Vulnerabilities > CVE-2004-0413 - Remote Integer Overflow vulnerability in Subversion SVN Protocol Parser

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
openpkg
subversion
critical
nessus

Summary

libsvn_ra_svn in Subversion 1.0.4 trusts the length field of (1) svn://, (2) svn+ssh://, and (3) other svn protocol URL strings, which allows remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via an integer overflow that leads to a heap-based buffer overflow.

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200406-07.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200406-07 (Subversion: Remote heap overflow) The svn protocol parser trusts the indicated length of a URI string sent by a client. This allows a client to specify a very long string, thereby causing svnserve to allocate enough memory to hold that string. This may cause a Denial of Service. Alternately, given a string that causes an integer overflow in the variable holding the string length, the server might allocate less memory than required, allowing a heap overflow. This heap overflow may then be exploitable, allowing remote code execution. The attacker does not need read or write access to the Subversion repository being served, since even un-authenticated users can send svn protocol requests. Impact : Ranges from remote Denial of Service to potential arbitrary code execution with privileges of the svnserve process. Workaround : Servers without svnserve running are not vulnerable. Disable svnserve and use DAV for access instead.
    last seen2020-06-01
    modified2020-06-02
    plugin id14518
    published2004-08-30
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14518
    titleGLSA-200406-07 : Subversion: Remote heap overflow
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200406-07.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    # Plugin metadata. This branch runs only when `description` is set and ends
    # with exit(0), so the package check further down does not run in this pass.
    if (description)
    {
      script_id(14518);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:41");
    
      # Cross-references that tie a finding back to the CVE and the Gentoo advisory.
      script_cve_id("CVE-2004-0413");
      script_xref(name:"GLSA", value:"200406-07");
    
      script_name(english:"GLSA-200406-07 : Subversion: Remote heap overflow");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      # Advisory text: a client-supplied length is trusted, which leads either to
      # memory exhaustion or, after an integer overflow, to an undersized heap
      # allocation. No repository access or authentication is needed.
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200406-07
    (Subversion: Remote heap overflow)
    
        The svn protocol parser trusts the indicated length of a URI string sent by
        a client. This allows a client to specify a very long string, thereby
        causing svnserve to allocate enough memory to hold that string. This may
        cause a Denial of Service. Alternately, given a string that causes an
        integer overflow in the variable holding the string length, the server
        might allocate less memory than required, allowing a heap overflow. This
        heap overflow may then be exploitable, allowing remote code execution. The
        attacker does not need read or write access to the Subversion repository
        being served, since even un-authenticated users can send svn protocol
        requests.
      
    Impact :
    
        Ranges from remote Denial of Service to potential arbitrary code execution
        with privileges of the svnserve process.
      
    Workaround :
    
        Servers without svnserve running are not vulnerable. Disable svnserve and
        use DAV for access instead."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200406-07"
      );
      # Remediation: the fixed package is dev-util/subversion 1.0.4-r1 or later.
      script_set_attribute(
        attribute:"solution", 
        value:
    "All users should upgrade to the latest version of Subversion.
        # emerge sync
        # emerge -pv '>=dev-util/subversion-1.0.4-r1'
        # emerge '>=dev-util/subversion-1.0.4-r1'"
      );
      # CVSS v2: network vector, low complexity, no authentication, complete
      # confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      # "local": the verdict comes from package data collected on the host, so a
      # finding does not by itself show that svnserve is running or reachable.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:subversion");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/06/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/30");
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/06/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      # Requires the three KB entries below; ssh_get_info.nasl is the declared
      # dependency (presumably the plugin that populates them -- confirm).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Preconditions: local checks enabled, a Gentoo release recorded, and a
    # package list collected. audit() reports which one is missing.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release"))
      audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # dev-util/subversion at or below 1.0.4 is treated as vulnerable;
    # 1.0.4-r1 and later are treated as fixed.
    affected = 0;
    if (qpkg_check(package:"dev-util/subversion", unaffected:make_list("ge 1.0.4-r1"), vulnerable:make_list("le 1.0.4")))
      affected = affected + 1;
    
    if (!affected)
    {
      # Nothing vulnerable: say whether the package was checked or is absent.
      checked = qpkg_tests_get();
      if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Subversion");
    }
    else
    {
      # Report on port 0; the package details are attached only when
      # report_verbosity is above zero.
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2004-165.NASL
    descriptionA heap overflow vulnerability was discovered in the svn:// protocol handling library, libsvn_ra_svn. If using the svnserve daemon, an unauthenticated client may be able to execute arbitrary code as the user the daemon runs as. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0413. This issue does not affect the mod_dav_svn module. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id13719
    published2004-07-23
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13719
    titleFedora Core 1 : subversion-0.32.1-5 (2004-165)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2004-165.
    #
    
    include("compat.inc");
    
    # Plugin metadata. This branch runs only when `description` is set and ends
    # with exit(0), so the rpm checks further down do not run in this pass.
    if (description)
    {
      script_id(13719);
      script_version ("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:23");
    
      # Cross-references that tie a finding back to the CVE and the Fedora advisory.
      script_cve_id("CVE-2004-0413");
      script_xref(name:"FEDORA", value:"2004-165");
    
      script_name(english:"Fedora Core 1 : subversion-0.32.1-5 (2004-165)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      # Advisory text: the flaw is in libsvn_ra_svn and is reachable by an
      # unauthenticated client when svnserve is in use; mod_dav_svn is stated
      # to be unaffected.
      script_set_attribute(
        attribute:"description", 
        value:
    "A heap overflow vulnerability was discovered in the svn:// protocol
    handling library, libsvn_ra_svn. If using the svnserve daemon, an
    unauthenticated client may be able execute arbitrary code as the user
    the daemon runs as. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2004-0413. This issue does
    not affect the mod_dav_svn module.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2004-June/000169.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?868076a1"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # CVSS v2: network vector, low complexity, no authentication, complete
      # confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      # "local": the verdict comes from the host's rpm list, so a finding does
      # not by itself show that svnserve is running or reachable.
      script_set_attribute(attribute:"plugin_type", value:"local");
      # NOTE(review): mod_dav_svn is listed although the description says the
      # module is unaffected -- presumably because it is part of the same
      # package update; confirm.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mod_dav_svn");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:subversion");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:subversion-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:subversion-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/06/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      # Requires the three KB entries below; ssh_get_info.nasl is the declared
      # dependency (presumably the plugin that populates them -- confirm).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Preconditions, checked in order: local checks enabled, a Fedora release
    # string whose major version is 1, an rpm list, and a supported CPU.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release)
      audit(AUDIT_OS_NOT, "Fedora");

    # Pull the major release number out of the release string.
    fc_match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(fc_match))
      audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = fc_match[1];
    if (! ereg(pattern:"^1([^0-9]|$)", string:os_ver))
      audit(AUDIT_OS_NOT, "Fedora 1.x", "Fedora " + os_ver);

    if (!get_kb_item("Host/RedHat/rpm-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
      audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$")
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

    # Each reference is the fixed package build for Fedora Core 1; every
    # rpm_check() hit is counted.
    flag = 0;
    foreach fixed_ref (make_list(
      "mod_dav_svn-0.32.1-5",
      "subversion-0.32.1-5",
      "subversion-debuginfo-0.32.1-5",
      "subversion-devel-0.32.1-5"))
    {
      if (rpm_check(release:"FC1", reference:fixed_ref)) flag++;
    }

    if (!flag)
    {
      # Nothing flagged: say whether packages were checked or none is installed.
      checked = pkg_tests_get();
      if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mod_dav_svn / subversion / subversion-debuginfo / subversion-devel");
    }
    else
    {
      # Report on port 0; package details are attached only when
      # report_verbosity is above zero.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL familyMisc.
    NASL idSUBVERSION_1_0_5.NASL
    descriptionA remote overflow exists in Subversion. svnserver fails to validate svn:// requests resulting in a heap overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
    last seen2020-06-01
    modified2020-06-02
    plugin id12284
    published2004-06-22
    reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/12284
    titleSubversion < 1.0.5 svnserver svn:// Protocol Handler Remote Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Plugin metadata. This branch runs only when `description` is set and ends
    # with exit(0), so the network probe further down does not run in this pass.
    if (description)
    {
     script_id(12284);
     script_version("1.13");
    
     # Cross-references: CVE, Bugtraq ID, and the Gentoo and SuSE advisories.
     # NOTE(review): the GLSA value here carries a "GLSA " prefix, unlike the
     # bare "200406-07" form -- confirm which form report consumers expect.
     script_cve_id("CVE-2004-0413");
     script_bugtraq_id(10519);
     script_xref(name:"GLSA", value:"GLSA 200406-07");
     script_xref(name:"SuSE", value:"SUSE-SA:2004:018");
    
     script_name(english:"Subversion < 1.0.5 svnserver svn:// Protocol Handler Remote Overflow");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote host has an application that is affected by a
    heap overflow vulnerability." );
     script_set_attribute(attribute:"description", value:
    "A remote overflow exists in Subversion. svnserver fails to validate 
    svn:// requests resulting in a heap overflow. With a specially 
    crafted request, an attacker can cause arbitrary code execution 
    resulting in a loss of integrity." );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to version 1.0.5 or newer." );
     # CVSS v2 base: network vector, low complexity, no authentication, complete
     # C/I/A impact. Temporal: unproven exploit (E:U), official fix (RL:OF),
     # confirmed report (RC:C).
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/06/22");
     script_set_attribute(attribute:"vuln_publication_date", value: "2004/06/12");
     script_cvs_date("Date: 2018/07/30 15:31:32");
    # "remote": the verdict comes from talking to the service over the network.
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
     script_summary(english:"Subversion SVN Protocol Parser Remote Integer Overflow");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     script_family(english:"Misc.");
     # Declares subversion_detection.nasl as a dependency and requires a port
     # registered under Services/subversion.
     script_dependencie("subversion_detection.nasl");
     script_require_ports("Services/subversion");
     exit(0);
    }
    
    
    
    # start check
    # mostly horked from MetaSploit Framework subversion overflow check
    
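    # Version probe only: the length prefix (24) matches the URL that follows,
    # so the request is well-formed, and the verdict is taken from the version
    # string in the server's reply rather than from any overflow behaviour.

    port = get_kb_item("Services/subversion");
    if ( ! port ) port = 3690;   # fall back to the default svn port

    if (! get_tcp_port_state(port))
        exit(0);

    dat = string("( 2 ( edit-pipeline ) 24:svn://host/svn/nessusr0x ) ");

    soc = open_sock_tcp(port);
    if (!soc)
        exit(0);

    # First line from the server (presumably its greeting); nothing is sent
    # unless one arrives. The socket is closed on this early exit too.
    r = recv_line(socket:soc, length:1024);
    if (! r)
    {
        close(soc);
        exit(0);
    }

    send(socket:soc, data:dat);
    r = recv_line(socket:soc, length:256);

    # Both reads are done; release the socket before deciding what to report.
    close(soc);

    if (! r)
        exit(0);

    # NOTE(review): the pattern flags only replies that self-report
    # subversion-1.0.0 through 1.0.4. Servers older than 1.0 are not matched,
    # and a build carrying a backported fix that still reports one of these
    # versions would be flagged -- confirm against the installed package
    # where local checks are available.
    if (egrep(string:r, pattern:".*subversion-1\.0\.[0-4][^0-9].*"))
    {
        security_hole(port);
    }

    exit(0);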
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2004-166.NASL
    descriptionA heap overflow vulnerability was discovered in the svn:// protocol handling library, libsvn_ra_svn. If using the svnserve daemon, an unauthenticated client may be able to execute arbitrary code as the user the daemon runs as. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0413. This issue does not affect the mod_dav_svn module. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id13720
    published2004-07-23
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13720
    titleFedora Core 2 : subversion-1.0.4-2 (2004-166)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2004-166.
    #
    
    include("compat.inc");
    
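    # Plugin metadata. This branch runs only when `description` is set and ends
    # with exit(0), so the rpm checks further down do not run in this pass.
    if (description)
    {
      script_id(13720);
      script_version ("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:23");
    
      # The description text below names CVE-2004-0413; registering it as a
      # cross-reference lets findings from this plugin be correlated by CVE,
      # in line with the other plugins for the same advisory.
      script_cve_id("CVE-2004-0413");
      script_xref(name:"FEDORA", value:"2004-166");
    
      script_name(english:"Fedora Core 2 : subversion-1.0.4-2 (2004-166)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      # Advisory text: the flaw is in libsvn_ra_svn and is reachable by an
      # unauthenticated client when svnserve is in use; mod_dav_svn is stated
      # to be unaffected.
      script_set_attribute(
        attribute:"description", 
        value:
    "A heap overflow vulnerability was discovered in the svn:// protocol
    handling library, libsvn_ra_svn. If using the svnserve daemon, an
    unauthenticated client may be able execute arbitrary code as the user
    the daemon runs as. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2004-0413.
    
    This issue does not affect the mod_dav_svn module.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2004-June/000168.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?03df7ae7"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # NOTE(review): severity is given only as a risk_factor label here, with
      # no CVSS vector -- confirm whether a vector should be registered too.
      script_set_attribute(attribute:"risk_factor", value:"High");
    
      # "local": the verdict comes from the host's rpm list, so a finding does
      # not by itself show that svnserve is running or reachable.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mod_dav_svn");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:subversion");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:subversion-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:subversion-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:subversion-perl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/06/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      # Requires the three KB entries below; ssh_get_info.nasl is the declared
      # dependency (presumably the plugin that populates them -- confirm).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }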
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Preconditions, checked in order: local checks enabled, a Fedora release
    # string whose major version is 2, an rpm list, and a supported CPU.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release)
      audit(AUDIT_OS_NOT, "Fedora");

    # Pull the major release number out of the release string.
    fc_match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(fc_match))
      audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = fc_match[1];
    if (! ereg(pattern:"^2([^0-9]|$)", string:os_ver))
      audit(AUDIT_OS_NOT, "Fedora 2.x", "Fedora " + os_ver);

    if (!get_kb_item("Host/RedHat/rpm-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
      audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$")
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

    # Each reference is the fixed package build for Fedora Core 2; every
    # rpm_check() hit is counted.
    flag = 0;
    foreach fixed_ref (make_list(
      "mod_dav_svn-1.0.4-2",
      "subversion-1.0.4-2",
      "subversion-debuginfo-1.0.4-2",
      "subversion-devel-1.0.4-2",
      "subversion-perl-1.0.4-2"))
    {
      if (rpm_check(release:"FC2", reference:fixed_ref)) flag++;
    }

    if (!flag)
    {
      # Nothing flagged: say whether packages were checked or none is installed.
      checked = pkg_tests_get();
      if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mod_dav_svn / subversion / subversion-debuginfo / subversion-devel / etc");
    }
    else
    {
      # Report on port 0; package details are attached only when
      # report_verbosity is above zero.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2004_018.NASL
    descriptionThe remote host is missing the patch for the advisory SuSE-SA:2004:018 (subversion). Subversion is a version control system like the well known CVS. The subversion code is vulnerable to a remotely exploitable buffer overflow on the heap. The bug appears before any authentication took place. An attacker is able to execute arbitrary code by abusing this vulnerability. There is no temporary workaround known. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update.
    last seen2020-06-01
    modified2020-06-02
    plugin id13834
    published2004-07-25
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13834
    titleSuSE-SA:2004:018: subversion
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SuSE-SA:2004:018
    #
    
    
    # Exit at once when the engine does not define bn_random (presumably a
    # capability gate for the scanner version -- confirm).
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    # Plugin metadata. This branch runs only when `description` is set and ends
    # with exit(0), so the rpm checks further down do not run in this pass.
    if(description)
    {
     script_id(13834);
     script_version ("1.14");
     script_cve_id("CVE-2004-0413");
    
     name["english"] = "SuSE-SA:2004:018: subversion";
    
     script_name(english:name["english"]);
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch." );
     # Advisory text: the heap overflow is reachable before authentication and
     # the advisory knows of no temporary workaround.
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SuSE-SA:2004:018 (subversion).
    
    
    Subversion is a version control system like the well known CVS.
    The subversion code is vulnerable to a remotely exploitable buffer
    overflow on the heap. The bug appears before any authentication took
    place. An attacker is able to execute arbitrary code by abusing this
    vulnerability.
    
    There is no temporary workaround known.
    
    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command 'rpm -Fhv file.rpm' to apply
    the update." );
     # The solution text is only the advisory URL, served over plain http.
     script_set_attribute(attribute:"solution", value:
    "http://www.suse.de/security/2004_18_subversion.html" );
     # CVSS v2: network vector, low complexity, no authentication, complete
     # confidentiality / integrity / availability impact.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25");
      script_cvs_date("Date: 2019/10/25 13:36:27");
     script_end_attributes();
    
    
     summary["english"] = "Check for the version of the subversion package";
     script_summary(english:summary["english"]);
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
    
     # Only the SuSE rpm list is required; ssh_get_info.nasl is the declared
     # dependency (presumably the plugin that populates it -- confirm).
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }
    
    include("rpm.inc");
    # One fixed package build per SuSE release. The releases are tried in the
    # order 8.1, 8.2, 9.0, 9.1 and evaluation stops at the first rpm_check() hit.
    missing_patch = 0;
    if (rpm_check(reference:"subversion-0.23.0-60", release:"SUSE8.1"))
     missing_patch = 1;
    else if (rpm_check(reference:"subversion-0.17.1-98", release:"SUSE8.2"))
     missing_patch = 1;
    else if (rpm_check(reference:"subversion-0.27.0-209", release:"SUSE9.0"))
     missing_patch = 1;
    else if (rpm_check(reference:"subversion-1.0.0-73.7", release:"SUSE9.1"))
     missing_patch = 1;

    if (missing_patch)
    {
     security_hole(0);
     exit(0);
    }

    # Reached only when no rpm_check() matched. The KB item is recorded when a
    # subversion package exists on one of the covered releases.
    # NOTE(review): presumably this marks the CVE as checked on a patched
    # host -- confirm against whatever reads the "CVE-2004-0413" KB item.
    if (rpm_exists(rpm:"subversion-", release:"SUSE8.1") ||
        rpm_exists(rpm:"subversion-", release:"SUSE8.2") ||
        rpm_exists(rpm:"subversion-", release:"SUSE9.0") ||
        rpm_exists(rpm:"subversion-", release:"SUSE9.1"))
    {
     set_kb_item(name:"CVE-2004-0413", value:TRUE);
    }