From s.esser@e-matters.de Wed Jun 9 21:25:37 2004
From: Stefan Esser
To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com, red@heisec.de, news@golem.de
Date: Wed, 9 Jun 2004 15:00:04 +0200
Subject: [Full-Disclosure] Advisory 09/2004: More CVS remote vulnerabilities

                          e-matters GmbH
                         www.e-matters.de

                      -= Security Advisory =-

     Advisory: More CVS remote vulnerabilities
 Release Date: 2004/06/09
Last Modified: 2004/06/09
       Author: Stefan Esser [s.esser@e-matters.de]

  Application: CVS feature release <= 1.12.8
               CVS stable release <= 1.11.16
     Severity: Vulnerabilities within CVS allow remote compromise of CVS servers.
         Risk: Critical
Vendor Status: Vendor has released bugfixed versions.
    Reference: http://security.e-matters.de/advisories/092004.html


Overview:

   Concurrent Versions System (CVS) is the dominant open-source version control
   software that allows developers to access the latest code using a network
   connection.

   A team audit of the CVS codebase has revealed more security related
   problems. The vulnerabilities discovered include exploitable, potentially
   exploitable and simple crash bugs.


Details:

   During the analysis of the cvshome.org hack incident Derek Robert Price
   discovered a null-termination issue in the patch for the previous CVS
   security issue. This issue was not deeply analysed but it is believed that
   it can only cause crashes.

   At the same time Sebastian Krahmer from SuSE and I started together a
   deeper audit of the CVS codebase. This process revealed several problems
   which are listed below, including those found by S. Krahmer.

   [ error_prog_name "double-free()" - found by SE ]

   The "Argumentx" command allows adding more data to a previously supplied
   argument. This is done by reallocating the last stored argument.
   Unfortunately "Argumentx" does not check if there is any argument in the
   argument list.
   If the list is empty realloc() will be called on a pointer that should not
   get touched at all, because it will get free()d when the client
   disconnects. This "double-free()" bug has been exploited successfully on
   several Linux systems.

   [ wrapper.c format string issues - found by SE ]

   The CVS wrapper file allows specifying format strings. These strings are
   trusted by the CVS server without any sanity check. A malformed wrapper
   line could crash the server or possibly execute arbitrary code. However an
   attacker needs CVSROOT commit access to trigger this, which is the highest
   access level.

   [ serve_max_dotdot integer overflow - found by SE ]

   An integer overflow within the "Max-dotdot" CVS protocol command allows
   crashing the CVS server. While CVS server processes are usually forked, a
   crash usually leaves data in the temporary file directory. This means on
   non-partitioned servers this bug could be used to fill the hard disk to the
   brim.

   [ serve_notify() out of bound writes - found by SK ]

   serve_notify() does not properly handle empty data lines. If an empty data
   line is supplied by an attacker serve_notify() will access data outside the
   allocated buffer. If a specific memory layout is met, this can be abused to
   write a single byte outside the buffer. Depending on the underlying memory
   allocating routines, this could be used to execute arbitrary code on the
   target system. An exploit for this problem is not yet finished.

   [ getline == 0 bugs - found by SK ]

   When reading some configuration files from CVSROOT, empty lines could cause
   one byte underflows. Because an attacker needs CVSROOT commit access to
   trigger this bug it was not further analysed. Additionally this bug should
   only cause problems on big endian systems.

   [ Argument (and other) integer overflows - found by SK ]

   With the new release a bunch of possible integer multiplication overflows
   are fixed. Some of them are only triggerable with CVS commit access or with
   huge amounts of data.
   In cases like the Argument command the overflow is not triggerable, because
   the requested allocation size will exceed the free address space before the
   overflow can happen. This results in realloc() returning a NULL pointer
   which is then used as base pointer for following array accesses. If an
   attacker is able to cause realloc() to fail at the right moment this may
   allow him to overwrite vital data structures with pointers to his data.


Proof of Concept:

   e-matters is not going to release an exploit for any of these
   vulnerabilities to the public.


Disclosure Timeline:

   20. May 2004  - Derek Robert Price informed vendor-sec and some individuals
                   about the cvshome.org hack and that he found a bug that was
                   introduced by the previous security update
   21. May 2004  - Sebastian Krahmer and I reported to the same people that we
                   had started on a team audit of CVS and had already
                   discovered some bugs
   27. May 2004  - A patch for the discovered vulnerabilities and a final
                   report about the problems was delivered to those involved
                   in the disclosure process
   28. May 2004  - Pre-notification process started. The same parties were
                   warned
   09. June 2004 - Coordinated Public Disclosure


CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the following names to the discussed vulnerabilities:

   CAN-2004-0414 - no null-termination of "Entry" lines
   CAN-2004-0416 - error_prog_name "double-free()"
   CAN-2004-0417 - Argument integer overflow
   CAN-2004-0418 - serve_notify() out of bounds writes

   Please note that only CAN-2004-0416 was discovered by e-matters. For the
   other vulnerabilities within this advisory no additional names were
   assigned.


Recommendation:

   An immediate update to the new version is recommended. Additionally you
   should consider running your CVS server chrooted over SSH instead of using
   the :pserver: method.
   You can find a tutorial on how to set up such a server at
   http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt


GPG-Key:

   http://security.e-matters.de/gpg_key.asc

   pub  1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
   Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.
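Added example, not part of the advisory and not CVS's own server.c: a constructed C model of the "Argument"/"Argumentx" handling described under Details, written with the checks whose absence the advisory reports. It refuses "Argumentx" on an empty list (so no pointer outside the list is ever realloc()ed), guards the size arithmetic against wrap-around, and treats a NULL realloc() result as an error instead of a base pointer; the names arglist, arg_add, arg_extend and arg_free are assumed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of a server argument list (assumed names, not CVS's server.c). */
typedef struct {
    char **vec;    /* heap-allocated argument strings */
    size_t count;  /* arguments stored so far */
    size_t cap;    /* slots allocated in vec */
} arglist;

/* "Argument": append a new argument. Returns 0 on success, -1 on error. */
int arg_add(arglist *a, const char *s) {
    if (a->count == a->cap) {
        size_t ncap = a->cap ? a->cap * 2 : 4;
        /* the size arithmetic can wrap: refuse instead of allocating short */
        if (ncap < a->cap || ncap > SIZE_MAX / sizeof *a->vec) return -1;
        char **nv = realloc(a->vec, ncap * sizeof *nv);
        if (!nv) return -1;  /* never index through a NULL base pointer */
        a->vec = nv;
        a->cap = ncap;
    }
    size_t len = strlen(s) + 1;
    char *dup = malloc(len);
    if (!dup) return -1;
    memcpy(dup, s, len);
    a->vec[a->count++] = dup;
    return 0;
}

/* "Argumentx": extend the most recent argument with "\n" followed by s. */
int arg_extend(arglist *a, const char *s) {
    if (a->count == 0) return -1;  /* the missing check: nothing to extend */
    char *last = a->vec[a->count - 1];
    size_t l1 = strlen(last), l2 = strlen(s);
    if (l2 > SIZE_MAX - 2 - l1) return -1;  /* length arithmetic must not wrap */
    char *n = realloc(last, l1 + l2 + 2);
    if (!n) return -1;  /* on failure the old block stays valid and owned by vec */
    n[l1] = '\n';
    memcpy(n + l1 + 1, s, l2 + 1);  /* includes the terminating NUL */
    a->vec[a->count - 1] = n;
    return 0;
}

/* Release everything exactly once, e.g. when the client disconnects. */
void arg_free(arglist *a) {
    for (size_t i = 0; i < a->count; i++) free(a->vec[i]);
    free(a->vec);
    a->vec = NULL; a->count = a->cap = 0;
}
```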