BitKeeper is source management software. It contains a shell argument
parsing vulnerability that allows a remote attacker to run arbitrary
shell commands on a system where BitKeeper listens for HTTP requests.
Details:
1. Remote command execution
BitKeeper may be executed in daemon mode, in which case it opens a port and
listens for incoming requests. BitKeeper provides remote users with access
to project resources through a web interface. It calls the external diff binary
by passing the command line to the shell's -c option, which is susceptible to
shell metacharacter injection.
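How the diff invocation described above can be made immune to metacharacter injection, as an added C example (not BitKeeper's code): the external program is started with execvp() and an argv array rather than a shell command line, so for the diff call the array would be { "diff", "-u", "--", old, new, NULL }. run_argv_capture and demo_metachars_inert are hypothetical names and the echo argument is constructed for the check.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[0] through execvp(), never "sh -c", and capture its stdout.
 * Each argv element reaches the child verbatim, so shell metacharacters in a
 * user-supplied file name have no meaning. Returns the exit status or -1. */
int run_argv_capture(char *const argv[], char *out, size_t outsz)
{
    int fds[2], status;
    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {                         /* child: stdout -> pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);              /* no shell involved */
        _exit(127);
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t n;
    while (used + 1 < outsz &&
           (n = read(fds[0], out + used, outsz - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed check: a name carrying shell metacharacters comes back from
 * echo as one literal argument (echo stands in for diff so the argument is
 * simply reflected). Returns 1 when the output is the unmodified string. */
int demo_metachars_inert(void)
{
    char *const argv[] = { "echo", "foo.c'; echo injected; '", NULL };
    char out[128];
    if (run_argv_capture(argv, out, sizeof out) != 0)
        return 0;
    return strcmp(out, "foo.c'; echo injected; '\n") == 0;
}
```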
2. Locally exploitable race condition
The second vulnerability is in temporary file handling, also during calls to
external programs.
Piece of strace output:
20495 getpid() = 20495
20495 lstat("/tmp/foo.c-1.1-20495", 0xbfffae9c) = -1 ENOENT (No such file or directory)
20495 lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=16384, ...}) = 0
20495 open("/tmp/foo.c-1.1-20495", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8
There is a race condition between BitKeeper's lstat() of the file and the
subsequent open(): the name is checked and then opened with O_CREAT|O_TRUNC
(without O_EXCL) in the world-writable /tmp directory. Additionally, the file
is created with insecure permissions (mode 0666).
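The check-then-open sequence from the strace above beside a fixed version, as an added C example (not BitKeeper's code): mkstemp() picks an unpredictable suffix and creates the file with O_CREAT|O_EXCL and mode 0600 in a single call, closing the window. The function names, the /tmp/bk-demo directory and the dangling symlink target are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern seen in the strace: separate existence check, then open() with
 * O_CREAT|O_TRUNC (no O_EXCL) and mode 0666. Kept only for contrast. */
int open_tmp_racy(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == 0)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Fixed: mkstemp() chooses an unpredictable suffix and creates the file with
 * O_CREAT|O_EXCL and mode 0600 in one call, so there is no check/use window. */
int open_tmp_safe(const char *dir, const char *stem, char *path, size_t n)
{
    if (snprintf(path, n, "%s/%s-XXXXXX", dir, stem) >= (int)n)
        return -1;
    return mkstemp(path);
}

/* Constructed check in a private directory: a symlink planted at the expected
 * name is rejected by O_EXCL (EEXIST even though it dangles), and the mkstemp
 * file has no group/other permission bits. Returns 1 when both hold. */
int demo_tmp_handling(void)
{
    char dir[] = "/tmp/bk-demo-XXXXXX", link[64], tmp[64];
    struct stat st;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(link, sizeof link, "%s/foo.c-1.1-20495", dir);
    if (symlink("/nonexistent-target", link) == -1)
        return 0;
    int fd = open(link, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int excl_refused = (fd == -1 && errno == EEXIST);
    if (fd != -1) close(fd);
    fd = open_tmp_safe(dir, "foo.c-1.1", tmp, sizeof tmp);
    int mode_ok = fd != -1 && fstat(fd, &st) == 0 && (st.st_mode & 077) == 0;
    if (fd != -1) { close(fd); unlink(tmp); }
    unlink(link);
    rmdir(dir);
    return excl_refused && mode_ok;
}
```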
Impact:
If BitKeeper is running in daemon mode and listening for incoming requests, a
remote attacker can execute arbitrary commands on the system with BitKeeper's
privileges. A local attacker can additionally gain access to the temporary
files, which may lead to taking over control of the program.
Vendor Status:
November 12, 2002 Vendor has been contacted
November 12, 2002 First answer
November 27, 2002 Information about pre-release
December 10, 2002 Last email
While coordinating the publication date of this advisory, they stopped
responding to my emails.
Exploit:
If BitKeeper is run as a stand-alone daemon, the link
http://somehost.com:port/diffs/foo.c@%27;echo%20%3Eiwashere%27?nav=index.html|src/|hist/foo.c
should create a file named "iwashere" in the project root directory.
Maurycy Prodeus
iSEC Security Research
http://isec.pl/
Synopsis: BitKeeper remote shell command execution/local vulnerability
Product: BitKeeper (http://www.bitkeeper.com)
Version: 3.0.x
Author: Maurycy Prodeus <z33d@isec.pl>
Date: 11 November 2002
Published on Securityvulns as SECURITYVULNS:DOC:3978, 2003-01-13.