SecurityTracker.com
Category:  Application (Generic)  >  CVS
Vendors:  GNU [multiple authors]
Concurrent Versions System (CVS) Off-by-one Buffer Overflow May Let Local Users Execute Arbitrary Code to Gain Elevated Privileges
SecurityTracker Alert ID:  1004376
CVE Reference:  CAN-2002-0844
Updated:  Jan 14 2004
Original Entry Date:  May 25 2002
Impact:  Execution of arbitrary code via local system, User access via local system
Version(s): 1.11
Description:  A buffer overflow vulnerability has been reported in the Concurrent Versions System (CVS). A local user may be able to execute arbitrary code with the privileges of the CVS process.

The flaw reportedly resides in 'cvs-1.11/src/rcs.c', where the 'special' newphrase of an RCS delta ('info->data') is parsed with an sscanf() call using the format "%16s %lu". A field width of 16 lets sscanf() store up to 16 non-whitespace characters followed by a terminating NUL, i.e. up to 17 bytes, into the 16-byte automatic buffer 'devtype[16]', which has room for only 15 characters plus the NUL. The 'info->data' contents are reportedly taken from a symlinked file on the local system, so a local user who controls that file can supply a 16-character device type and write one byte past the end of 'devtype'; according to the report this off-by-one could be used to execute arbitrary code.

Impact:  A local user could cause the CVS server to execute arbitrary code with the privileges of the CVS daemon.
Solution:  No official solution was available at the time of this entry.

The author of the report has provided an unofficial patch (see the Source Message for the patch).

Vendor URL:  www.gnu.org/software/cvs/cvs.html
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  "david evlis reign" <davidreign@hotmail.com>
Message History:   This archive entry has one or more follow-up message(s) listed below.
May 25 2002 (Vendor Issues Fix) Re: Concurrent Versions System (CVS) Off-by-one Buffer Overflow May Let Local Users Execute Arbitrary Code to Gain Elevated Privileges   ("david evlis reign" <davidreign@hotmail.com>)
The vendor has issued a fix.
Aug 9 2002 (Caldera Issues Fix for OpenLinux) Concurrent Versions System (CVS) Off-by-one Buffer Overflow May Let Local Users Execute Arbitrary Code to Gain Elevated Privileges   (security@caldera.com)
Caldera has released a fix for OpenLinux.
Jan 14 2004 (Red Hat Issues Fix for RH Enterprise Linux) Concurrent Versions System (CVS) Off-by-one Buffer Overflow May Let Local Users Execute Arbitrary Code to Gain Elevated Privileges   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1 and 3.



 Source Message Contents

Date:  Sat, 25 May 2002 08:08:55 +0000
From:  "david evlis reign" <davidreign@hotmail.com>
Subject:  [DER ADV#8] - Local off by one in CVSD

 

Local off by one overflow in CVSD.

intro:
the family of scanf functions (scanf, sscanf, fscanf) is generally insecure 
in usage, and steps have been taken to make them more...secure, you might say, 
like adding bounds checking (sscanf(hey, "%.4096s %d", buffer, int)), but the 
function still remains quite insecure, open to a lesser-known bug like an off-by-
one.

WRONG:
char buf[10];
sscanf(hey, "%10s", buf);  /* width 10: stores up to 10 chars AND a terminating NUL,
                              11 bytes into a 10-byte buf */

RIGHT:
char buf[10];
sscanf(hey, "%9s", buf);   /* width 9: at most 9 chars plus the NUL, exactly what buf holds.
                              scanf takes a field width (%9s); a printf-style precision
                              such as %.9s is not a scanf conversion */

therefore in the first example (WRONG) the last byte into buf will exceed the 
allocated space (10 bytes) by one byte. woops. 
(http://www.hert.org/papers/klog-1.html <-- nice article)

details:

in cvs-1.11/src/rcs.c:

    info = findnode (vers->other_delta, "special");
    if (info != NULL)
    {
        /* If the size of `devtype' changes, fix the sscanf call also */
        char devtype[16];                       /* <-- SIXTEEN BYTES */

        if (sscanf (info->data, "%16s %lu",     /* <-- WOOPS SHOULD BE 15 */
                    devtype, &devnum_long) < 2)
            error (1, 0, "%s:%s has bad `special' newphrase %s",
                   workfile, vers->version, info->data);
        devnum = devnum_long;
        if (STREQ (devtype, "character"))
            special_file = S_IFCHR;
        else if (STREQ (devtype, "block"))
            special_file = S_IFBLK;
        else
            error (0, 0, "%s is a special file of unsupported type `%s'",
                   workfile, info->data);
    }

this is only a locally exploitable hole since the data is read from 
info->data which in turn is from a symlinked local file (heh, you know where 
to find it);

we at der sys have created the following patch:

__END_OF_PATCH;

##########################
#DER PATCH FOR CVS < 1.11#
##########################

--- rcs_old.c	Mon Jan 25 02:05:16 2002
+++ rcs.c	Mon Jan 25 02:05:40 2002

--- 4238:       if (sscanf (info->data, "%16s %lu",
+++ 4238:       if (sscanf (info->data, "%.15s %lu",
		devtype, &devnum_long) < 2)
		error (1, 0, "%s:%s has bad `special' newphrase %s",
		workfile, vers->version, info->data);
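Review bot: the replacement format "%.15s %lu" on the +++ 4238 line is not a valid scanf conversion: '.' introduces a printf precision, and the scanf family defines only a field width, so the conversion is undefined and common libc implementations treat it as a matching failure. sscanf would then return less than 2 for every `special' newphrase, including legitimate "character N" and "block N" entries, and the unchanged `< 2` test on the next line would make rcs.c report all of them as bad. The bound that fits devtype[16] is the width form "%15s %lu", which stores at most 15 characters plus the terminator. Separately, the hunk carries no @@ header and puts '--- 4238:' / '+++ 4238:' in front of the changed lines instead of '-' / '+', so patch(1) cannot apply it; a unified diff of rcs.c around line 4238 would let readers apply the fix directly.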

__END_OF_PATCH;

vendor notification: nope.



 



Copyright 2004, SecurityGlobal.net LLC