Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Exploit code reported for CVS Vulnerability<b>

Published: 2004-05-21
Last Updated: 2004-05-22 14:45:26 UTC
by Deborah Hale (Version: 1)
0 comment(s)


Follow-up to May 19th Handlers Diary: The cvs exploit published yesterday has seen used multiple times. PATCH NOW!. The cvs main homepage (cvshome.org) appears to be down. However, you should still be able to obtain patches
from mirrors.





http://isc.sans.org/diary.php?date=2004-05-19



We have received information that exploit code has been has been reported by K-OTik Security. This exploit is a particular concern to Unix admins and could be used to compromise a number of open source projects. It is recommended that you verify signatures. This exploit can affect your system even if you don't run CVS Server. Just using software that is maintained using a compromised server will put your system at risk.



One of the Handler's will be setting up a test server this afternoon to confirm that the code works. Stay tuned for more information.



Gentoo update for CVS



http://secunia.com/advisories/11674/



Open BSD



http://secunia.com/advisories/11677/


This just in from Mike Poor:


In response to seeing the cvs exploits being used in the wild, ISC Handlers George Bakos and Mike Poor put together some simple snort rules to detect the cvs exploits posted at K-Otik. Keep in mind that these are stopgap rules to catch these exploits only, not the vulnerability itself. The exploits are detected by Snort's SHELLCODE rules, but those rules are turned off by default. With the rules below, be sure to change the sid's to match your local.rules numbering. NOTE: these rules will wrap, so eliminate the line feeds when adding them to your local.rules file.

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target Linux)"; flow:to_server,established; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset:0; depth:20; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; sid:1000000; rev:1; classtype:attempted-admin;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target BSD)"; flow:to_server,established; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset:0; depth:18; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; sid:1000001; rev:1;classtype:attempted-admin;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target Solaris)"; flow:to_server,established; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|";offset:0; depth:18; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; sid:1000002; rev:1;classtype:attempted-admin;)






Deb Hale

Handler On Duty



Keywords:
0 comment(s)
Diary Archives