CVSTrac Remote Denial of Service Vulnerability

Vulnerability ID 1112114 Vulnerability type SQL injection
Published 2007-01-29 Updated 2007-01-29
CVE ID CVE-2007-0347 CNNVD ID CNNVD-200701-503
Platform CGI CVSS score 4.3
|Vulnerability source
https://www.exploit-db.com/exploits/3223
https://www.securityfocus.com/bid/22296
https://cxsecurity.com/issue/WLB-2007010107
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-503
|Vulnerability details
CVSTrac is a patch and bug tracking system designed for CVS. CVSTrac has an input validation vulnerability when processing user requests; a remote attacker may exploit it to carry out a denial of service attack. The is_eow() function in CVSTrac's format.c does not check the first (!) character of a user-supplied string for an End-Of-Word terminator, but instead iterates over the string, which can allow a single embedded question mark to be skipped. The is_repository_file() function then assumes that a filename string never contains a single question mark, so an SQL escaping problem can arise. Because of the way is_eow() handles whitespace, however, the SQL injection an attacker can perform is limited to SQL queries made up of characters that survive the isspace(3) check. If an attacker includes text with this special structure in a submitted commit message, ticket, or Wiki page, the result can be a denial of service, depending on which page is requested.
|Vulnerability EXP
#!/usr/bin/env perl
##
##  cvstrack-resurrect.pl -- CVSTrac Post-Attack Database Resurrection
##  Copyright (c) 2007 Ralf S. Engelschall <rse@engelschall.com>
##
##  Usage: cvstrack-resurrect.pl <path-to-cvstrac-sqlite-db>
##  Walks the wiki, ticket, tktchng and chng tables and inserts a space
##  between a repository-path-like word and a single quote embedded in it,
##  so the stored text no longer carries the structure described above.
##

use strict;
use warnings;
use DBI;           # requires OpenPKG perl-dbi
use DBD::SQLite;   # requires OpenPKG perl-dbi, perl-dbi::with_dbd_sqlite=yes
use DBIx::Simple;  # requires OpenPKG perl-dbix
use Date::Format;  # requires OpenPKG perl-time

my $db_file = $ARGV[0]
   or die "usage: $0 <cvstrac-sqlite-db>\n";

my $db = DBIx::Simple->connect(
   "dbi:SQLite:dbname=$db_file", "", "",
   { RaiseError => 0, AutoCommit => 0 }
) or die DBIx::Simple->error;

# End-Of-Word characters: NUL, whitespace and .,:;?!)"'
my $eow = q{\x00\s.,:;?!)"'};

# Rewrite /dir/file'text into /dir/file 'text so that the quote starts a
# word of its own. Takes a reference to the text; returns 1 if the text
# was changed, 0 otherwise.
sub fixup {
   my ($data) = @_;
   if ($$data =~ m:/[^$eow]*/[^$eow]*'[^$eow]+:s) {
       $$data =~ s:(/[^$eow]*/[^$eow]*)('[^$eow]+):$1 $2:sg;
       return 1;
   }
   return 0;
}

foreach my $rec ($db->query("SELECT name, invtime, text FROM wiki")->hashes()) {
   if (&fixup(\$rec->{"text"})) {
       printf("++ adjusting Wiki page \"%s\" as of %s\n",
           $rec->{"name"}, time2str("%Y-%m-%d %H:%M:%S", -$rec->{"invtime"}));
       $db->query("UPDATE wiki SET text = ? WHERE name = ? AND invtime = ?",
           $rec->{"text"}, $rec->{"name"}, $rec->{"invtime"});
   }
}
foreach my $rec ($db->query("SELECT tn, description, remarks FROM ticket")->hashes()) {
   if (&fixup(\$rec->{"description"}) or &fixup(\$rec->{"remarks"})) {
       printf("++ adjusting ticket #%d\n",
           $rec->{"tn"});
       $db->query("UPDATE ticket SET description = ?, remarks = ? WHERE tn = ?",
           $rec->{"description"}, $rec->{"remarks"}, $rec->{"tn"});
   }
}
foreach my $rec ($db->query("SELECT tn, chngtime, oldval, newval FROM tktchng")->hashes()) {
   if (&fixup(\$rec->{"oldval"}) or &fixup(\$rec->{"newval"})) {
       printf("++ adjusting ticket [%d] change as of %s\n",
           $rec->{"tn"}, time2str("%Y-%m-%d %H:%M:%S", $rec->{"chngtime"}));
       $db->query("UPDATE tktchng SET oldval = ?, newval = ? WHERE tn = ? AND chngtime = ?",
           $rec->{"oldval"}, $rec->{"newval"}, $rec->{"tn"}, $rec->{"chngtime"});
   }
}
foreach my $rec ($db->query("SELECT cn, message FROM chng")->hashes()) {
   if (&fixup(\$rec->{"message"})) {
       printf("++ adjusting change [%d]\n",
           $rec->{"cn"});
       $db->query("UPDATE chng SET message = ? WHERE cn = ?",
           $rec->{"message"}, $rec->{"cn"});
   }
}

$db->commit();
$db->disconnect();

# milw0rm.com [2007-01-29]
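To make the repair rule above easy to check against a database export before it is applied, here is an added Python port of the script's fixup regex (example code written for this page, not part of the original script or of CVSTrac). It assumes the same End-Of-Word character set the Perl script uses, walks constructed sample rows in the shape of the wiki, ticket, tktchng and chng tables, and reports which rows carry the path-plus-quote structure and what they look like after the space is inserted.

```python
import re

# End-Of-Word set as used by the resurrection script: NUL, whitespace and .,:;?!)"'
# (assumption: mirrors the Perl $eow string one-to-one).
EOW = r"""\x00\s.,:;?!)"'"""

# A word shaped like a repository path (/dir/file) immediately followed by a
# single quote and more non-EOW characters, with no word boundary in between.
# Equivalent to the Perl pattern (/[^$eow]*/[^$eow]*)('[^$eow]+) with the s flag.
RISKY_WORD = re.compile(r"(/[^" + EOW + r"]*/[^" + EOW + r"]*)('[^" + EOW + r"]+)", re.S)


def is_risky(text: str) -> bool:
    """True when the text carries the structure the advisory describes."""
    return RISKY_WORD.search(text) is not None


def fixup(text: str) -> tuple[str, int]:
    """Insert a space before the quote so the quote becomes its own word.

    Returns the repaired text and the number of substitutions made (0 = unchanged),
    so running it twice is a no-op, just like the Perl fixup().
    """
    return RISKY_WORD.subn(r"\1 \2", text)


def scan_records(records):
    """Report every record that needs repair, together with its repaired text.

    records: iterable of (table, key, text) tuples, e.g. rows read from the
    wiki, ticket, tktchng and chng tables the Perl script walks.
    """
    findings = []
    for table, key, text in records:
        repaired, count = fixup(text)
        if count:
            findings.append((table, key, repaired, count))
    return findings


# Constructed sample rows for the demonstration (not real CVSTrac data).
SAMPLE_ROWS = [
    ("wiki", "HomePage", "See /src/main'foo for details."),
    ("ticket", 17, "Crash fixed in /src/main, see the patch."),
    ("chng", 850, "it's a path like /a/b 'already spaced"),
    ("tktchng", 42, "paths /a/b'c and /x/y'z both affected"),
]

if __name__ == "__main__":
    for table, key, repaired, count in scan_records(SAMPLE_ROWS):
        print(f"{table}[{key}]: {count} fix(es) -> {repaired!r}")
```

Note that `.` is itself an End-Of-Word character in this set, so a word such as `/src/main.c'x` is not matched (the `.` already terminates the word before the quote); the Perl regex behaves the same way, which is worth knowing when reviewing what the script did and did not touch.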
|Affected products
OpenPKG OpenPKG E1.0-Solid; CVSTrac CVSTrac 2.0
|References

Source: BUGTRAQ
Name: 20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/458455/100/0/threaded
Source: VUPEN
Name: ADV-2007-0398
Link: http://www.frsirt.com/english/advisories/2007/0398
Source: MISC
Link: http://www.cvstrac.org/cvstrac/tktview?tn=683
Source: www.cvstrac.org
Link: http://www.cvstrac.org/cvstrac/chngview?cn=850
Source: FULLDISC
Name: 20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerability
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/052058.html
Source: OPENPKG
Name: OpenPKG-SA-2007.008
Link: http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.008.html
Source: OSVDB
Name: 31935
Link: http://osvdb.org/31935
Source: BID
Name: 22296
Link: http://www.securityfocus.com/bid/22296
Source: SREASON
Name: 2192
Link: http://securityreason.com/securityalert/2192
Source: SECUNIA
Name: 23940
Link: http://secunia.com/advisories/23940