>Submitter-Id: net
>Originator: Linas Vepstas
>Organization: net
>Confidential: no
>Synopsis: DoS: no way to stop anonymous import w/ pserver
>Severity: critical
>Priority: high
>Category: cvs
>Class: change-request
>Release: cvs-1.10.6
>Environment:
Intel 486
Linux version 2.2.13
/lib/libc-2.1.1.so
>Description:
Any anonymous user may import new projects into cvs, via the
pserver network server, without any sort of check (that I can
find documented anywhere). This opens up any public cvs server
to a variety of attacks:
-- denial-of-service: a malicious user could import
large projects until all disk space is consumed.
-- surreptitious uploads: a hacker attempting to gain
access could use cvs to upload binaries, scripts.
If cvs were also accessible via www, the scripts might be
remotely executable! The cracker then gets r00t.
In particular, CVSROOT/commitinfo is not used to determine
if import is allowed.
>How-To-Repeat:
--pick a pserver, any pserver will do:
linas@shadygrove> /tmp/junk %cvs -d :pserver:[EMAIL PROTECTED]:/home/cvs/cvsroot login
(Logging in to [EMAIL PROTECTED])
CVS password:
--password: guest
linas@shadygrove> /tmp/junk %cvs -d :pserver:[EMAIL PROTECTED]:/home/cvs/cvsroot import junkrep junkvend junkrel
N junkrep/asdf
No conflicts created by this import
-- lookit that: the import worked! and the files are indeed on the server now.
linas@shadygrove> /tmp/junk %cvs -d :pserver:[EMAIL PROTECTED]:/home/cvs/cvsroot checkout junkrep
cvs server: Updating junkrep
U junkrep/asdf
linas@shadygrove> /tmp/junk %cd junkrep
linas@shadygrove> /tmp/junk/junkrep %ls -la
total 4
drwxr-xr-x 3 linas users 1024 Apr 4 01:13 .
drwxr-xr-x 3 linas users 1024 Apr 4 01:13 ..
drwxr-xr-x 2 linas users 1024 Apr 4 01:13 CVS
-rw-r--r-- 1 linas users 15 Apr 4 02:02 asdf
linas@shadygrove> /tmp/junk/junkrep %vi asdf
linas@shadygrove> /tmp/junk/junkrep %cvs commit
cvs commit: Examining .
cvs commit: Write access denied for user cvs
cvs server: Pre-commit check failed
cvs [server aborted]: correct above errors first!
cvs commit: saving log message in /tmp/cvs0oQsqj
-- Well, here we actually see commitinfo at work: commitinfo does not allow
anonymous commits.
>Fix:
Either:
-- document whatever existing mechanism can be used to work
around this security hole
-- importing should use 'CVSROOT/commitinfo' to get approval
-- importing should use new 'CVSROOT/importinfo' to get approval
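The following is an added illustration of the kind of approval hook the report's second and third fix options ask for; it is not part of the original report and not code from the cvs project. It is written in the shape of a CVSROOT/commitinfo program (CVS appends the repository directory and the file names as arguments; a non-zero exit vetoes the operation) so that the same script could be listed in commitinfo today and in a hypothetical CVSROOT/importinfo if one were added. The read-only account list, the CVS_USER environment variable used to learn the authenticated pserver account, and the `id -un` fallback are all assumptions of this example; on a server where the pserver account is not exported in the environment, the fallback only sees the system user the server runs as.

```shell
#!/bin/sh
# Example veto hook for CVSROOT/commitinfo (and a hypothetical CVSROOT/importinfo).
# Added example, not cvs project code.  Invocation by CVS (assumed, as for commitinfo):
#     hook REPOSITORY-DIR FILE...
# Exit status 0 allows the operation, non-zero vetoes it.

# Accounts that may read the repository but must never write to it.
# Constructed list for this example; adjust to the accounts in CVSROOT/passwd.
READONLY_USERS="anonymous cvs guest"

# deny_readonly USER REPODIR
#   Returns 1 (veto) and prints a diagnostic on stderr when USER is one of the
#   read-only accounts, returns 0 (allow) otherwise.  Exact-match only, so a
#   user named "anonymous2" is not accidentally denied.
deny_readonly() {
    _user=$1
    _repo=$2
    for _ro in $READONLY_USERS; do
        if [ "$_user" = "$_ro" ]; then
            echo "Write access denied for user $_user (repository $_repo)" >&2
            return 1
        fi
    done
    return 0
}

# hook_main REPODIR FILE...
#   Resolves the acting user and applies the policy.  Assumption: the pserver
#   account name is exported in CVS_USER; otherwise fall back to the system user,
#   which for pserver is the account the server process runs as.
hook_main() {
    _acting=${CVS_USER:-$(id -un)}
    deny_readonly "$_acting" "$1"
}

# Only act when CVS actually passed arguments, so the file can also be sourced
# (for example by a test) without vetoing anything.
if [ $# -ge 1 ]; then
    hook_main "$@"
    exit $?
fi
```

To wire it into the existing mechanism, a commitinfo line of the form `ALL /home/cvs/cvsroot/CVSROOT/hooks/deny-readonly` (path assumed) makes it run for every commit; the point of the report is that nothing equivalent runs for `cvs import`, so until that changes the script only demonstrates the check, not the enforcement.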