<<< Date Index >>>     <<< Thread Index >>>

Advisory 07/2004: CVS remote vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                           e-matters GmbH
                          www.e-matters.de

                      -= Security  Advisory =-



     Advisory: CVS remote vulnerability
 Release Date: 2004/05/19
Last Modified: 2004/05/19
       Author: Stefan Esser [s.esser@xxxxxxxxxxxx]

  Application: CVS feature release <= 1.12.7
               CVS stable release  <= 1.11.15
     Severity: A vulnerability within CVS allows remote compromise of
               CVS servers.
         Risk: Critical
Vendor Status: Vendor is releasing a bugfixed version.
    Reference: http://security.e-matters.de/advisories/072004.html


Overview:

   Concurrent Versions System (CVS) is the dominant open-source version 
   control software that allows developers to access the latest code using
   a network connection. 
   
   Stable CVS releases up to 1.11.15 and CVS feature releases up to 1.12.7
   both contain a flaw when deciding if a CVS entry line should get a 
   modified or unchanged flag attached. This results in a heap overflow
   which can be exploited to execute arbitrary code on the CVS server.
   This could allow a repository compromise.
      
   
Details:
   
   While auditing the CVS source a flaw within the handling of modified
   and unchanged flag insertion into entry lines was discovered.
   
   When the client sends an entry line to the server an additional byte
   is allocated to have enough space for later flagging the entry as
   modified or unchanged. In both cases the check if such a flag is
   already attached is flawed. This allows to insert M or = chars into
   the middle of a user supplied string one by one for every call to
   one of these functions.
   
   It should be obvious that already the second call could possibly
   overflow the allocated buffer by shifting the part after the 
   insertion point one char backward. If the alignment of the block
   is choosen wisely this is already exploitable by malloc() off-by-one
   exploitation techniques. However carefully crafted commands allow 
   the functions to be called several times to overwrite even more
   bytes (although this is not really needed if you want to exploit 
   this bug on f.e. glibc based systems).
   

Proof of Concept:

   e-matters is not going to release an exploit for this vulnerability to
   the public.
   

Disclosure Timeline:

   02. May 2004 - CVS developers and vendor-sec were notified by email
                  Derek Robert Price replied nearly immediately that the
                  issue is fixed
   03. May 2004 - Pre-notification process of important repositories
                  was started
   11. May 2004 - Sourceforge discovered that the patch breaks 
                  compatibility with some pserver protocol violating 
                  versions of WinCVS/TortoiseCVS
   12. May 2004 - Pre-notified repositories were warned about this 
                  problem with a more compatible patch.
   19. May 2004 - Coordinated Public Disclosure

   
CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CAN-2004-0396 to this issue.


Recommendation:

   Recommended is an immediate update to the new version. Additionally you
   should consider running your CVS server chrooted over SSH instead of 
   using the :pserver: method. You can find a tutorial how to setup such a
   server at
   
   http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt
   
   
GPG-Key:

   http://security.e-matters.de/gpg_key.asc
    
   pub  1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam 
   Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA  A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFAqWRzb31XLTAExLwRAroGAKDWZEjc+4qs/PssTburCoQT8015KQCfSVL2
9igDTnXB45PxjgzEdZVU328=
=JEr/
-----END PGP SIGNATURE-----


-- 

--------------------------------------------------------------------------
 Stefan Esser                                        s.esser@xxxxxxxxxxxx
 e-matters Security                         http://security.e-matters.de/

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 
 Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
 Did I help you? Consider a gift:            http://wishlist.suspekt.org/
--------------------------------------------------------------------------