072004.txt
Posted May 19, 2004
Authored by Stefan Esser | Site security.e-matters.de

Stable CVS releases up to 1.11.15 and CVS feature releases up to 1.12.7 both contain a flaw when deciding if a CVS entry line should get a modified or unchanged flag attached. This results in a heap overflow which can be exploited to execute arbitrary code on the CVS server. This could allow a repository compromise.

tags | advisory, overflow, arbitrary
advisories | CVE-2004-0396
SHA-256 | 00c2f250dd0b9f331e85b739415381b86f0e2189bb6869f8fc74364b3f7c03d1

e-matters GmbH
www.e-matters.de

-= Security Advisory =-



Advisory: CVS remote vulnerability
Release Date: 2004/05/19
Last Modified: 2004/05/19
Author: Stefan Esser [s.esser@e-matters.de]

Application: CVS feature release <= 1.12.7
             CVS stable release <= 1.11.15
Severity: A vulnerability within CVS allows remote compromise of
          CVS servers.
Risk: Critical
Vendor Status: Vendor is releasing a bugfixed version.
Reference: http://security.e-matters.de/advisories/072004.html


Overview:

Concurrent Versions System (CVS) is the dominant open-source version
control software that allows developers to access the latest code using
a network connection.

Stable CVS releases up to 1.11.15 and CVS feature releases up to 1.12.7
both contain a flaw when deciding if a CVS entry line should get a
modified or unchanged flag attached. This results in a heap overflow
which can be exploited to execute arbitrary code on the CVS server.
This could allow a repository compromise.


Details:

While auditing the CVS source, a flaw was discovered in the way the
server inserts the modified and unchanged flags into entry lines.

When the client sends an entry line to the server, one additional byte
is allocated so that there is room to later flag the entry as modified
or unchanged. In both cases the check for whether such a flag is
already attached is flawed. This allows an M or = character to be
inserted into the middle of a user-supplied string, one per call to
either of these functions.

Already the second call can overflow the allocated buffer, because each
insertion shifts the part of the string after the insertion point one
character towards the end. If the alignment of the block is chosen
wisely, this is already exploitable with malloc() off-by-one
exploitation techniques. Carefully crafted commands, however, allow the
functions to be called several times to overwrite even more bytes
(although this is not really needed to exploit the bug on e.g.
glibc-based systems).
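A small model of the flaw class described above, added here as an illustration; it is not CVS's own code, and the entry-line layout, the field names and both checks are assumptions made for the model. It keeps the allocation's single spare byte, reports rather than performs the write that would run past the block, and puts the flawed presence check beside a hardened one that can only ever consume the spare byte once.

```c
#include <stdlib.h>
#include <string.h>

/* Model of the flaw class in this advisory (an added illustration, not CVS's own code).
 * An entry line is "/name/version/timefield/options/tag"; the server keeps the client's
 * line in a heap block with exactly ONE spare byte for a single 'M' or '=' flag. */

/* Start of the third field (the timefield), or NULL if the line is malformed. */
static char *timefield_of(char *line)
{
    char *p = (*line == '/') ? strchr(line + 1, '/') : NULL;  /* end of name */
    if (p) p = strchr(p + 1, '/');                           /* end of version */
    return p ? p + 1 : NULL;
}

/* Put FLAG in front of the timefield, shifting the rest (NUL included) one byte
 * down.  Never writes past the block: 1 = inserted, 0 = check declined, -1 = overflow. */
static int insert_flag(char *buf, size_t cap, char flag, int hardened)
{
    char *tf = timefield_of(buf);
    size_t len = strlen(buf);
    if (!tf) return 0;
    if (hardened) {
        /* Insert only while the timefield is still empty: the only state in which
         * the single spare byte is known to be unused. */
        if (*tf != '/') return 0;
    } else if (*tf == flag) {
        /* Flawed check: asks only whether THIS flag is already in front, so the other
         * flag, or a client-supplied timefield that already holds data, gets through. */
        return 0;
    }
    if (len + 2 > cap) return -1;            /* len+1 chars plus NUL would not fit */
    memmove(tf + 1, tf, len - (size_t)(tf - buf) + 1);
    *tf = flag;
    return 1;
}

/* Apply FLAGS in order to a fresh copy of LINE.  Returns how many were inserted,
 * or -1 as soon as one of them would have run past the allocation. */
int apply_flags(const char *line, const char *flags, int hardened)
{
    size_t cap = strlen(line) + 2;           /* +1 NUL, +1 spare byte for one flag */
    char *buf = malloc(cap);
    int inserted = 0, rc = 0;
    strcpy(buf, line);
    for (; *flags && rc >= 0; flags++)
        if ((rc = insert_flag(buf, cap, *flags, hardened)) == 1) inserted++;
    free(buf);
    return rc < 0 ? -1 : inserted;
}
```

With the flawed check, an entry with an empty timefield accepts 'M' and then '=' and the second insertion is exactly the one-byte heap overflow the advisory describes; the hardened check declines the second call.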


Proof of Concept:

e-matters is not going to release an exploit for this vulnerability to
the public.


Disclosure Timeline:

02. May 2004 - CVS developers and vendor-sec were notified by email.
               Derek Robert Price replied nearly immediately that the
               issue is fixed.
03. May 2004 - Pre-notification process of important repositories
               was started.
11. May 2004 - Sourceforge discovered that the patch breaks
               compatibility with some pserver-protocol-violating
               versions of WinCVS/TortoiseCVS.
12. May 2004 - Pre-notified repositories were warned about this
               problem with a more compatible patch.
19. May 2004 - Coordinated Public Disclosure.


CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0396 to this issue.


Recommendation:

An immediate update to the new version is recommended. Additionally,
you should consider running your CVS server chrooted over SSH instead
of using the :pserver: method. A tutorial on how to set up such a
server can be found at

http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt


GPG-Key:

http://security.e-matters.de/gpg_key.asc

pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.
