[NEWS] BitKeeper Remote Shell Command Execution/Local Vulnerability
From: support@securiteam.com
Date: 01/12/03
From: support@securiteam.com To: list@securiteam.com Date: 12 Jan 2003 18:29:42 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
BitKeeper Remote Shell Command Execution/Local Vulnerability
------------------------------------------------------------------------
SUMMARY
BitKeeper (http://www.bitkeeper.com/) is source management software. It
contains a shell argument parsing vulnerability that lets a remote attacker
run arbitrary shell commands on a system where BitKeeper listens for HTTP
requests.
DETAILS
Vulnerable systems:
* BitKeeper version 3.0.x
1. Remote command execution
BitKeeper can be run in daemon mode, in which case it opens a port and listens
for incoming requests, giving remote users access to project resources through
a web interface. To produce diffs it invokes the external diff binary through
the shell's -c option, with the requested file name embedded in the command
string, which makes it susceptible to shell metacharacter injection.
2. Locally exploitable race condition
The second vulnerability is in temporary file handling, again while calling
external programs.
Piece of strace output:
20495 getpid() = 20495
20495 lstat("/tmp/foo.c-1.1-20495", 0xbfffae9c) = -1 ENOENT (No such file or directory)
20495 lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=16384, ...}) = 0
20495 open("/tmp/foo.c-1.1-20495", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8
There is a race condition between the lstat() check on the temporary file and
the subsequent open(): the name is predictable (file name, revision and the
process id returned by getpid()), so a local attacker has a window between the
check and the open. Additionally, the file is created with insecure
permissions (mode 0666).
Impact:
If BitKeeper is running in daemon mode and listening for incoming requests, a
remote attacker can execute arbitrary commands on the system with BitKeeper's
privileges. Further, a local attacker can gain access to the temporary files,
which may allow taking over control of the program.
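As an added illustration (not BitKeeper's own code; the helper names are hypothetical), the two defects above side by side with their fixes: a command string built from a caller-supplied file name and handed to "sh -c", versus starting diff with an argument vector through execvp() so no shell parses the name; and the lstat()-then-open(0666) sequence on a predictable "/tmp/foo.c-1.1-<pid>" name replaced by mkstemp(), which creates and opens a randomly named file atomically with mode 0600.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (constructed illustration): the requested file name is
   pasted into a string that is later handed to "sh -c", so a name containing
   ';' or quotes turns into extra shell commands. Returns the string length. */
int build_shell_cmd(const char *file, char *out, size_t n)
{
    return snprintf(out, n, "diff -u %s-old %s", file, file);
}

/* Hardened: diff is started with an argument vector via execvp(), so the
   name is a single literal argv entry and no shell ever parses it. Returns
   the child's exit status, or -1 if it could not be started or did not exit. */
int run_diff_noshell(const char *old_file, const char *new_file)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = {"diff", "-u", (char *)old_file, (char *)new_file, NULL};
        execvp("diff", argv);
        _exit(127);               /* exec failed: report like a shell would */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hardened temp file: instead of lstat() then open(O_CREAT|O_TRUNC, 0666)
   on a predictable "/tmp/foo.c-1.1-<pid>" name, mkstemp() picks a random
   suffix and creates + opens the file in one atomic step with mode 0600.
   Writes the chosen name into name_out and returns the open descriptor. */
int make_private_temp(char *name_out, size_t n)
{
    if (snprintf(name_out, n, "%s", "/tmp/foo.c-1.1-XXXXXX") >= (int)n)
        return -1;
    return mkstemp(name_out);
}
```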
Vendor Status:
November 12, 2002 Vendor has been contacted
November 12, 2002 First answer
November 27, 2002 Information about pre-release
December 10, 2002 Last email
While coordinating the publication date of this advisory, the vendor stopped
responding to Maurycy's emails.
Exploit:
If BitKeeper is run as a stand-alone daemon, the link:
http://somehost.com:port/diffs/foo.c@%27;echo%20%3Eiwashere%27?nav=index.html|src/|hist/foo.c
should create a file named "iwashere" in the project root directory.
ADDITIONAL INFORMATION
The information has been provided by Maurycy Prodeus <mailto:z33d@isec.pl>.