Security problems in CVS

Summary
Description:If CVS is run as root with pserver as suggested in the info page, any user can access any account (with the possible exception of root)
Author:Elliot Lee <sopwith@REDHAT.COM>
Compromise:access any nonuser account (remote)
Vulnerable Systems:Those running a vulnerable version of CVS pserver as suggested in the CVS info page. CVS 1.9.14 has this fixed
Date:29 August 1997
Details


Date: Fri, 29 Aug 1997 12:08:48 -0400
From: Elliot Lee <sopwith@REDHAT.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Somewhat of a security hole in CVS

If you run the CVS pserver as per the instructions in the CVS info page
(running it as root from inetd) anyone can get access to any account
except root (and perhaps root too - there may be CVS commands that run
scripts and don't check if uid == 0). If you don't run it as root they can
still get full access to the repository.

Basically, the luser makes their own CVS repository with a "customized"
password file, changes commitinfo so it runs a "chmod 6555 /bin/sh"
script, and does a commit of something.

This is more of a site configuration problem than anything else - it's not
really a weakness inherent in CVS(?). A patch to server.c to limit usage
of the 'Repository' and 'Directory' commands to only those listed in
/etc/cvs-repositories might be useful, but I'm not sure how thorough that
would be.

Of course, having someone do a complete security audit of CVS wouldn't
hurt either ;-) It is becoming increasingly used on the 'net for software
distribution - the OpenBSD project being an example - and it lacks some
basic features, such as integrated anonymous user support (without having
to make a separate user and run the server as root, or enable rsh/ssh
access), that it could use.

Hope this helps,
-- Elliot - http://www.redhat.com/
What's nice about GUI is that you see what you manipulate.
What's bad about GUI is that you can only manipulate what you see.

| http://www.cauce.org/ | http://www.linuxnet.org/ |

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]