redpig.dataspill.org: Multiple vulnerabilities in cscope

»Multiple vulnerabilities have been discovered in cscope that allow for the execution of arbitrary code.

Background
From cscope.sourceforge.net: cscope is a developer's tool for browsing source code. It has an impeccable Unix pedigree, having been originally developed at Bell Labs back in the days of the PDP-11. Cscope was part of the official AT&T Unix distribution for many years, and has been used to manage projects involving 20 million lines of code!
Impact
A successful exploit would resulting the execution of arbitrary code immediately after executing cscope. In some environments, cscope may be executed automatically on start up of the user's text editor or IDE.
Workaround
When using cscope,
  • ensure that there are no unexpected `cscope.files'.
  • ensure that any source trees do not have full paths that exceed 250 characters or look particularly out of place.
  • ensure that any source trees do not have directory or file names with embedded newline or `$' characters.
Note: as of this posting, most packaged versions of cscope, and the source repository, should be patched. Ensure that your version of cscope is not out of date.
Discussion
Multiple exploitable stack buffer overflows have been found in cscope due to the unchecked use of strcpy() and *scanf():

Use of fscanf() and sscanf() without enforced field maximum widths during file list parsing

This results in an exploitable condition which may be triggered in a number of ways:
  • specially crafted cscope.files may be placed in a shared working directory
  • specially crafted directory and file names in a source tree, or archive.

In the first case, an attacker may leave a `cscope.files' file in a directory where the victim is likely to run cscope. This is particularly dangerous because some text editors will automatically execute it cscope on start-up.
In the second case, an attacker may modify a shared source tree or supply a prepackaged source archive with specially crafted file and directory names. The victim would then need to run cscope over a list of this source tree's files. If the resulting list contained any specially crafted paths, and it would result in an overflow condition. As with the first case, some editors will automatically generate this file list and execute cscope on it. This would result in the attack occurring in the background, unbeknownst to the victim.
In both cases, the resulting file list will have a path to a file that exceeds 250 characters. E.g.,
 $ bash -c 'D=$(ruby -e "print \"A\" * 255;"); for i in $(seq 1 15); do
            mkdir $D; cd $D; touch A; done;'
 $ find ./ -type f > cscope.files
 $ cscope
Multiple unchecked uses of strcpy() during path variable expansion

cscope allows users to specify limited arguments in addition to files in the `cscope.files' file list. When using the `-I' option, the subsequent paths will have variable expansion performed prior to use. The '~' character is expanded to the caller's `HOME' environment variable, and any occurrence of the `$' character followed by a string will be expanded to the value of that particular environment variable. e.g., "-I $SHELL" may become "-I /bin/bash". These cases result in two separate crash conditions due to the unchecked use of strcpy(). Tilde expansion may result in a stack buffer overflow if and only if the victim's `HOME' environment variable is changed to exceed the maximum allocated space for expansion:
 $ export HOME=$(ruby -e "print 'A'*2048")
 $ echo "-I~/foo.c" > cscope.files
 $ cscope
However, general environment variable expansion is much more dangerous. This attack allows a similar attack to the *scanf() attacks which can be triggered using similar mechanisms. A specially crafted file list will result in the execution of arbitrary code. The difference is that maximum field width checking does not mitigate this attack. The specially crafted directory and file names may contain environment variable references which expand to much longer strings than the environment variable's name. Because of this, more knowledge of the victim's environment is required in order to create an effective exploit. However, some assumptions can be made about common environment variables, such as `SHELL' and `LS_COLORS', that make this attack viable.
 # This directory may exist in a given source tree:
 $ mkdir '^J-I$LS_COLORS'
 $ touch '^J-I$LS_COLORS/payload_here'

 # The end user may run this to build a filelist
 $ find ./ -type -f > cscope.files
 $ cscope

(Note, ^J represents the key combination "Ctrl+j".)
Unchecked use of strcpy() during command line argument parsing

This results in a command line based overflow attack. The impact of this attack is minimal given that cscope is not normally run setuid, and the attacker would need to have some control over the call to cscope. The overflow occurs when cscope strcpy()s the `reffile` argument value over the statically allocated stack buffer for `reffile'.
 $ cscope -f `ruby -e 'print "A"*500'`
References
Credit
This work was sponsored by my employer.

0 comments:
This page does not necessarily reflect the views of my employer or anyone I'm associated with.
redpig@dataspill.org