Remote Root Exploit in CVS

RenHoek writes "Security expert Stefan Esser from E-matters discovered a bug in CVS version 1.11.4 and lower, that can give malignant users remote root access. The exploit was confirmed on BSD, but other OS's like Linux, Solaris and Windows are vulnerable too. A security advisory can be found here and there is also a patch available. CVS version 1.11.5 which is fixed can be downloaded as well."

Malignant?

[TheKodiak]

I think "Malicious" is the more... conventional choice.

CVS, huh?

[stratjakt]

Sounds like a good way to alter the code stored on a hacked machine to install backdoors for you to get into others.

Do you OSS folks actually read through every line of source before you build something big like Apache or Squid or SAMBA, just to make sure noone has altered the code?

Re:CVS, huh?

[penguin_punk]

"Do you OSS folks actually read through every line of source before you build something big like Apache or Squid or SAMBA, just to make sure noone has altered the code?"

No. But I do check the md5 checksums that I get from at least 2 or 3 different sources. Especially with server software like Apache, Squid or SAMBA.

Do you Closed-Sourced folks trust whatever gets shoved down your throat?

Re:CVS, huh?

[Monkeyman334]

First, the bug being in CVS has nothing to do with changing the source code on a hacked machine. If you have root from ANY bug, you can change the source code. No, "OSS folks" do not waste time looking through every bit of source of Apache, Squid, or SAMBA, if they're just downloading and compiling it on a machine that's been compromised. They probably couldn't find malicious code anyway if they don't know the code well. They just run md5 hashes against the ones on the download site. As for developers checking code that they developed themselves or distribute, yes, you must check every line of code and look for vulnerabilites. That is, unless you have some backup to run a diff against that you can trust. As an example, Themes.org had to go through all their code when their server was compromised before they put the site back up.

Re:CVS, huh?

[guido1]

[Rant]

No. But I do check the md5 checksums that I get from at least 2 or 3 different sources.

So here's the funny thing about doing it that way. You're not necessarily any safer by doing that than just getting the binaries.

Why?

Unless you personally diff all the code that has changed since the last release, you don't know what's in there. Sure, you could check, and others can (and likely do), but you don't know until/unless they/you do.

So enjoy your security blanket, but realize that is is only that.

[/Rant]

Re:CVS, huh?

[bokmann]

No, but plenty of open source projects 'sign' their work, which I can then verify with gpg and the public key of the developer(s).

The question then becomes, "Do I trust that person", instead of, "Do I trust that person and every bloody person who just might be able to alter a file in the long chain of responsibility from him compiling it to me installing it."

GPG. Know it. Live it. Love it.

Re:CVS, huh?

[feed_me_cereal]

Unless you personally diff all the code that has changed since the last release, you don't know what's in there. Sure, you could check, and others can (and likely do), but you don't know until/unless they/you do.

The grandparent said he checks at least 2 or 3 sources. This means all the sources would need to have the same hacked copy. That means the attacker would have either had to have nailed the server distributing the copies (and the people there would have had to have been dumb enough to go ahead with it) or by luck have comprimised all of these random servers.

So enjoy your security blanket, but realize that is is only that.

Although the situation I described above is certainly possible, I would say the grandparents method is good security practice and probably a lot more than a mere "security blanket". That is, if I'm correct in my reasoning. If not, I'd appreciate comments.

Re:CVS, huh?

``Do you OSS folks actually read through every line of source before you build something big like Apache or Squid or SAMBA, just to make sure noone has altered the code?''

I am so tired of hearing the suggestion that if I want to make use of the advantages of OSS, I have to personally read the code. This is so obviously beside the point, I have never even actually tried to put it right....

As is demonstrated by this example as well as by countless others, it is enough if one single person on earth is checking the code. Then the news will spread. I have never looked at a single line of the code of cvs, and yet I knew it had to be upgraded. Oh, and while smart closed-source folks are free to find exploits, they have to rely on the mercy of the sowtware manufacturer to plug the leak. While I, not having bothered to change a single line of cvs code, was able to download the patched version practically without delay right after the leak's discovery.

Re:CVS, huh?

[feed_me_cereal]

you sir, are an idiot.
you sir, are an ass (albeit anonymous)

what good does getting the md5s do? so you get your sources from 2 or 3 places

It works when one of the CVS servers you're downloading from gets hacked. Of course it's possible for the distributing server to get hacked too, but I'd hope people are watching it a bit more keenly. If the developers don't have more than one copy of their own code with which to check before submitting their release to the mirrors, then they shouldn't be making OSS software.

This is still much much much much better than doing nothing. You can never be 100% secure. Security is doing all the reasonable things you can to approach 100%.

maybe the transfer from master to mirror mixed up a few bytes.

Then the MD5 sum will be fucked up. What's your point?!

maybe all your downloads from a mirror mixed up a few bytes

In the exact same way ?! if the file is only a megabyte then the chances of this will be slimmer than 1 to 1 million squared! Either way the MD5 sum, since it's independant of the data, will be fucked up.

either way, it doesn't matter how many sources you use to d/l source packages for 'safety'

Maybe if you've never taken a statistics class.

oss needs a better method of s/w distribution. sign packages and their md5 hashes with pgp would be a start.

Um... there are OSS distribution rules? It's up to you to judge the competency of individual projects, as far as security goes.

Oh, and why is this OSS's problem? Why isn't closed-source even MORE vulnerable to this phenomena? OSS developers aren't the only ones who use CVS internally.

Re:CVS, huh?

[feed_me_cereal]

And how are they going to do that? Through a hole in something like CVS??? Couldn't be!

no shit! Don't quote me out of context. I had some more following that. My original quote:

That means the attacker would have either had to have nailed the server distributing the copies (and the people there would have had to have been dumb enough to go ahead with it)

and also...

Although the situation I described above is certainly possible, I would say the grandparents method is good security practice and probably a lot more than a mere "security blanket".

So... I sincerly hope that the people distributing the release:

1. practice better security than a mirror
2. For christs sake, CHECK the release against a safe backup before releasing it!!! And they had better be backing up their code...

and, of course,it's still possible that this could happen. Certainly. I never said it couldn't. That dosn't change the fact that checking multiple sites will probably take care of most of these CVS attacks, since it's a lot easier to hit one random mirror than the main fucking site.

Cripes, it's time to ban C

[phr2]

I looked at the advisory expecting to see the words "buffer overflow", and instead saw "malloc mistake" (same pointer can get freed twice in some circumstances). Both of these amount to the same thing, getting nailed by C's lack of automatic memory protection and garbage collection.

I think it's time to give up on C for most Internet application development, and use languages which eliminate this wide class of bugs. Banning C altogether is of course an overstatement, but C code in an application should be treated like setuid code. There should be as little of it as possible (the occasional optimized inner loop of something, for example), and it needs to be scrutinized very carefully before deployment.

Anyone know what language Subversion is written in?

Re:Cripes, it's time to ban C

[The+Bungi]

Since you can't cause a buffer overrun/overflow in something like Java or .NET, maybe that's a good choice to write stuff in.

Or maybe not - someone will find a way to exploit those and anything alse that catches on.

It's impossible to protect non-trivial software from *everything*. You might as well get on with your life, plan for exploits and how to deal with them. Anything else is just a pipe dream.

Re:Cripes, it's time to ban C

[Xerithane]

I looked at the advisory expecting to see the words "buffer overflow", and instead saw "malloc mistake" (same pointer can get freed twice in some circumstances). Both of these amount to the same thing, getting nailed by C's lack of automatic memory protection and garbage collection.

It's not the language, it's the coder. Just like it's not the car, it's the driver, if someone causes an accident. Replacing every sports car with a Kia isn't going to stop accidents. Educating drivers on good practices is. ...it needs to be scrutinized very carefully before deployment.

Uhm, no shit? I think you should write a book! Seriously, saying that there should be code reviews before software gets deployed? That's an awesome idea, I think I'll start implementing it into my own development.

Again, the problem is not the language, it's the coder. People make mistakes, languages do not (compilers on the other hand). Don't blame a language for operating exactly as it's designed to.

You can do garbage collection in C just fine, with external libraries.

Re:Cripes, it's time to ban C

[kscguru]

Ah, but the phrase that jumped out at me was "global pointer variable" - a synchronization-type problem that could hit just about any language (yes, Java included). Java would probably crash with some sort of exception instead of happily running in an invalid state... but do you really want anyone to remotely crash the server daemon either?

But, banning C is the LAST thing you'd want to do in a case like this. C is absolutely, bar none, the fastest language for slinging raw bytes around (err... ignoring assembly, but it's close) - and that's pretty much what a CVS server (or FTP, or HTTP, or ...) does. Switch over to a "safer" language (Java, Perl, whatever) and the commands to run the connection will be safer, but the server as a whole will suffer - and thus less people will use it.

The best case here would probably be to set up two layers - a Perl wrapper that parses and verifies input before passing it on to a C program that actually does the serving. But this is a server - emphasis on the C core, not the Perl wrapper. The parsing/verify is the special case, while the data transfer is the general case, and so designing for the general case makes the language of choice C.

But getting back to the topic, the bug here isn't a memory management bug. It's a flawed PROGRAM design that RESULTS IN a memory management bug. Global variables are bad in general, and should only be used with due diligence - and here's simply a case where that diligence didn't work.

That's silly

[phr2]

It's like saying that since seat belts and airbags can't prevent every fatal accident, you shouldn't wear them. You might as well get on with your life, plan for fatal car crashes and how to deal with them, because anything else is just a pipe dream.

I'd say part of sensible planning is trying to lower the effect of accidents (or bugs), even if you can't prevent all of them. That means wearing the seat belts in your car, and using array checking and garbage collection in your programs.

Re:That's silly

[smallpaul]

Actually, it's like saying automoviles and airliners cause far too many deaths, so let's stop using them and just walk.

The reason we continue to use automobiles and airliners is because they can get us places that walking cannot practically get us. The original poster admitted that C should be used when it is necessary. But he pointed out that it is used way more often than is necessary at a terrible consequence to our security. He specifically outlined a plan wherein we use C for what it is good for (performance) and use other things for what they are good for (security).

Dropping C because it's susceptible to exploits is dumb, as is replacing it with some other technology that will eventually be hacked anyway.

It isn't that C as a technology was "hacked". It is that C as a technology has a design that makes it more vulnerable than other technologies. Those other technologies will also be hacked but less often. That's a net win even if it doesn't eliminate hacking in total (which is a silly goal in the first place).

Re:Chicken and egg problem?

[Wesley+Everest]

And, of course, the trick would be to hack the official gcc server, put the trojan in the source, wait for a new update (hoping nobody finds the trojan), and then silently remove the trojan. Then, wait again for quite a few new updates (so that nobody would have reason to look at the version that has the trojan in source. After that, some versions would have the trojan and some wouldn't -- any binary that has a hacked binary as its "ancestor" would be hacked, but any one that "skipped a generation" would be clean.

Now, the way to prevent this from happening is to use a compiler other than gcc when compiling gcc. Then, the hackers would have to hack both compilers, which would be a much more significant task.

Are there any really paranoid folks out there that build gcc with the Intel compiler or somesuch? Is it possible to build gcc with another compiler?

Btw, when the russian hackers hacked Microsoft, how do you know they didn't do this to VC++?

About Tradeoffs

[kscguru]

But it's also like saying that fatal accidents are more common when cars are travelling above 40MPH, so we'll add a device to prevent high speed - oops, your house burned down because the fire truck couldn't get there in time? Sorry, hope the decreased risk of an accident was worth it. Or, saying that your seat belt is so heavy that your car only goes half as fast - not such a good deal anymore, is it?

The point is software is about tradeoffs. Take Windows 95, for example. Any time something becomes corrupted, you get a Blue Screen. If MS wanted to prevent the bug from spreading and corrupting anything else, they'd reboot immediately. But people are willing to take the risk of running with a potentially unstable system because there are advantages: the risk of further bugs is small, I'd like to save the document I've been working on the past three hours, or it's just not worth my time to wait through a reboot.

Choosing C is about tradeoffs too. Coding in C means you get a fast language that produces a well-understood output. And you are also very sure that no language vendor is ever going to change the underlying behavior and break your code. Plus, the C source can be compiled and run on practically every OS out there with minimal overhead.

The person who writes the software gets to decide where the software sits on this tradeoff. If you disagree, you are free to write your own server in whatever language you want.

Re:About Tradeoffs

[tshak]

The problem with your comparison is that many programs (esp programs like CVS) will probably run just as fast in Java or C# (faster in some areas, slower in others). Also, as time goes on, Abstract Syntax Machines and Garbage Collection has gotten faster and faster. Also, hardware has gotten faster and cheaper. Therefore, for many types of apps the safety clearly outweighs the [nominal] performance tradeoff (if any).

Re:Yes, blame the language!

[Tom7]

> The SSH exploits could exist regardless of what language.

This is totally wrong. How can you claim this?? Safe languages would NOT have been vulnerable to the integer overflow attacks. The only recent ssh flaw (AFAIK) that was language-neutral was the one where the passwd file was being improperly interpreted on some platforms. The rest would not have been exploitable if sshd were written in Java, SML, O'Caml, or another safe language, period.

My response to the rest of your post can be summed up as: C behaving as it is designed is no consolation if the design is bad, and the design is bad as far as security is concerned. It's true that it's possible (to a certain extent) to grin and bear it, but why would you want to do that??

Agreed. However

[phr2]

A lot of programs are written in C that really don't need to be. CVS is an example. It just doesn't do anything cpu-intensive. It's all intricate control logic--it could have been written as a big shell script without performance suffering too much. All the real work is done by external programs. Even if there are some parts that really need to be written in C, then fine, write those parts in C. Heck, there will even be parts where C isn't fast enough and you have to write in asm. That doesn't make asm appropriate these days for large-scale application writing.

Someone asked what I'd recommend instead of C. I don't know. I don't think there's a One True Language. Lately I'm coding in Python and like it, though it has its own shortcomings. Java is C-like enough to be comfortable for today's C and C++ programmers. I like the Java language but despise the runtime systems that are usually shipped with it. Perl seems like a monstrosity to me (awk with cancer) but with the -T option (taint checking), it, too, saves you from making a lot of bugs that are easy to miss when writing a C program.

If you've ever written setuid code (at least responsibly), you know the feeling of paranoia and vigilance you have to bring to every line of it that you write. I'm very skeptical if you tell me you bring the same paranoia to all the code you write. Of course there's no magic bullet to secure programming, but there are tools available (i.e. languages with fewer exposed sharp edges) that provide various kinds of safety nets that can rescue you a sizeable percentage of the time. It's foolish not to use those tools.

Re:Yes, blame the language!

[Tom7]

> The point is, it will always, always, without exception, rely upon the developer not fucking up.
> If you remove the capacity for pointers, they'll find some other way to exploit the system. There is no such thing as
> security.

This is a pretty extreme position to take, and I think it's impractical. Using more safe languages can make our programs more reliable and more secure, by limiting the ways that programmers can make exploitable bugs. Of course, a language that doesn't allow the developer to make any holes at all, even if he's trying, is not very useful (in a sense ssh itself is a 'hole' that grants access to someone who 'exploits' it with a password). I am not claiming that we should program in these languages, if in fact they exist. But there is a rich middle ground between such a useless language and a language like C that makes it so easy and dangerous to make mistakes. These languages absolutely do make a very popular class of errors (that occur even among the world's best programmers) vanish instantly, and that to me is obviously a step in the right direction.