Bugzilla – Bug 54774
VUL-0: CVE-2004-0397: Overflow in subversion and neon
Last modified: 2021-10-14 08:35:55 UTC
Date: Sun, 2 May 2004 17:37:04 +0200
From: Stefan Esser <s.esser@e-matters.de>
To: vendor-sec@lst.de, joe@manyfish.co.uk, gstein@apache.org, brian@collab.net
Cc: s.esser@e-matters.de
Subject: [vendor-sec] CVS Pserver / Subversion / Neon remote vulnerabilities

Hi to everyone addressed,

today I have to inform you about 3 vulnerabilities which are from my point of view a serious threat. The 3 vulnerabilities in question are:

1) CVS 1.12.7 (and older) pserver remote heap overflow

Malformed "Entry" lines in combination with Is-modified and Unchanged can be used to overflow malloc()ed memory. This was proven to be exploitable.

2) Subversion 1.0.1 (and older) remote stack overflow

A malicious revision date in a DAV/2 REPORT query, or a malicious revision date in a Subversion get-dated-rev request, can overflow the stack because of unsafe usage of sscanf(). THIS is even exploitable with several stack overflow protectors, because overflowing one of the function parameters can be used to store an arbitrary value of 32-64 bits to any memory position within one of the called subfunctions. So it is f.e. possible to overwrite ONLY the stored eip of the inner subfunction, before the stack overflow is detected... This was also proven to be exploitable through DAV/2 REPORT, but due to the nature of UTF-8 strings it is somewhat harder to exploit.

3) Neon 0.24.5 (and older) remote stack overflow

This vulnerability was NOT researched yet (because of lack of time), but it was found the same day as the Subversion one, and here also sscanf() is used in an unsafe manner. This will result in an overflow of a static heap variable. I haven't checked the layout yet. But I guess somehow it is exploitable.

Attached are fixes for these vulnerabilities. I hope the CVS, SVN and NEON vendors can check their validity fast. Especially the CVS patch should be checked. I believe it is okay, but maybe Derek Price can verify that it does not kill functionality.

Due to the fact that CVS and NEON/SVN are meanwhile widely used, I want to contact some big CVS/SVN repositories before going public with this. F.e. Samba just switched from CVS to SVN but still runs both afaik. This means they are doubly vulnerable. I would like to know from you who should get prior notification. Additionally I suggest these fixes do not go into publicly reachable CVS/SVN trees before we have notified some big repositories.

Especially the CVS pserver bug could be known in the blackhat community for 1-2 years. At least I heard from a trusted source that there is a pserver exploit. I have no idea if this is the bug I just found, but I strongly believe the source is not lying.

Oh well, and it would also be good if all three things can be released at the same time. Especially neon+svn would be handy because they are connected anyway...

Yours,
Stefan Esser
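The bug class the report describes (fixed-size fields filled by sscanf() conversions with no field width while parsing an RFC 1036 date) is illustrated below with a constructed parser; this is an added example, not the actual neon or Subversion code, and the struct, function names and sample dates are all invented for illustration.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed record for an RFC 1036 date such as "Sunday, 06-Nov-94 08:49:37 GMT". */
struct rfc1036_date {
    int day, year, hour, min, sec;
    char wday[10];   /* longest weekday name is 9 letters + NUL */
    char mon[4];     /* three-letter month + NUL */
};

/* Vulnerable pattern (illustrative, not neon's code): %[...] without a width
 * copies as many bytes as the sender supplies, so an over-long weekday or month
 * token runs past wday/mon into whatever follows them in memory.
 * Never feed untrusted input to this function. */
int parse_rfc1036_unsafe(const char *s, struct rfc1036_date *d)
{
    return sscanf(s, "%[^,], %d-%[^-]-%d %d:%d:%d GMT",
                  d->wday, &d->day, d->mon, &d->year,
                  &d->hour, &d->min, &d->sec) == 7;
}

/* Hardened form: each string conversion carries a width one less than its
 * buffer, the conversion count is checked, %n confirms the whole format
 * (including the "GMT" literal) was consumed, and the numeric fields are
 * range-checked. A token longer than the width fails the following literal
 * match, so an over-long name is rejected instead of truncated silently. */
int parse_rfc1036_safe(const char *s, struct rfc1036_date *d)
{
    int n = 0;
    if (sscanf(s, "%9[A-Za-z], %2d-%3[A-Za-z]-%2d %2d:%2d:%2d GMT%n",
               d->wday, &d->day, d->mon, &d->year,
               &d->hour, &d->min, &d->sec, &n) != 7 || n == 0 || s[n] != '\0')
        return 0;
    return d->day >= 1 && d->day <= 31 && d->year >= 0 &&
           d->hour >= 0 && d->hour < 24 && d->min >= 0 && d->min < 60 &&
           d->sec >= 0 && d->sec <= 60;
}

/* Parse with the hardened parser and return the day of month, or -1 on reject. */
int rfc1036_day(const char *s)
{
    struct rfc1036_date d;
    return parse_rfc1036_safe(s, &d) ? d.day : -1;
}

int main(void)
{
    /* Constructed inputs: one well-formed date, one with an over-long weekday. */
    printf("ok date   -> day %d\n", rfc1036_day("Sunday, 06-Nov-94 08:49:37 GMT"));
    printf("long wday -> day %d\n", rfc1036_day("Sundayyyyyyyyyyyyyyy, 06-Nov-94 08:49:37 GMT"));
    return 0;
}
```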
Will attach fix. Since you are maintainer for subversion and neon, I will not make separate entries.
Created attachment 18914 [details] the neon fix ...
Created attachment 18915 [details] the subversion fix ...
CAN-2004-0398
Created attachment 18994 [details] new patch from author. we should probably use this. ...
Is there a release date?
No, not yet. But would be good to have packages ready and tested when they announce it :-)
Any news here yet?
I will update it this weekend.
packages submitted to: 8.1/neon 8.1/subversion 8.2/neon 8.2/subversion 9.0/neon 9.0/subversion 9.1/neon 9.1/subversion
So there is no maintenance issue? Going to submit patchinfos...
Created attachment 19282 [details] neon patchfile for box ...
Created attachment 19283 [details] subversion patchfile for box ...
neon and subversion are not part of sles8
CAN-2004-0397: subversion sscanf stack overflow via revision date in REPORT query ... CAN-2004-0398: libneon sscanf overflow via ne_rfc1036_parse
packages approved, and announced in SA-2004:013
packages pub/projects/apache got the fix today as well (resp. pub/people/poeml, which is linked from http://subversion.tigris.org/project_packages.html)
CVE-2004-0397: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)