
092004.txt

Posted Jun 10, 2004
Authored by Stefan Esser | Site security.e-matters.de

A team audit of the CVS codebase has revealed more security related problems. The vulnerabilities discovered include exploitable, potentially exploitable and simple crash bugs. Vulnerable versions are CVS feature releases up to 1.12.8 and stable releases up to 1.11.16.

tags | advisory, vulnerability
advisories | CVE-2004-0414, CVE-2004-0416, CVE-2004-0417, CVE-2004-0418
SHA-256 | 155d8c19e5073cd3b1c60af1ba16f4d76266640aeb9a5c4f91e717dbed6b651a

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

e-matters GmbH
www.e-matters.de

-= Security Advisory =-



Advisory:      More CVS remote vulnerabilities
Release Date:  2004/06/09
Last Modified: 2004/06/09
Author:        Stefan Esser [s.esser@e-matters.de]

Application:   CVS feature release <= 1.12.8
               CVS stable release <= 1.11.16
Severity:      Vulnerabilities within CVS allow remote compromise of
               CVS servers.
Risk:          Critical
Vendor Status: Vendor has released bugfixed versions.
Reference:     http://security.e-matters.de/advisories/092004.html


Overview:

Concurrent Versions System (CVS) is the dominant open-source version
control software that allows developers to access the latest code using
a network connection.

A team audit of the CVS codebase has revealed more security related
problems. The vulnerabilities discovered include exploitable, potentially
exploitable and simple crash bugs.


Details:

During the analysis of the cvshome.org hack incident Derek Robert Price
discovered a null-termination issue in the patch for the previous
CVS security issue. This issue was not deeply analysed but it is
believed that it can only cause crashes.

At the same time Sebastian Krahmer from SuSE and I together started
a deeper audit of the CVS codebase. This process revealed several
problems, which are listed below. This includes those found by S. Krahmer.

[ error_prog_name "double-free()" - found by SE ]

The "Argumentx" command allows adding more data to a previously supplied
argument. This is done by reallocating the last stored argument.
Unfortunately "Argumentx" does not check whether there is any argument in
the argument list. If the list is empty, realloc() will be called on a
pointer that should not be touched at all, because it will be free()d
when the client disconnects. This "double-free()" bug has been exploited
successfully on several Linux systems.

[ wrapper.c format string issues - found by SE ]

The CVS wrapper file allows specifying format strings. These strings are
trusted by the CVS server without any sanity check. A malformed wrapper
line could crash the server or possibly execute arbitrary code. However,
an attacker needs CVSROOT commit access to trigger this, which is the
highest access level.
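The contrast below is an added illustration of the format-string class described above, written for this page; it is not CVS code and does not reproduce wrapper.c. The constructed sample wrapper entry, the function names (format_wrapper_message, wrapper_entry_looks_clean, render_sample_entry) and the idea of flagging a '%' in an option value at configuration-load time are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample wrapper entry; the "%x%x" in the option value stands in
 * for the conversion specifiers a malformed wrapper line could carry. */
static const char *SAMPLE_ENTRY = "*.bin -m 'COPY %x%x'";

/* Unsafe shape, shown only for contrast: the wrapper text itself becomes the
 * format argument, so its '%' directives are interpreted by the C library.
 *
 *     snprintf(out, cap, entry);          // entry is configuration-supplied
 */

/* Safe shape: the format string is a literal and the entry is passed as a
 * %s argument, so any '%' in the entry is copied through as plain text. */
static int format_wrapper_message(char *out, size_t cap, const char *entry) {
    return snprintf(out, cap, "wrapper: %s", entry);
}

/* Configuration-time check (assumed policy): a legitimate wrapper option
 * value has no reason to contain '%', so such entries are flagged for review
 * before the server ever uses them. */
static int wrapper_entry_looks_clean(const char *entry) {
    return strchr(entry, '%') == NULL;
}

/* Renders the constructed sample through the safe path into a static buffer
 * so the result can be inspected by a caller. */
static const char *render_sample_entry(void) {
    static char buf[128];
    format_wrapper_message(buf, sizeof buf, SAMPLE_ENTRY);
    return buf;
}

int main(void) {
    printf("%s\n", render_sample_entry());
    printf("entry clean: %d\n", wrapper_entry_looks_clean(SAMPLE_ENTRY));
    return 0;
}
```

The point of the safe shape is that the only format string the C library ever parses is the literal "wrapper: %s"; whatever the wrapper file contains is consumed as data by the %s conversion.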

[ serve_max_dotdot integer overflow - found by SE ]

An integer overflow within the "Max-dotdot" CVS protocol command allows
crashing the CVS server. While CVS server processes are usually forked,
a crash usually leaves data behind in the temporary file directory. This
means that on non-partitioned servers this bug could be used to fill the
hard disk to the brim.

[ serve_notify() out of bound writes - found by SK ]

serve_notify() does not properly handle empty data lines. If an empty
data line is supplied by an attacker, serve_notify() will access data
outside the allocated buffer. If a specific memory layout is met, this
can be abused to write a single byte outside the buffer. Depending on
the underlying memory allocation routines, this could be used to
execute arbitrary code on the target system. An exploit for this
problem is not yet finished.

[ getline == 0 bugs - found by SK ]

When reading some configuration files from CVSROOT, empty lines could
cause one-byte underflows. Because an attacker needs CVSROOT commit
access to trigger this bug, it was not analysed further. Additionally,
this bug should only cause problems on big-endian systems.
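Both the serve_notify() empty-data-line finding and the getline == 0 finding above are instances of the same class: code that assumes a line holds at least one character and then indexes or writes at len-1. The C below is an added example of that class and of the defensive shape, written for this page; it is not CVS source. The "<key> <value>" data-line format, the constructed inputs, and the function names (chomp_safe, parse_data_line, chomp_copy) are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unsafe shape, shown for contrast only: strips a trailing newline by
 * writing at index len-1. For an empty line len is 0 and the write lands
 * one byte before the buffer, which is the one-byte underflow.
 *
 *     size_t len = strlen(line);
 *     line[len - 1] = '\0';
 */

/* Safe shape: the buffer is touched only when there is a character to strip.
 * Returns the length of the line after stripping. */
static size_t chomp_safe(char *line) {
    size_t len = strlen(line);
    if (len > 0 && line[len - 1] == '\n') {
        line[--len] = '\0';
    }
    return len;
}

/* Result slots for the parser below, static so a caller can inspect them. */
static char parsed_key[32];
static const char *parsed_value;

/* Parses one constructed "<key> <value>" data line. Empty lines, lines with
 * no separator, and lines with an empty key are rejected up front instead of
 * being walked past their terminator. Returns 0 on success, -1 otherwise. */
static int parse_data_line(const char *line) {
    if (line == NULL || line[0] == '\0') return -1;
    const char *sep = strchr(line, ' ');
    if (sep == NULL || sep == line) return -1;
    size_t klen = (size_t)(sep - line);
    if (klen >= sizeof parsed_key) return -1;
    memcpy(parsed_key, line, klen);
    parsed_key[klen] = '\0';
    parsed_value = sep + 1;
    return 0;
}

/* Copies a constructed input into a writable static buffer and chomps it,
 * so the empty-line case can be exercised without a writable literal. */
static char scratch[64];
static size_t chomp_copy(const char *in) {
    size_t n = strlen(in);
    if (n >= sizeof scratch) n = sizeof scratch - 1;
    memcpy(scratch, in, n);
    scratch[n] = '\0';
    return chomp_safe(scratch);
}

int main(void) {
    printf("chomp(\"abc\\n\") -> %zu bytes: \"%s\"\n", chomp_copy("abc\n"), scratch);
    printf("chomp(\"\") -> %zu bytes\n", chomp_copy(""));
    printf("parse(\"\") -> %d\n", parse_data_line(""));
    if (parse_data_line("edit /tmp/x") == 0)
        printf("key=%s value=%s\n", parsed_key, parsed_value);
    return 0;
}
```

The length check is what separates the two shapes; a parser that reads a configuration or protocol line should validate that the line is non-empty before any index arithmetic, and a code review of line-oriented parsers can look specifically for len-1 arithmetic with no preceding len > 0 test.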

[ Argument (and other) integer overflows - found by SK ]

With the new release a number of possible integer multiplication overflows
are fixed. Some of them are only triggerable with CVS commit access or
with huge amounts of data. In cases like the Argument command, the
overflow is not triggerable, because the requested allocation size will
exceed the free address space before the overflow can happen. This results
in realloc() returning a NULL pointer, which is then used as the base pointer
for subsequent array accesses. If an attacker is able to cause realloc()
to fail at the right moment, this may allow him to overwrite vital data
structures with pointers to his data.
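The three argument-handling findings above (the "Argumentx" double-free(), the "Max-dotdot" integer overflow, and the Argument integer overflow with its unchecked realloc() result) all come down to missing checks around growing a buffer. The C below is an added example, written for this page, of an argument list that carries those checks; it is not CVS source and does not model CVS's actual data structures. The arglist type, the function names, the initial capacity of 8, and the constructed inputs are assumptions; the convention that Argumentx appends a newline followed by the new text is taken from the CVS client/server protocol description.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of a server-side argument list; not CVS source. */
typedef struct {
    char **items;
    size_t count;
    size_t cap;
} arglist;

/* True when n * m would wrap around size_t. This check has to precede any
 * count-times-size allocation, a "Max-dotdot" style count included. */
static int size_mul_overflows(size_t n, size_t m) {
    return m != 0 && n > SIZE_MAX / m;
}

/* Grows the item array. Refuses instead of wrapping, and keeps the old block
 * when realloc() fails instead of continuing with a NULL base pointer. */
static int arglist_grow(arglist *a) {
    size_t newcap = a->cap ? a->cap * 2 : 8;
    if (newcap < a->cap || size_mul_overflows(newcap, sizeof(char *))) return -1;
    char **p = realloc(a->items, newcap * sizeof(char *));
    if (p == NULL) return -1;          /* a->items is still valid */
    a->items = p;
    a->cap = newcap;
    return 0;
}

/* "Argument": store a new argument. */
static int arglist_argument(arglist *a, const char *s) {
    if (a->count == a->cap && arglist_grow(a) != 0) return -1;
    size_t len = strlen(s);
    char *copy = malloc(len + 1);
    if (copy == NULL) return -1;
    memcpy(copy, s, len + 1);
    a->items[a->count++] = copy;
    return 0;
}

/* "Argumentx": append a newline and more text to the last stored argument.
 * The count check is the one the advisory describes as missing: with an
 * empty list there is no last argument, so the request is rejected rather
 * than reallocating a pointer that is also freed on disconnect. */
static int arglist_argumentx(arglist *a, const char *s) {
    if (a->count == 0) return -1;
    char *last = a->items[a->count - 1];
    size_t oldlen = strlen(last), addlen = strlen(s);
    if (addlen > SIZE_MAX - oldlen - 2) return -1;   /* room for '\n' + NUL */
    char *p = realloc(last, oldlen + addlen + 2);
    if (p == NULL) return -1;                        /* last is still valid */
    p[oldlen] = '\n';
    memcpy(p + oldlen + 1, s, addlen + 1);
    a->items[a->count - 1] = p;
    return 0;
}

/* Releases every argument exactly once; safe on a list that was never used. */
static void arglist_free(arglist *a) {
    for (size_t i = 0; i < a->count; i++) free(a->items[i]);
    free(a->items);
    a->items = NULL;
    a->count = a->cap = 0;
}

int main(void) {
    arglist a = {NULL, 0, 0};
    printf("Argumentx on empty list: %d\n", arglist_argumentx(&a, "x"));
    arglist_argument(&a, "-r");
    arglist_argumentx(&a, "HEAD");
    printf("stored argument: \"%s\"\n", a.items[0]);
    arglist_free(&a);
    return 0;
}
```

Two of the checks deserve a note. Rejecting a failed realloc() while leaving the old pointer in place is what prevents the NULL-base-pointer case the advisory describes; overwriting the stored pointer with the result of realloc() before testing it would lose the original block on failure. And because arglist_free() is the only place that releases items, a rejected Argumentx on an empty list cannot leave a pointer to be freed twice.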


Proof of Concept:

e-matters is not going to release an exploit for any of these
vulnerabilities to the public.


Disclosure Timeline:

20. May 2004  - Derek Robert Price informed vendor-sec and some
                individuals about the cvshome.org hack and that he
                found a bug that was introduced by the previous
                security update
21. May 2004  - Sebastian Krahmer and I reported to the same people
                that we had started on a team audit of CVS and already
                had discovered some bugs
27. May 2004  - A patch for the discovered vulnerabilities and
                a final report about the problems was delivered
                to those involved in the disclosure process
28. May 2004  - Pre-notification process started. The same parties
                were warned
09. June 2004 - Coordinated public disclosure


CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following names to the discussed vulnerabilities:

CAN-2004-0414 - no-null-termination of "Entry" lines

CAN-2004-0416 - error_prog_name "double-free()"

CAN-2004-0417 - Argument integer overflow

CAN-2004-0418 - serve_notify() out of bounds writes

Please note that only CAN-2004-0416 was discovered by e-matters. For
the other vulnerabilities within this advisory no additional names
were assigned.


Recommendation:

An immediate update to the new version is recommended. Additionally, you
should consider running your CVS server chrooted over SSH instead of
using the :pserver: method. A tutorial on how to set up such a server
can be found at

http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt


GPG-Key:

http://security.e-matters.de/gpg_key.asc

pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFAxyajb31XLTAExLwRAsGhAKCtWZ4LPmhWGL5LPwLw0rdLcRJK9QCgzwAa
g8QiBoU/d9w24xQdZp22CO0=
=pJWH
-----END PGP SIGNATURE-----