BitKeeper remote shell command execution/local vulnerability

2003-01-13T00:00:00
ID SECURITYVULNS:DOC:3978
Type securityvulns
Reporter Securityvulns
Modified 2003-01-13T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Synopsis: BitKeeper remote shell command execution/local vulnerability Product: BitKeeper (http://www.bitkeeper.com) Version: 3.0.x Author: Maurycy Prodeus <z33d@isec.pl> Date: 11 November 2002

Issue:


BitKeeper is a source management software. It contains a shell argument parsing vulnerability that leads remote attacker to run arbitrary shell commands on system where BitKeeper listens to HTTP requests.

Details:


  1. Remote command execution

BitKeeper may be executed in daemon mode then it opens port and listens to incoming requests. BitKeeper provides remote users with access to project resources through web interface. It calls external diff binary as a parameter to shell -c option which is susceptible to shell metacharacter injection.

  1. Locally exploitable race condition

Second vulnerability is in temporary file handling also during calling external programs.

Piece of strace output:

20495 getpid() = 20495 20495 lstat("/tmp/foo.c-1.1-20495", 0xbfffae9c) = -1 ENOENT (No such file or directory) 20495 lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=16384, ...}) = 0 20495 open("/tmp/foo.c-1.1-20495", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8

There is race condition vulnerability after BitKeeper stats the file and before the file is opened. Additionally it is created with insecure priviledges.

Impact:


If BitKeeper is running in daemon mode and listens to incoming requests, remote attacker can execute arbitrary commands on system with its priviledges. Local attacker can additionaly get access to temporary files which may cause taken over control of the program.

Vendor Status:


November 12, 2002 Vendor has been contacted November 12, 2002 First answer November 27, 2002 Information about pre-release December 10, 2002 Last email

While coordinating date of publishing this advisory, they stop responding to my emails.

Exploit:


If BitKeeper is run as stand-alone daemon, link:

http://somehost.com:port/ diffs/foo.c@%27;echo%20%3Eiwashere%27?nav=index.html|src/|hist/foo.c

should create file named "iwashere" in project root directory.


Maurycy Prodeus iSEC Security Research http://isec.pl/

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+IBbnC+8U3Z5wpu4RAkM6AKDEeTh1akZ5TfdWkvw2xaHBkgXIRwCglXYQ sjzfB4azJzMu7wJTScSllvg= =O+nl -----END PGP SIGNATURE-----