[UNIX] Local Off By One Overflow in CVSd

From: support@securiteam.com
Date: 05/26/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 26 May 2002 08:43:48 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Local Off By One Overflow in CVSd
------------------------------------------------------------------------

SUMMARY

 <http://ch.twi.tudelft.nl/~arthur/cvsd/> CVSd is a wrapper program for
cvs in pserver mode. It will run 'cvs pserver' under a special uid/gid in
a chroot jail. A security vulnerability in the product allows attackers to
exploit an off-by-one overflow causing the program to execute arbitrary
code.

DETAILS

Vulnerable systems:
 * CVSd version 0.9.7 and prior

Immune systems:
 * CVSd version 0.9.8

The scanf family of functions (scanf, sscanf, fscanf) is generally
insecure to use, and steps have been taken to make them safer, such as
bounding the store with a field width (sscanf(hey, "%4096s %d", buffer, &i)).
Even so, these functions remain relatively insecure through lesser-known
bugs like an off-by-one.

Wrong:
    char buf[10];
    sscanf(hey, "%10s", buf);  /* width 10 stores chars [0..9] plus a NUL at buf[10]: 11 bytes, too big */

Right:
    char buf[10];
    sscanf(hey, "%9s", buf);   /* width 9 stores chars [0..8] plus a NUL at buf[9]: 10 bytes, fits */

(Note that scanf takes a field width such as "%9s"; it has no "." precision
as printf does.)

Therefore, in the first example the last byte written into "buf" (the
terminating NUL) lands one byte past the allocated space (10 bytes). (For a
very good article on off-by-one vulnerabilities see:
<http://www.hert.org/papers/klog-1.html>)

Technical Details:
In cvs-1.11/src/rcs.c:

    info = findnode (vers->other_delta, "special");
    if (info != NULL)
    {
        /* If the size of `devtype' changes, fix the sscanf call also */
        char devtype[16];                           /* <-- SIXTEEN BYTES */

        if (sscanf (info->data, "%16s %lu",         /* <-- WOOPS, SHOULD BE 15 */
                    devtype, &devnum_long) < 2)
            error (1, 0, "%s:%s has bad `special' newphrase %s",
                   workfile, vers->version, info->data);
        devnum = devnum_long;
        if (STREQ (devtype, "character"))
            special_file = S_IFCHR;
        else if (STREQ (devtype, "block"))
            special_file = S_IFBLK;
        else
            error (0, 0, "%s is a special file of unsupported type `%s'",
                   workfile, info->data);
    }
    }   /* closes the enclosing block, which is not shown in this excerpt */

This hole is only locally exploitable, since the data is read from
info->data, which in turn comes from a symlinked local file.
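Added example (not code from the advisory or from CVS) that probes the two formats from the scanf discussion above against the rcs.c devtype[16] case: it parses a constructed `special' newphrase into a 16-byte devtype area followed by one sentinel byte and reports whether the store ran past byte 16. The newphrase strings, the sentinel value and the parse_special helper are constructed for this demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Size of the devtype buffer in cvs-1.11/src/rcs.c (char devtype[16]). */
#define DEVTYPE_SIZE 16

/* Vulnerable: width 16 lets sscanf store 16 chars plus the NUL (17 bytes)
 * into a 16-byte devtype. Fixed: width 15 caps the store at 16 bytes.
 * Both are scanf field widths; scanf has no "." precision. */
#define FMT_VULNERABLE "%16s %lu"
#define FMT_FIXED      "%15s %lu"

/* Outcome of parsing one `special' newphrase ("<devtype> <devnum>"). */
struct special {
    int matched;           /* conversions sscanf matched; 2 means accepted */
    unsigned long devnum;
    int overran;           /* 1 if the store went past DEVTYPE_SIZE bytes */
};

/* Parse `data' with `fmt' into a 16-byte devtype area. The buffer is one
 * byte larger than devtype so the probe stays well-defined C: that extra
 * byte is a sentinel which must survive; on the real stack frame it is
 * whatever the compiler placed right after devtype. */
struct special parse_special(const char *fmt, const char *data)
{
    struct special r = { 0, 0, 0 };
    char buf[DEVTYPE_SIZE + 1];
    memset(buf, 0, sizeof buf);
    buf[DEVTYPE_SIZE] = (char)0xA5;                     /* sentinel */
    r.matched = sscanf(data, fmt, buf, &r.devnum);
    r.overran = (buf[DEVTYPE_SIZE] != (char)0xA5);
    return r;
}

int main(void)
{
    /* Constructed newphrases: a normal one, and one whose devtype token is
     * exactly 16 characters, the length that overflows devtype[16]. */
    const char *normal = "character 1234";
    const char *oversized = "ABCDEFGHIJKLMNOP 42";
    struct special v = parse_special(FMT_VULNERABLE, oversized);
    struct special f = parse_special(FMT_FIXED, oversized);
    struct special n = parse_special(FMT_FIXED, normal);

    printf("%%16s oversized: matched=%d overran=%d\n", v.matched, v.overran);
    printf("%%15s oversized: matched=%d overran=%d\n", f.matched, f.overran);
    printf("%%15s normal:    matched=%d devnum=%lu\n", n.matched, n.devnum);
    return 0;
}
```

With "%16s" the oversized token is accepted and the sentinel is clobbered; with "%15s" the store stays in bounds and the leftover character makes the "%lu" conversion fail, so the newphrase is rejected by the existing "< 2" check.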

Solution:
Apply the following patch, or download the complete package of the program
from the web:

##########################
#DER PATCH FOR CVS < 1.11#
##########################

--- rcs_old.c Mon Jan 25 02:05:16 2002
+++ rcs.c Mon Jan 25 02:05:40 2002

--- 4238: if (sscanf (info->data, "%16s %lu",
+++ 4238: if (sscanf (info->data, "%.15s %lu",
devtype, &devnum_long) < 2)
error (1, 0, "%s:%s has bad `special' newphrase %s",
workfile, vers->version, info->data);
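Review bot: the replacement format "%.15s %lu" on the +++ 4238 line is not valid scanf syntax; a scanf conversion allows an optional `*`, a field width and a length modifier but no "." precision (that belongs to printf), so the conversion is treated as invalid, sscanf returns fewer than 2 matches, and every `special' newphrase, well-formed ones included, is sent down the `error (1, 0, ...)` path. The bounded form is the field width "%15s %lu", which stores at most 15 characters plus the NUL into devtype[16]. The "--- 4238:"/"+++ 4238:" line-prefixed layout also cannot be fed to patch(1); a unified diff (`diff -u rcs_old.c rcs.c`) would let readers apply it directly.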


ADDITIONAL INFORMATION

The information has been provided by <mailto:davidreign@hotmail.com>
david evlis reign.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.