVS Has NULL Termination, Integer Overflow, and Double Free Bugs That Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010438
SecurityTracker URL:  http://securitytracker.com/id/1010438
CVE Reference:   CVE-2004-0414, CVE-2004-0416, CVE-2004-0417, CVE-2004-0418
Date:  Jun 9 2004
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): stable release 1.11.16 and prior versions; feature release 1.12.8 and prior versions
Description:   Several vulnerabilities were reported in CVS. A remote user can execute arbitrary code on the target system.

Stefan Esser of e-matters reported that an audit performed by e-matters and by Sebastian Krahmer from SuSE has uncovered several flaws.

The report also indicated that Derek Robert Price discovered a null-termination issue regarding "Entry" lines [CVE: CVE-2004-0414] that was introduced by a previous CVS security patch. A remote user can execute arbitrary code on the target system.

It is reported that the error_prog_name() function contains a double-free bug [CVE: CVE-2004-0416]. A remote user can invoke the 'Argumentx' command on an empty list to trigger the flaw and potentially execute arbitrary code.

It is also reported that the serve_notify() function does not properly process empty data lines [CVE: CVE-2004-0418]. A remote user can reportedly supply an empty data line to cause a buffer boundary error and possibly write a single byte outside of the buffer. Arbitrary code execution may be possible, the report said.

It is also reported that there are a variety of integer multiplication overflows [CVE: CVE-2004-0417].

Several other bugs were reported that can only be triggered by an authenticated user with CVSROOT commit access.

It is also reported that there is an integer overflow in serve_max_dotdot() that may allow a remote user to crash a forked CVS process. This may cause data to remain in the temporary file directory. On non-partitioned servers, a remote user may be able to consume all available disk space.

The vendor was reportedly notified on May 27, 2004.

The original advisory is available at:

http://security.e-matters.de/advisories/092004.txt

Impact:   A remote user can execute arbitrary code on the target system.

A remote user can cause CVS to crash.

Solution:   The vendor has issued a fix, available via CVS. Updated release versions were not available at the time of this entry, but should be available shortly at:

https://ccvs.cvshome.org/servlets/ProjectDocumentList

Vendor URL:  www.cvshome.org/
Cause:   Boundary error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 9 2004 (Red Hat Issues Fix for RH Enterprise Linux) CVS Has NULL Termination, Integer Overflow, and Double Free Bugs That Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 2.1 and 3.
Jun 9 2004 (SuSE Issues Fix) CVS Has NULL Termination, Integer Overflow, and Double Free Bugs That Let Remote Users Execute Arbitrary Code
SuSE has released a fix.
Jun 10 2004 (Mandrake Issues Fix) CVS Has NULL Termination, Integer Overflow, and Double Free Bugs That Let Remote Users Execute Arbitrary Code
Mandrake has released a fix.
Jun 10 2004 (OpenBSD Issues Fix) CVS Has NULL Termination, Integer Overflow, and Double Free Bugs That Let Remote Users Execute Arbitrary Code
OpenBSD has released a fix.
Jun 10 2004 (Slackware Issues Fix) CVS Has NULL Termination, Integer Overflow, and Double Free Bugs That Let Remote Users Execute Arbitrary Code
Slackware has released a fix.
Jun 10 2004 (Debian Issues Fix) CVS Has NULL Termination, Integer Overflow, and Double Free Bugs That Let Remote Users Execute Arbitrary Code
Debian has released a fix for CVS for CVE-2004-0414.
Jun 10 2004 (Gentoo Issues Fix) CVS Has NULL Termination, Integer Overflow, and Double Free Bugs That Let Remote Users Execute Arbitrary Code
Gentoo has released a fix.
Jun 17 2004 (Debian Issues Fix) CVS Has NULL Termination, Integer Overflow, and Double Free Bugs That Let Remote Users Execute Arbitrary Code
Debian has released a fix.
Sep 20 2004 (FreeBSD Issues Fix) CVS Has NULL Termination, Integer Overflow, and Double Free Bugs That Let Remote Users Execute Arbitrary Code
FreeBSD has released a fix.
Oct 7 2004 (Fedora Issues Fix for RH Linux) CVS Has NULL Termination, Integer Overflow, and Double Free Bugs That Let Remote Users Execute Arbitrary Code
Fedora has released a fix for Red Hat Linux 7.3 and 9.



 Source Message Contents

Subject:  http://security.e-matters.de/advisories/092004.txt


http://security.e-matters.de/advisories/092004.txt

                            e-matters GmbH
                           www.e-matters.de

                       -= Security  Advisory =-



      Advisory: More CVS remote vulnerabilities
  Release Date: 2004/06/09
Last Modified: 2004/06/09
        Author: Stefan Esser [s.esser@e-matters.de]

   Application: CVS feature release <= 1.12.8
                CVS stable release  <= 1.11.16
      Severity: Vulnerabilities within CVS allow remote compromise of
                CVS servers.
          Risk: Critical
Vendor Status: Vendor has released bugfixed versions.
     Reference: http://security.e-matters.de/advisories/092004.html


Overview:

    Concurrent Versions System (CVS) is the dominant open-source version
    control software that allows developers to access the latest code using
    a network connection.

    A team audit of the CVS codebase has revealed more security related
    problems. The vulnerabilities discovered include exploitable, potentially
    exploitable and simple crash bugs.


Details:

    During the analysis of the cvshome.org hack incident Derek Robert Price
    discovered a null-termination issue in the patch for the previous
    CVS security issue. This issue was not deeply analysed but it is
    believed that it can only cause crashes.

    At the same time Sebastian Krahmer from SuSE and I started together
    a deeper audit of the CVS codebase. This process revealed several
    problems which are listed below, including those found by S. Krahmer
    (marked SK) and those found by me (marked SE).

    [ error_prog_name "double-free()" - found by SE ]

    The "Argumentx" command allows a client to add more data to a previously
    supplied argument. This is done by reallocating the last stored argument.
    Unfortunately "Argumentx" does not check whether there is any argument in
    the argument list. If the list is empty, realloc() will be called on a
    pointer that should not get touched at all, because it will get free()d
    when the client disconnects. This "double-free()" bug has been exploited
    successfully on several Linux systems.

    [ wrapper.c format string issues - found by SE ]

    The CVS wrapper file allows format strings to be specified. These strings
    are trusted by the CVS server without any sanity check. A malformed wrapper
    line could crash the server or possibly execute arbitrary code. However,
    an attacker needs CVSROOT commit access to trigger this, which is the
    highest access level.

    [ serve_max_dotdot integer overflow - found by SE ]

    An integer overflow within the "Max-dotdot" CVS protocol command allows
    crashing the CVS server. Although CVS server processes are usually forked,
    a crash usually leaves data in the temporary file directory. This means
    that on non-partitioned servers this bug could be used to fill the
    hard disk to the brim.

    [ serve_notify() out of bound writes - found by SK ]

    serve_notify() does not properly handle empty data lines. If an empty
    data line is supplied by an attacker, serve_notify() will access data
    outside the allocated buffer. If a specific memory layout is met, this
    can be abused to write a single byte outside the buffer. Depending on
    the underlying memory allocation routines, this could be used to
    execute arbitrary code on the target system. An exploit for this
    problem is not yet finished.

    [ getline == 0 bugs - found by SK ]

    When reading some configuration files from CVSROOT, empty lines could
    cause one-byte underflows. Because an attacker needs CVSROOT commit
    access to trigger this bug, it was not analysed further. Additionally,
    this bug should only cause problems on big-endian systems.

    [ Argument (and other) integer overflows - found by SK ]

    With the new release a number of possible integer multiplication overflows
    are fixed. Some of them are only triggerable with CVS commit access or
    with huge amounts of data. In cases like the Argument command the
    overflow is not triggerable, because the requested allocation size will
    exceed the free address space before the overflow can happen. This results
    in realloc() returning a NULL pointer, which is then used as the base
    pointer for subsequent array accesses. If an attacker is able to cause
    realloc() to fail at the right moment, this may allow him to overwrite
    vital data structures with pointers to his data.
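    As an added example (written for this archive entry; it is neither CVS's
    own code nor part of the advisory), a constructed argument list showing
    the two server-side patterns discussed above: the Argumentx handler
    refuses an empty list so it never realloc()s a pointer it does not own,
    and the Argument growth path checks the size multiplication and the
    realloc() result before using the new vector. The names struct arglist,
    argument(), argumentx() and ARG_MAX are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of a CVS-style server argument list; not CVS's own code. */
struct arglist {
    char **vec;    /* one heap string per "Argument" line */
    size_t count;  /* arguments stored */
    size_t cap;    /* slots allocated in vec */
};
#define ARG_MAX 64 /* assumed per-connection limit on stored arguments */
/* Grow vec geometrically: refuse growth past ARG_MAX or past what size_t can
   represent, and keep the old vector when realloc() returns NULL. */
static int grow(struct arglist *a) {
    size_t ncap = a->cap ? a->cap * 2 : 8;
    if (ncap > ARG_MAX || ncap > SIZE_MAX / sizeof(char *)) return -1;
    char **nv = realloc(a->vec, ncap * sizeof(char *));
    if (nv == NULL) return -1;           /* a->vec is still valid and owned */
    a->vec = nv; a->cap = ncap;
    return 0;
}

/* "Argument": store one argument. Returns 0, or -1 on a protocol/resource error. */
int argument(struct arglist *a, const char *arg) {
    if (a->count == a->cap && grow(a) != 0) return -1;
    size_t len = strlen(arg) + 1;
    char *copy = malloc(len);
    if (copy == NULL) return -1;
    memcpy(copy, arg, len);
    a->vec[a->count++] = copy;
    return 0;
}

/* "Argumentx": append "\n" + arg to the last argument. The count check is the one
   missing in CVE-2004-0416: without it an empty list makes the code realloc()
   a pointer it does not own, which is free()d again when the client disconnects. */
int argumentx(struct arglist *a, const char *arg) {
    if (a->count == 0) return -1;
    char *last = a->vec[a->count - 1];
    size_t oldlen = strlen(last), addlen = strlen(arg);
    if (addlen > SIZE_MAX - oldlen - 2) return -1;   /* length-sum overflow guard */
    char *p = realloc(last, oldlen + 1 + addlen + 1);
    if (p == NULL) return -1;            /* last remains owned by a->vec */
    p[oldlen] = '\n';
    memcpy(p + oldlen + 1, arg, addlen + 1);
    a->vec[a->count - 1] = p;
    return 0;
}
void arglist_free(struct arglist *a) {
    for (size_t i = 0; i < a->count; i++) free(a->vec[i]);
    free(a->vec); a->vec = NULL; a->count = a->cap = 0;
}
```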


Proof of Concept:

    e-matters is not going to release an exploit for any of these
    vulnerabilities to the public.


Disclosure Timeline:

    20. May 2004  - Derek Robert Price informed vendor-sec and some
                    individuals about the cvshome.org hack and that he
                    found a bug that was introduced by the previous
                    security update
    21. May 2004  - Sebastian Krahmer and I reported to the same people,
                    that we had started on a team audit of CVS and already
                    had discovered some bugs
    27. May 2004  - A patch for the discovered vulnerabilities and
                    a final report about the problems was delivered
                    to those involved in the disclosure process
    28. May 2004  - Pre notification process started. The same parties
                    were warned
    09. June 2004 - Coordinated Public Disclosure


CVE Information:

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the following names to the discussed vulnerabilities

         CAN-2004-0414 - no-null-termination of "Entry" lines

         CAN-2004-0416 - error_prog_name "double-free()"

         CAN-2004-0417 - Argument integer overflow

         CAN-2004-0418 - serve_notify() out of bounds writes

    Please note that only CAN-2004-0416 was discovered by e-matters. For
    the other vulnerabilities within this advisory no additional names
    were assigned.


Recommendation:

    An immediate update to the new version is recommended. Additionally you
    should consider running your CVS server chrooted over SSH instead of
    using the :pserver: method. You can find a tutorial on how to set up such
    a server at

    http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt


GPG-Key:

    http://security.e-matters.de/gpg_key.asc

    pub  1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
    Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA  A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.



Copyright 2021, SecurityGlobal.net LLC