[NEWS] BitKeeper Remote Shell Command Execution/Local Vulnerability

From: support@securiteam.com
Date: 01/12/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 12 Jan 2003 18:29:42 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      BitKeeper Remote Shell Command Execution/Local Vulnerability


     <http://www.bitkeeper.com/> BitKeeper is source management software. It
    contains a shell argument parsing vulnerability that allows a remote attacker
    to run arbitrary shell commands on the system on which BitKeeper listens for
    HTTP requests.

    Vulnerable systems:
     * BitKeeper version 3.0.x

    1. Remote command execution
    BitKeeper may be executed in daemon mode; it then opens a port and listens for
    incoming requests. BitKeeper provides remote users with access to project
    resources through a web interface. It passes the external diff command as the
    argument of the shell's -c option, which is susceptible to shell
    metacharacters.

    2. Locally exploitable race condition
    The second vulnerability is in temporary file handling, also while calling
    external programs.

    Excerpt of strace output:
    20495 getpid() = 20495
    20495 lstat("/tmp/foo.c-1.1-20495", 0xbfffae9c) = -1 ENOENT (No such file or directory)
    20495 lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=16384, ...}) =
    20495 open("/tmp/foo.c-1.1-20495", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8

    There is a race condition window after BitKeeper lstat()s the file and
    before the file is opened. Additionally, the file is created with insecure
    permissions (mode 0666 in the open() call above).
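    The lstat()-then-open() sequence in the strace above is the classic
    check-then-use pattern. The following is an added example (not BitKeeper's
    code) of the hardened form: one atomic open() with O_EXCL and O_NOFOLLOW at
    mode 0600, verified through the descriptor rather than the path, plus a
    mkstemp() variant that also makes the name unpredictable. The "bk-diff"
    prefix is a constructed placeholder.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for lstat()-then-open(): create the file only if the
 * name is still free (O_EXCL), never follow a symlink planted there
 * (O_NOFOLLOW), and start at mode 0600 instead of 0666. Returns the fd, or -1
 * if the name was already taken or the result is not a fresh private file. */
int open_new_private(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Verify via the fd, not the path, so this check cannot be raced either. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & 0077) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Preferred form: an unpredictable name as well. mkstemp() fills in the
 * XXXXXX and opens with O_CREAT|O_EXCL, mode 0600, in one step; `path`
 * receives the chosen name. "bk-diff" is a constructed placeholder prefix. */
int open_private_tmpfile(char *path, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(path, len, "%s/bk-diff.XXXXXX", dir) >= (int)len)
        return -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || (st.st_mode & 0077) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}
```

    With O_EXCL the open fails instead of following a link left at the
    predictable name, so the truncation of an arbitrary target that the 0666
    O_TRUNC open permits cannot happen.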

    If BitKeeper is running in daemon mode and listening for incoming requests,
    a remote attacker can execute arbitrary commands on the system with the
    daemon's privileges. Further, a local attacker can gain access to the
    temporary files, which may allow him to take control of the program.

    Vendor Status:
    November 12, 2002 Vendor has been contacted
    November 12, 2002 First answer
    November 27, 2002 Information about pre-release
    December 10, 2002 Last email

    While the publication date of this advisory was being coordinated, they
    stopped responding to Maurycy's emails.

    If BitKeeper is run as a stand-alone daemon, the following link:


    should create a file named "iwashere" in the project root directory.


    The information has been provided by Maurycy <z33d@isec.pl>.

