[UNIX] BSCW Symlink Vulnerability
From: support@securiteam.com  Date: 08/27/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] BSCW Symlink Vulnerability
Message-Id: <20010827193606.A0CED138BF@mail.der-keiler.de>
Date: Mon, 27 Aug 2001 21:36:06 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
BSCW Symlink Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://bscw.gmd.de/> BSCW (Basic Support for Cooperative Work) enables
collaboration over the Web. BSCW is a 'shared workspace' system that
supports document upload, event notification, group management and much
more. BSCW follows symbolic links in an insecure manner when it unpacks
user-supplied archives, allowing a user of the system to read any file
on the server that the BSCW UID can access.
DETAILS
BSCW does not handle symlinks correctly: instead of detecting them and
refusing to follow them, it follows them blindly. Since BSCW lets users
extract .tar files into their "data-bag" (private space), a malicious
user can exploit this. The attacker creates a .tar file containing a
symlink that points at the file he or she wants to read. After this tar
file has been uploaded to the BSCW server and extracted via the
"extract" menu option, the user's "data-bag" contains the symlink, owned
by the same UID as every other BSCW data object. Clicking on it makes
BSCW follow the symlink and retrieve the target file, so the user can
download or view it.
Example:
$ ln -s /etc/passwd testlink
$ tar cvf testlink.tar testlink
After uploading testlink.tar to the BSCW server and extracting it,
clicking on the "testlink" item in your "data-bag" retrieves the
server's /etc/passwd file.
An attacker can read any file on the system that the UID under which
BSCW runs can access. In most cases this is the web server's UID
(nobody, wwwrun). Since BSCW's own data files are owned by that UID and
carry the same permissions, a malicious user can also read other users'
BSCW data items this way.
The earlier "op_extract" patch fixes this, but leaves a few other
exploitable issues.
Another vulnerability occurs in the standard installation, which calls
the external "zip" tool to convert .tar files to .zip files. With the
"op_extract" patch applied, the symlink can no longer be accessed
through the data-bag, since the new extract function checks for
symlinks after tar has been called. But if the attacker's tar file is
converted to a .zip file, the "zip" tool follows the symlink while
packing and stores the contents of the target file in the resulting
archive.
Solution:
The latest patch, "untar.py", introduces a wrapper that looks for
symlinks and seems to fix all of the symlink vulnerabilities.
You can download the patches and view the installation instructions at
http://bscw.gmd.de/pycXX , where XX is the version of your installed
python package (e.g. http://bscw.gmd.de/pyc20 for python 2.0).
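The following Python script is an illustration added to this advisory; it is not
BSCW code and not the untar.py patch. It builds the advisory's symlink tar
archive in memory, reproduces the unpatched behaviour (the extracted link reads
the target file, and a zip of the data-bag carries the target's contents), and
then shows the kind of pre-extraction check a wrapper has to make: refuse
symlink and hard-link members, and refuse names that would leave the
destination, before a single byte is written. It points the link at a
constructed scratch file instead of /etc/passwd, and it stands in for the
external zip tool with Python's zipfile module, which follows symlinks when
packing just as zip(1) does by default (zip stores links only with -y).

```python
import io
import os
import shutil
import tarfile
import tempfile
import zipfile


class UnsafeMember(ValueError):
    """Raised when an archive member must not be extracted."""


def build_symlink_tar(link_name, target):
    # Constructed attacker archive: one symlink member, no file data.
    # This is "ln -s TARGET testlink; tar cvf testlink.tar testlink" done
    # in memory.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(link_name)
        info.type = tarfile.SYMTYPE
        info.linkname = target
        tar.addfile(info)
    return buf.getvalue()


def naive_extract(tar_bytes, dest):
    # Extract everything, links included: the unpatched behaviour.
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        try:
            tar.extractall(dest, filter="fully_trusted")  # tarfile with extraction filters
        except TypeError:
            tar.extractall(dest)  # older tarfile without the filter argument


def checked_extract(tar_bytes, dest):
    # Wrapper: inspect every member first, write only regular files and
    # directories, and only inside dest.
    dest_real = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        members = tar.getmembers()
        for m in members:
            if m.issym() or m.islnk():
                raise UnsafeMember("link member refused: %s -> %s" % (m.name, m.linkname))
            if not (m.isfile() or m.isdir()):
                raise UnsafeMember("member type refused: %s" % m.name)
            out = os.path.realpath(os.path.join(dest_real, m.name))
            if os.path.commonpath([dest_real, out]) != dest_real:
                raise UnsafeMember("path escapes destination: %s" % m.name)
        for m in members:  # all members passed; now write them
            out = os.path.join(dest_real, m.name)
            if m.isdir():
                os.makedirs(out, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with tar.extractfile(m) as src, open(out, "wb") as dst:
                shutil.copyfileobj(src, dst)


def pack_zip(src_dir, follow_links):
    # Model of the tar-to-zip conversion. ZipFile.write() opens the path,
    # so a symlink is packed as its target's contents unless skipped.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for root, _dirs, files in os.walk(src_dir):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) and not follow_links:
                    continue
                z.write(path, os.path.relpath(path, src_dir))
    return buf.getvalue()


def zip_contents(zip_bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return {n: z.read(n).decode() for n in z.namelist()}


def run_demo(secret_text):
    """Play both attacks and both defences in a scratch directory.

    Returns a dict so the outcome can be checked rather than eyeballed."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")  # stands in for /etc/passwd
        with open(secret, "w") as f:
            f.write(secret_text)
        tar_bytes = build_symlink_tar("testlink", secret)

        # 1. Unpatched: extract, then "click" the item (read it).
        bag1 = os.path.join(tmp, "databag-naive")
        os.mkdir(bag1)
        naive_extract(tar_bytes, bag1)
        with open(os.path.join(bag1, "testlink")) as f:
            naive_leaked = f.read()
        # 2. The zip conversion packs the link target's contents too.
        zip_leaked = zip_contents(pack_zip(bag1, follow_links=True))
        zip_safe = zip_contents(pack_zip(bag1, follow_links=False))

        # 3. Wrapper: the archive is refused before anything is written.
        bag2 = os.path.join(tmp, "databag-checked")
        os.mkdir(bag2)
        try:
            checked_extract(tar_bytes, bag2)
            refused = False
        except UnsafeMember:
            refused = True

        return {
            "naive_leaked": naive_leaked,
            "zip_leaked": zip_leaked,
            "zip_safe": zip_safe,
            "checked_refused": refused,
            "checked_wrote_anything": bool(os.listdir(bag2)),
        }


if __name__ == "__main__":
    for k, v in run_demo("root:x:0:0:root:/root:/bin/sh").items():
        print(k, "=", v)
```

The check has to happen on the archive's member list, not on the extracted
directory: the advisory's point about the op_extract patch is exactly that
looking for symlinks after tar has run still leaves the link on disk for the
zip step to follow.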
ADDITIONAL INFORMATION
The information has been provided by neovatar <mailto:neovatar@wiretap.de>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.