[UNIX] CVS Remote Vulnerability
From: support@securiteam.com
Date: 01/21/03
From: support@securiteam.com To: list@securiteam.com Date: 21 Jan 2003 19:15:53 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
CVS Remote Vulnerability
------------------------------------------------------------------------
SUMMARY
Concurrent Versions System (CVS) is the dominant open-source version
control software that allows developers to access the latest code using a
network connection. CVS version 1.11.4 and below contain a flaw that can
be used by a remote attacker to execute arbitrary code on the server.
You should also note that the CVS client/server protocol includes two
commands (Update-prog and Checkin-prog) that can be used by any CVS user
with write access to the repository to execute arbitrary shell commands on
the server. This is a questionable feature, because it is very badly
documented, is unknown to most CVS administrators and cannot be turned off
within the configuration files.
DETAILS
While auditing the CVS source tree Stefan Esser found a flaw within the
handling of the Directory request within the server code. By sending a
malformed directory name it is possible to trigger an error condition that
will make the function return at a point where a global pointer variable
is already freed and has not got a new value assigned yet. This will
result in a classical double-free() when the next Directory request is
handled. With the help of other CVS requests it is possible to either leak
some information that could be used to determine the heap position or to
execute arbitrary code on systems that are known to be vulnerable to this
kind of bug. This includes Linux, Solaris and most probably Windows
systems.
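As an added illustration of the pattern described above (this is a hypothetical model written for this page, not code from the advisory or from CVS itself): a handler that frees a global pointer before validating its input, next to the hardened form, with an instrumented free that counts repeated frees so the request sequence can be replayed without corrupting a real heap. The validation rule and all function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a "Directory" request handler (not CVS's code).
   tracked_free() records a repeated free instead of corrupting the heap and
   keeps memory alive so addresses are never reused and the log stays exact. */
#define LOG_MAX 16
static void *freed_log[LOG_MAX];
static int freed_n = 0;
int double_free_count = 0;
static char *dir_name = NULL;   /* the global pointer the advisory refers to */

static void tracked_free(void *p) {
    for (int i = 0; i < freed_n; i++)
        if (freed_log[i] == p) { double_free_count++; return; } /* real heap: UB */
    if (freed_n < LOG_MAX) freed_log[freed_n++] = p;
}

/* Assumed validation rule (not CVS's): reject empty, absolute, "..", trailing '/' */
static int valid_dir(const char *dir) {
    size_t n = strlen(dir);
    return n > 0 && dir[0] != '/' && dir[n - 1] != '/' && strstr(dir, "..") == NULL;
}

/* BUGGY: the old value is freed before the name is checked; the error path
   returns early with the freed address still stored in dir_name, so the
   next Directory request frees it a second time. */
int dirswitch_buggy(const char *dir) {
    if (dir_name != NULL) tracked_free(dir_name);
    if (!valid_dir(dir)) return -1;             /* dir_name now dangles */
    dir_name = strdup(dir);
    return 0;
}

/* FIXED: validate before releasing anything, and clear the global as soon as
   it is freed, so no code path can observe a dangling value. */
int dirswitch_fixed(const char *dir) {
    if (!valid_dir(dir)) return -1;             /* state untouched on error */
    if (dir_name != NULL) { tracked_free(dir_name); dir_name = NULL; }
    dir_name = strdup(dir);
    return 0;
}

/* Replays a good name, a malformed one, then another request; returns double frees seen. */
int replay(int (*handler)(const char *)) {
    double_free_count = 0; freed_n = 0; dir_name = NULL;
    handler("src");
    handler("src/bad/");    /* malformed: takes the error path */
    handler("src");         /* the request that triggers the second free */
    return double_free_count;
}
```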
Additionally Stefan Esser was able to create proof of concept code that
uses this vulnerability to execute arbitrary shell commands on BSD
servers. Stefan Esser was able to achieve this because all allocated
memory is aligned on BSD systems, which makes it very easy to get newly
allocated memory blocks into the same position as already freed blocks of
the same slot size. In combination with some CVS requests that work on
lists of pointers, Stefan Esser was able to use this bug to free arbitrary
memory addresses. With the help of the information leak capabilities of
this vulnerability it is possible to guess the address of some strings
that are needed for the read/write access checks. Combined, this allows an
attacker to bypass the write access checks and to abuse the
Update-prog/Checkin-prog requests to execute arbitrary commands on the
server from an anonymous read-only account.
Impact:
The impact of this vulnerability depends highly on the configuration of
the server. The CVS server is by default started via inetd with root
privileges. If CVSROOT/passwd is left writable to the CVS user this means
a remote root compromise. You must also consider that chrooting the CVS
daemon may protect the rest of your system against the intruder but will
still leave the whole source tree vulnerable to the attacker.
In summary, this means that this vulnerability is a threat to most open
source projects because nearly all of them offer anonymous CVS access to
the source tree. Even if the attacker is not able to extend the attack to
the developer CVS server (if it is separated at all), he could still
backdoor everything other people download from the anonymous server.
Disclosure Timeline:
04. January 2003 - Vendor was notified via email. Unfortunately, the person
Stefan Esser tried to contact was on vacation, so he received no answer.
12. January 2003 - The vulnerability was disclosed to the admins of
several big public CVS repositories and to some distributors.
15. January 2003 - Vendor has committed the fix to the CVS CVS repository.
16. January 2003 - Vendor-sec was notified that a new bugfixed CVS version
would be released on 20 January.
20. January 2003 - Vendor has released a new version which fixes the
double free problem. You can download it at:
http://ccvs.cvshome.org/servlets/ProjectDownloadList
Recommendation:
Stefan Esser's recommendation is to immediately update to the new version.
You may also consider applying his patch, which adds the ability to turn off
Update-prog and Checkin-prog within your configuration files. You can
download it from
http://security.e-matters.de/patches/cvs_disablexprog.diff
You should also consider running your CVS server chrooted over SSH instead
of using the :pserver: method. You can find a tutorial on how to set up
such a server at
http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt
ADDITIONAL INFORMATION
The information has been provided by Stefan Esser <s.esser@e-matters.de>.