If CVS is run as root with pserver as suggested in the info page, any user can access any account (with the possible exception of root)
Elliot Lee <sopwith@REDHAT.COM>
access any nonuser account (remote)
Those running a vulnerable version of CVS pserver as suggested in the CVS info page. CVS 1.9.14 has this fixed
29 August 1997
Date: Fri, 29 Aug 1997 12:08:48 -0400
From: Elliot Lee <sopwith@REDHAT.COM>
Subject: Somewhat of a security hole in CVS
If you run the CVS pserver as per the instructions in the CVS info page
(running it as root from inetd) anyone can get access to any account
except root (and perhaps root too - there may be CVS commands that run
scripts and don't check if uid == 0). If you don't run it as root they can
still get full access to the repository.
Basically, the luser makes their own CVS repository with a "customized"
password file, changes commitinfo so it runs a "chmod 6555 /bin/sh"
script, and does a commit of something.
This is more of a site configuration problem than anything else - it's not
really a weakness inherent in CVS(?). A patch to server.c to limit usage
of the 'Repository' and 'Directory' commands to only those listed in
/etc/cvs-repositories might be useful, but I'm not sure how thorough that
Of course, having someone do a complete security audit of CVS wouldn't
hurt either ;-) It is becoming increasingly used on the 'net for software
distribution - the OpenBSD project being an example - and it lacks some
basic features, such as integrated anonymous user support (without having
to make a separate user and run the server as root, or enable rsh/ssh
access), that it could use.
Hope this helps,
-- Elliot - http://www.redhat.com/
What's nice about GUI is that you see what you manipulate.
What's bad about GUI is that you can only manipulate what you see.
| http://www.cauce.org/ | http://www.linuxnet.org/ |
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces: