Concurrent Versions System (CVS) is the dominant open-source version control software; it lets developers fetch and commit the latest code over a network connection.
A code audit of the CVS code base turned up several new vulnerabilities, ranging from reliably exploitable bugs through potentially exploitable ones to plain crashes.
Credit:
The information has been provided by Stefan Esser.
The original article can be found at: http://security.e-matters.de/advisories/092004.html
Vulnerable Systems:
* CVS feature release version 1.12.8 and prior
* CVS stable release version 1.11.16 and prior
Immune Systems:
* CVS feature release version 1.12.9
* CVS stable release version 1.11.17
CVE Information:
CAN-2004-0414
CAN-2004-0416
CAN-2004-0417
CAN-2004-0418
Please note that only CAN-2004-0416 was discovered by e-matters. No additional names were assigned for the other vulnerabilities in this advisory.
error_prog_name "double-free()" vulnerability
The "Argumentx" command lets a client append more data to a previously supplied argument. The server does this by reallocating the last stored argument, but "Argumentx" does not check whether the argument list contains anything at all. If the list is empty, realloc() is called on the error_prog_name pointer, which must not be touched because it is freed when the client disconnects. This "double-free()" bug has been exploited successfully on several Linux systems.
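The aliasing behind this bug, as an added example written for this page rather than code taken from the CVS server: slot 0 of the argument vector is assumed to hold the program-name pointer (error_prog_name), so when no Argument has been stored, Argumentx hands that pointer to realloc(). The small ownership ledger (`ledger_*`) is an assumption of this example that stands in for the raw allocator, so the second free is reported as a rejected free plus a leaked block instead of corrupting the heap; `serve_argumentx_fixed` adds the missing count check.

```c
/* Added example for this page, not CVS source: a model of the "Argumentx"
 * double free. Slot 0 of the argument vector aliases the separately owned
 * program name (error_prog_name). Extending "the last argument" when no
 * Argument was ever sent hands that pointer to realloc(); on disconnect the
 * original pointer is freed again. A small ownership ledger replaces the raw
 * allocator so the misuse is reported instead of corrupting the heap. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 8
#define MAX_LIVE 32
static void *live[MAX_LIVE];             /* blocks the session currently owns */

static int ledger_add(void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return 0; }
    return -1;
}
/* Fails when p is not live: a double free or a pointer we never owned. */
static int ledger_drop(void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; return 0; }
    return -1;
}
static char *ledger_strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p != NULL) { strcpy(p, s); ledger_add(p); }
    return p;
}
/* Always moves the block, so any other alias of the old pointer dangles. */
static char *ledger_realloc(char *p, size_t n) {
    if (ledger_drop(p) != 0) return NULL;
    char *q = malloc(n);
    if (q == NULL) return NULL;
    strcpy(q, p);
    free(p);
    ledger_add(q);
    return q;
}
static int ledger_free(void *p) {
    if (ledger_drop(p) != 0) return -1;  /* rejected rather than freed twice */
    free(p);
    return 0;
}
/* Frees whatever is still live (leaks); returns how many blocks that was. */
static int ledger_sweep(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] != NULL) { free(live[i]); live[i] = NULL; n++; }
    return n;
}

struct session {
    char *prog_name;          /* error_prog_name, owned by the session */
    char *argv[MAX_ARGS];     /* argv[0] aliases prog_name, so argc starts at 1 */
    int argc;
};

static void session_open(struct session *s, const char *prog) {
    memset(s, 0, sizeof *s);
    s->prog_name = s->argv[0] = ledger_strdup(prog);
    s->argc = 1;
}
/* "Argument": store a fresh argument. */
static int serve_argument(struct session *s, const char *arg) {
    if (s->argc >= MAX_ARGS) return -1;
    s->argv[s->argc++] = ledger_strdup(arg);
    return 0;
}
/* Grow the last stored argument and append "\n" + arg. */
static int append_to_last(struct session *s, const char *arg) {
    char *p = s->argv[s->argc - 1];
    char *q = ledger_realloc(p, strlen(p) + strlen(arg) + 2);
    if (q == NULL) return -1;
    strcat(q, "\n");
    strcat(q, arg);
    s->argv[s->argc - 1] = q;
    return 0;
}
/* Pre-fix "Argumentx": with argc == 1 this reallocates argv[0] == prog_name. */
static int serve_argumentx_vuln(struct session *s, const char *arg) {
    return append_to_last(s, arg);
}
/* Post-fix "Argumentx": refuse when only the program-name slot exists. */
static int serve_argumentx_fixed(struct session *s, const char *arg) {
    if (s->argc <= 1) return -1;   /* E Protocol error: Argumentx without Argument */
    return append_to_last(s, arg);
}
/* Disconnect: free the arguments, then prog_name. Returns how many frees the
 * ledger rejected; 1 means prog_name had already been released by realloc(). */
static int session_close(struct session *s) {
    int rejected = 0;
    for (int i = 1; i < s->argc; i++)
        rejected += ledger_free(s->argv[i]) != 0;
    rejected += ledger_free(s->prog_name) != 0;
    return rejected;
}
/* Replay one session through a given Argumentx handler and report
 * rejected_frees * 10 + leaked_blocks; 0 means the heap stayed consistent. */
static int replay(int (*argumentx)(struct session *, const char *), int send_argument) {
    struct session s;
    session_open(&s, "cvs server");
    if (send_argument) serve_argument(&s, "-r");
    argumentx(&s, "1.2");
    int rejected = session_close(&s);
    return rejected * 10 + ledger_sweep();
}

int main(void) {
    printf("vulnerable, no Argument: %d\n", replay(serve_argumentx_vuln, 0));
    printf("fixed, no Argument:      %d\n", replay(serve_argumentx_fixed, 0));
    printf("fixed, after Argument:   %d\n", replay(serve_argumentx_fixed, 1));
    return 0;
}
```

The vulnerable replay reports one rejected free (prog_name was already released by the realloc) and one leaked block (the reallocated slot 0 that nothing frees); every other combination reports 0.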
Format string issues in wrapper.c
The CVS wrapper file lets entries specify format strings, and the CVS server uses them without any sanity check. A malformed wrapper line can crash the server or possibly execute arbitrary code. An attacker needs CVSROOT commit access to trigger this, however, which is the highest access level.
Integer overflow in serve_max_dotdot protocol handling
An integer overflow in the handling of the "Max-dotdot" CVS protocol command lets a client crash the CVS server. Each connection is served by a forked process, so the crash only takes down that connection, but it usually leaves data behind in the temporary file directory. On a server where that directory is not on its own partition, repeated crashes can therefore fill the hard disk completely.
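The arithmetic behind a wrapped allocation size, as an added example written for this page and not the CVS code: the buffer for a temporary path with one directory level per requested unit is sized once with int arithmetic, where 2 * lim wraps for large lim, and once with a bounded size_t computation. The `/d` suffix, the 10-byte slack, the `/tmp/cvs-serv1234` sample path and the cap of 10000 levels are assumptions of this example.

```c
/* Added example for this page, not CVS source: the allocation-size arithmetic
 * behind a Max-dotdot style overflow. The server sizes a buffer for its
 * temporary directory plus one "/d" per requested level. Done in int, 2 * lim
 * wraps once lim exceeds INT_MAX / 2, so the buffer is tiny while the append
 * loop still writes lim copies of "/d". The "/d" suffix, the 10-byte slack
 * and the cap of 10000 levels are modelling assumptions. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DOTDOT_CAP 10000          /* assumed sane upper bound for this example */

/* Bytes the append loop really needs: base, lim copies of "/d", terminator. */
static size_t dotdot_bytes_needed(size_t base_len, int lim) {
    return base_len + 2 * (size_t)lim + 1;
}

/* Pre-fix shape of the size computation. The int product is emulated with
 * unsigned arithmetic so the wrap is well-defined for the demonstration. */
static size_t dotdot_alloc_unchecked(size_t base_len, int lim) {
    int doubled = (int)(2u * (unsigned)lim);   /* 2 * INT_MAX wraps to -2 */
    return base_len + (size_t)doubled + 10;    /* negative int -> huge size_t, sum wraps small */
}

/* 1 when the unchecked allocation is smaller than what the loop writes. */
static int dotdot_unchecked_overflows(size_t base_len, int lim) {
    if (lim < 0) return 0;                     /* negative limits were already refused */
    return dotdot_alloc_unchecked(base_len, lim) < dotdot_bytes_needed(base_len, lim);
}

/* Post-fix shape: bound the request and do the arithmetic in size_t with an
 * explicit overflow check before touching the allocator. Returns 0 on success. */
static int dotdot_alloc_checked(size_t base_len, int lim, size_t *out) {
    if (lim < 0 || lim > DOTDOT_CAP) return -1;
    size_t levels = (size_t)lim;
    if (levels > (SIZE_MAX - base_len - 10) / 2) return -1;
    *out = base_len + 2 * levels + 10;
    return 0;
}

/* Build the path with the checked size; NULL when the request is refused. */
static char *dotdot_build(const char *base, int lim) {
    size_t size;
    if (dotdot_alloc_checked(strlen(base), lim, &size) != 0) return NULL;
    char *p = malloc(size);
    if (p == NULL) return NULL;
    strcpy(p, base);
    for (int i = 0; i < lim; i++) strcat(p, "/d");
    return p;
}

int main(void) {
    const char *base = "/tmp/cvs-serv1234";      /* constructed sample temp dir */
    printf("lim=INT_MAX: unchecked alloc %zu bytes, loop needs %zu, overflow=%d\n",
           dotdot_alloc_unchecked(strlen(base), INT_MAX),
           dotdot_bytes_needed(strlen(base), INT_MAX),
           dotdot_unchecked_overflows(strlen(base), INT_MAX));
    char *p = dotdot_build(base, 3);
    printf("lim=3 checked: %s\n", p);
    free(p);
    printf("lim=INT_MAX checked: %s\n", dotdot_build(base, INT_MAX) ? "built" : "refused");
    return 0;
}
```

With a 17-byte base path and lim = INT_MAX the unchecked computation asks for 25 bytes while the loop writes a little over 4 GiB; the checked variant refuses the request before any allocation happens.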
Out of bound writes in serve_notify()
serve_notify() does not properly handle empty data lines. If an attacker supplies an empty data line, serve_notify() accesses data outside the allocated buffer. If a specific memory layout is met, this can be abused to write a single byte outside the buffer, and depending on the underlying memory allocation routines that could lead to arbitrary code execution on the target system. No exploit for this vulnerability exists so far.
Mishandling of empty lines from the configuration file (getline returns 0)
When some configuration files from CVSROOT are read, empty lines (for which getline returns 0) can cause a one-byte buffer underflow. Because an attacker needs CVSROOT commit access to trigger this bug it was not analyzed further. In addition, this bug should only cause problems on big endian systems.
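Both the serve_notify() case and the configuration-reader underflow above come down to stripping a trailing newline from a line whose length is zero. The following is an added example written for this page, not CVS code: `chomp_unchecked` shows the pattern, `chomp_checked` the guard, and `guard_clobbered` places the empty line one byte into a stack buffer so the out-of-bounds access hits a byte under our control instead of heap metadata. A `'\n'` in that byte plays the role of the "specific memory layout" the advisory mentions, because only then does the strip branch actually write.

```c
/* Added example for this page, not CVS source. An empty line reaches code
 * that strips a trailing newline without first checking that the line has
 * any characters: with len == 0 the index len - 1 is the byte before the
 * buffer. The line is placed one byte into a larger buffer so the out-of-
 * bounds access lands on a byte we control and can inspect afterwards. */
#include <stdio.h>
#include <string.h>

/* Pre-fix shape: reads line[-1] for an empty line, and writes it if it
 * happens to hold '\n' (the "specific memory layout" of the advisory). */
static void chomp_unchecked(char *line, int len) {
    if (line[len - 1] == '\n')
        line[len - 1] = '\0';
}

/* Post-fix shape: an empty line (getline returned 0) has nothing to strip. */
static void chomp_checked(char *line, int len) {
    if (len > 0 && line[len - 1] == '\n')
        line[len - 1] = '\0';
}

/* Feed an empty line whose preceding byte is `before` to a chomp routine.
 * Returns 1 if that byte was overwritten, i.e. a one-byte underflow write. */
static int guard_clobbered(void (*chomp)(char *, int), unsigned char before) {
    unsigned char buf[2];
    buf[0] = before;                      /* the byte just before the line */
    buf[1] = '\0';                        /* the empty line itself */
    char *line = (char *)&buf[1];
    chomp(line, (int)strlen(line));       /* strlen == 0, like getline returning 0 */
    return buf[0] != before;
}

/* Sanity check on a normal line: both routines strip the newline. Returns 1
 * when the result equals the input without its trailing '\n'. */
static int strips_newline(void (*chomp)(char *, int)) {
    char buf[32] = "Notify foo.c\n";      /* constructed sample line */
    chomp(buf, (int)strlen(buf));
    return strcmp(buf, "Notify foo.c") == 0;
}

int main(void) {
    printf("unchecked, '\\n' before empty line: clobbered=%d\n",
           guard_clobbered(chomp_unchecked, '\n'));
    printf("unchecked, 'x' before empty line:  clobbered=%d\n",
           guard_clobbered(chomp_unchecked, 'x'));
    printf("checked,   '\\n' before empty line: clobbered=%d\n",
           guard_clobbered(chomp_checked, '\n'));
    printf("checked strips a real newline:     %d\n", strips_newline(chomp_checked));
    return 0;
}
```

The unchecked routine always reads the byte before an empty line, but only turns that read into a write when the byte is `'\n'`, which is why the advisory describes the write as depending on memory layout.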
Other integer overflows
The new release also fixes a number of possible integer multiplication overflows. Some of them can only be triggered with CVS commit access or with huge amounts of data. In cases like the Argument command the overflow itself cannot be triggered, because the requested allocation size exceeds the free address space before the multiplication can wrap. The result is that realloc() returns a NULL pointer, which is then used as the base pointer for subsequent array accesses. An attacker who can make realloc() fail at the right moment may therefore be able to overwrite vital data structures with pointers to data under his control.
Disclosure Timeline
20. May 2004 - Derek Robert Price informed vendor-sec and some individuals about the cvshome.org hack and that he had found a bug introduced by the previous security update
21. May 2004 - Sebastian Krahmer and Stefan Esser reported to the same people that they had started a team audit of CVS and had already discovered some bugs
27. May 2004 - A patch for the discovered vulnerabilities and a final report about the problems were delivered to those involved in the disclosure process
28. May 2004 - Pre-notification process started; the same parties were warned
09. June 2004 - Coordinated Public Disclosure
Recommendation:
An immediate update to the new version is recommended. Additionally, consider running the CVS server chrooted over SSH instead of using the :pserver: method. A tutorial on setting up such a server can be found at: http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt.