[VulnWatch] Advisory 01/2003: CVS remote vulnerability

From: Stefan Esser (s.esser@e-matters.de)
Date: 01/20/03

  • Next message: iDEFENSE Labs: "[VulnWatch] iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package"
    Date: Mon, 20 Jan 2003 22:25:23 +0100
    From: Stefan Esser <s.esser@e-matters.de>
    To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
    
    
    

                               e-matters GmbH
                              www.e-matters.de

                          -= Security Advisory =-

         Advisory: CVS remote vulnerability
     Release Date: 2003/01/20
    Last Modified: 2003/01/20
           Author: Stefan Esser [s.esser@e-matters.de]

      Application: CVS <= 1.11.4
         Severity: A vulnerability within CVS allows remote compromise of
                   CVS servers.
             Risk: Critical
    Vendor Status: Vendor has released a bugfixed version.
        Reference: http://security.e-matters.de/advisories/012003.html

    Overview:

       Concurrent Versions System (CVS) is the dominant open-source version
       control software that allows developers to access the latest code using
       a network connection. CVS version 1.11.4 and below contain a flaw that
       can be used by a remote attacker to execute arbitrary code on the server.
          
       You should also note, that the CVS client/server protocol includes two
       commands (Update-prog and Checkin-prog) that can be used by any CVS user
       with write access to the repository to execute arbitrary shell commands
       on the server. This is a questionable feature, because it is very badly
       documented, is unknown to most CVS administrators and cannot be turned
       off within the configuration files.
       
       
    Details:
       
       While auditing the CVS sourcetree I found a flaw within the handling of
       the Directory request within the server code. By sending a malformed
       directory name it is possible to trigger an error condition that will
       make the function return at a point where a global pointer variable is
       already freed and has not got a new value assigned yet. This will result
       in a classical double-free() when the next Directory request is handled.
       With the help of other CVS requests it is possible to either leak some
       information that could be used to determine the heap position or to
       execute arbitrary code on systems that are known to be vulnerable to
       this kind of bugs. This includes Linux, Solaris and most probably Windows
       systems.
       
       Additionally I was able to create proof of concept code that uses this
       vulnerability to execute arbitrary shell commands on BSD servers. I was
       able to achieve this because all allocated memory is aligned on BSD
       systems which makes it very easy to get newly allocated memory blocks
       into the same position of already freed blocks of the same slotsize.
       In combination with some CVS requests that work on lists of pointers,
       I was able to use this bug to free arbitrary memory addresses. With the
       help of the information leak capabilities of this vulnerability it is
       possible to guess the address of some strings that are needed for the
       read/write access checks. Combined this allowes to bypass the write
       access checks and to abuse the Update-prog/Checkin-prog requests to
       execute arbitrary commands on the server with an anonymous read-only
       account.
       
       The impact of this vulnerability depends highly on the configuration of
       the server. The CVS server is by default started via inetd with root
       privileges. If CVSROOT/passwd is left writeable to the CVS user this means
       a remote root compromise. You must also consider that chrooting the CVS
       daemon may protect the rest of your system against the intruder but will
       still leave the whole source tree vulnerable to the attacker.

       Summarized this means that this vulnerability is a threat to most open
       source projects because nearly all of them offer anonymous CVS access to
       the source tree. Even if the attacker is not able to extend his attack
       on the developer CVS server (if it is seperated at all) he could still
       backdoor everything other people download from the anonymous server.

    Proof of Concept:

       e-matters is not going to release an exploit for this vulnerability to
       the public.
       

    Disclosure Timeline:

       04. January 2003 - Vendor was notified via email. Unfourtunately the
                          person that I tried to contact was on vacation, so I
                          received no answer.
       12. January 2003 - The vulnerability was disclosed to the admins of several
                          big public CVS repositories and to some distributors.
       15. January 2003 - Vendor has committed the fix to the CVS CVS repository.
       16. January 2003 - Vendor-sec was notified that a new bugfixed CVS version
                          will be released on 20th January.
       20. January 2003 - Vendor has released a new version which fixes the double
                          free problem. You can download it at:
                          http://ccvs.cvshome.org/servlets/ProjectDownloadList

       
    CVE Information:

       The Common Vulnerabilities and Exposures project (cve.mitre.org) has
       assigned the name CAN-2003-0015 to this issue.

    Recommendation:

       My recommendation is to immediantly update to the new version. You may also
       consider applying my patch which adds the ability to turn off Update-prog
       and Checkin-prog within your configuration files. You can download it from
       
       http://security.e-matters.de/patches/cvs_disablexprog.diff
       
       You should also consider running your CVS server chrooted over SSH instead
       of using the :pserver: method. You can find a tutorial how to setup such a
       server at
       
       http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt
       
       
    GPG-Key:

       http://security.e-matters.de/gpg_key.asc
        
       pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
       Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6

    Copyright 2003 Stefan Esser. All rights reserved.

    -- 
    --------------------------------------------------------------------------
     Stefan Esser                                        s.esser@e-matters.de
     e-matters Security                         http://security.e-matters.de/
     GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 
     Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
    --------------------------------------------------------------------------
     Did I help you? Consider a gift:            http://wishlist.suspekt.org/
    --------------------------------------------------------------------------
    
    




    Relevant Pages