9623365 yesterday 22:20 -0100 /28 lines/ michael
Imported: yesterday 22:04 by the Slashdot importer
Recipient: Slashdot.org (-) news import <19442>
Recipient: Cracking experience exchange <15837>
Sent: today 01:08
Sent by Mats Forsén (GarnaX)
Subject: Remote Root Exploit in CVS
------------------------------------------------------------
Department: checking-out
Topic: Bug
Author: michael
Time: Tue Jan 21 21:20:33 2003 CEST
RenHoek writes "Security expert Stefan Esser from E-matters discovered
a bug in CVS version 1.11.4 and lower that can give malignant users
remote root access. The exploit was confirmed on BSD, but other OSes
like Linux, Solaris and Windows are vulnerable too. A security
advisory can be found here and there is also a patch available. CVS
version 1.11.5, which is fixed, can be downloaded as well."
--
* 1.11.5 http://ccvs.cvshome.org/servlets/ProjectDownloadList
* CVS http://ccvs.cvshome.org/servlets/ProjectHome
* security advisory http://security.e-matters.de/advisories/012003.html
* patch http://security.e-matters.de/patches/cvs_disablexprog.diff
* E-matters http://www.e-matters.de/
* RenHoek mailto:ren@NOSPAM.arak.cs.hro.nl
http://slashdot.org/article.pl?sid=03/01/21/1752251
(9623365) /michael/---------------------------------
Comment in text 9623457
88724 2003-01-23 01:08 /142 lines/ Stefan Esser <s.esser@e-matters.de>
Imported: 2003-01-23 01:08 by Brevbäraren
External recipient: full-disclosure@lists.netsys.com
External recipient: bugtraq@securityfocus.com
External recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <3167>
Subject: Advisory 01/2003: CVS remote vulnerability
------------------------------------------------------------
e-matters GmbH
www.e-matters.de
-= Security Advisory =-
Advisory: CVS remote vulnerability
Release Date: 2003/01/20
Last Modified: 2003/01/20
Author: Stefan Esser [s.esser@e-matters.de]
Application: CVS <= 1.11.4
Severity: A vulnerability within CVS allows remote compromise of CVS servers.
Risk: Critical
Vendor Status: Vendor has released a bugfixed version.
Reference: http://security.e-matters.de/advisories/012003.html
Overview:
Concurrent Versions System (CVS) is the dominant open-source
version control software that allows developers to access the
latest code using a network connection. CVS version 1.11.4 and
below contain a flaw that can be used by a remote attacker to
execute arbitrary code on the server.
You should also note that the CVS client/server protocol includes
two commands (Update-prog and Checkin-prog) that can be used by
any CVS user with write access to the repository to execute
arbitrary shell commands on the server. This is a questionable
feature, because it is very badly documented, is unknown to most
CVS administrators and cannot be turned off within the
configuration files.
Details:
While auditing the CVS source tree I found a flaw within the
handling of the Directory request within the server code. By
sending a malformed directory name it is possible to trigger an
error condition that will make the function return at a point
where a global pointer variable is already freed and has not got
a new value assigned yet. This will result in a classical
double-free() when the next Directory request is handled. With
the help of other CVS requests it is possible to either leak some
information that could be used to determine the heap position or
to execute arbitrary code on systems that are known to be
vulnerable to this kind of bug. This includes Linux, Solaris and
most probably Windows systems.
Additionally I was able to create proof of concept code that uses
this vulnerability to execute arbitrary shell commands on BSD
servers. I was able to achieve this because all allocated memory
is aligned on BSD systems which makes it very easy to get newly
allocated memory blocks into the same position of already freed
blocks of the same slot size. In combination with some CVS
requests that work on lists of pointers, I was able to use this
bug to free arbitrary memory addresses. With the help of the
information leak capabilities of this vulnerability it is
possible to guess the address of some strings that are needed for
the read/write access checks. Combined this allows to bypass the
write access checks and to abuse the Update-prog/Checkin-prog
requests to execute arbitrary commands on the server with an
anonymous read-only account.
The impact of this vulnerability depends highly on the
configuration of the server. The CVS server is by default started
via inetd with root privileges. If CVSROOT/passwd is left
writeable to the CVS user this means a remote root compromise. You
must also consider that chrooting the CVS daemon may protect the
rest of your system against the intruder but will still leave the
whole source tree vulnerable to the attacker.
Summarized this means that this vulnerability is a threat to most
open source projects because nearly all of them offer anonymous
CVS access to the source tree. Even if the attacker is not able to
extend his attack on the developer CVS server (if it is separated
at all) he could still backdoor everything other people download
from the anonymous server.
Proof of Concept:
e-matters is not going to release an exploit for this
vulnerability to the public.
Disclosure Timeline:
04. January 2003 - Vendor was notified via email. Unfortunately the person that I tried to contact was on vacation, so I received no answer.
12. January 2003 - The vulnerability was disclosed to the admins of several big public CVS repositories and to some distributors.
15. January 2003 - Vendor has committed the fix to the CVS CVS repository.
16. January 2003 - Vendor-sec was notified that a new bugfixed CVS version will be released on 20th January.
20. January 2003 - Vendor has released a new version which fixes the double free problem. You can download it at: http://ccvs.cvshome.org/servlets/ProjectDownloadList
CVE Information:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2003-0015 to this issue.
Recommendation:
My recommendation is to immediately update to the new version. You
may also consider applying my patch which adds the ability to turn
off Update-prog and Checkin-prog within your configuration
files. You can download it from
http://security.e-matters.de/patches/cvs_disablexprog.diff
You should also consider running your CVS server chrooted over SSH
instead of using the :pserver: method. You can find a tutorial on how
to set up such a server at
http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt
GPG-Key:
http://security.e-matters.de/gpg_key.asc
pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam Key
fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6
Copyright 2003 Stefan Esser. All rights reserved.
--
--------------------------------------------------------------------------
Stefan Esser s.esser@e-matters.de
e-matters Security http://security.e-matters.de/
GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69
Key fingerprint B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
Did I help you? Consider a gift: http://wishlist.suspekt.org/
--------------------------------------------------------------------------
(88724) /Stefan Esser <s.esser@e-matters.de>/(Rewrapped)
Attachment (application/pgp-signature) in text 88725
88725 2003-01-23 01:08 /9 lines/ Stefan Esser <s.esser@e-matters.de>
Imported: 2003-01-23 01:08 by Brevbäraren
External recipient: full-disclosure@lists.netsys.com
External recipient: bugtraq@securityfocus.com
External recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <3168>
Attachment (text/plain) to text 88724
Subject: Attachment to: Advisory 01/2003: CVS remote vulnerability
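The bug shape the Details section describes (a global pointer freed, then an early error return before it is reassigned, so the next Directory request frees it again), as an added illustration that is neither CVS's code nor e-matters' proof of concept. The global `current_dir`, the check `dir_name_ok` and both handlers are hypothetical stand-ins; a small free-tracker counts the second free instead of letting the real allocator corrupt its heap, so the vulnerable and fixed orderings can be compared side by side.

```c
#include <stdlib.h>
#include <string.h>
/* Tiny double-free detector: remembers freed blocks and refuses a second free. */
#define MAX_TRACKED 16
static void *freed[MAX_TRACKED];
static int nfreed, double_free_count;
static void tracked_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_free_count++; return; }
    if (nfreed < MAX_TRACKED) freed[nfreed++] = p;
    free(p);
}
static char *tracked_strdup(const char *s) {   /* forget addresses malloc reuses */
    char *p = malloc(strlen(s) + 1);
    if (p) strcpy(p, s);
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) freed[i] = freed[--nfreed];
    return p;
}
/* Hypothetical stand-ins: the server's current-directory global and its name
 * check; here a "malformed" name is empty or contains a newline. */
static char *current_dir;
static int dir_name_ok(const char *n) { return n[0] != '\0' && !strchr(n, '\n'); }
/* Vulnerable shape: old value freed before the name is checked, error path
 * returns without giving the global a new value. */
static int handle_directory_vuln(const char *name) {
    tracked_free(current_dir);
    if (!dir_name_ok(name)) return -1;   /* BUG: current_dir still points at freed memory */
    current_dir = tracked_strdup(name);
    return 0;
}
/* Fixed shape: validate first, and never leave a freed pointer behind. */
static int handle_directory_fixed(const char *name) {
    if (!dir_name_ok(name)) return -1;   /* nothing freed, global untouched */
    tracked_free(current_dir);
    current_dir = NULL;                  /* no window in which it dangles */
    current_dir = tracked_strdup(name);
    return 0;
}
/* Good request, malformed request, then another good request: returns how many
 * double frees the tracker intercepted for the given handler. */
static int run_sequence(int (*handler)(const char *)) {
    nfreed = double_free_count = 0;
    current_dir = NULL;
    handler("src");
    handler("");                         /* malformed: takes the error path */
    handler("src/lib");                  /* the next Directory request */
    tracked_free(current_dir);
    return double_free_count;
}
```

The vulnerable handler produces one intercepted double free for this sequence; the fixed handler produces none.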
------------------------------------------------------------
(88725) /Stefan Esser <s.esser@e-matters.de>/-------