[VulnWatch] BitKeeper remote shell command execution/local vulnerability

From: Maurycy Prodeus (z33d@isec.pl)
Date: 01/11/03

  • Next message: gobbles@hushmail.com: "[VulnWatch] *ALERT* INCLUDING EXPLOIT: Advisory / Exploit for mpg123"
    Date: Sat, 11 Jan 2003 14:06:40 +0100 (CET)
    From: Maurycy Prodeus <z33d@isec.pl>
    To: vulnwatch@vulnwatch.org, <bugtraq@securityfocus.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Synopsis: BitKeeper remote shell command execution/local vulnerability
    Product: BitKeeper (http://www.bitkeeper.com)
    Version: 3.0.x
    Author: Maurycy Prodeus <z33d@isec.pl>
    Date: 11 November 2002

    Issue:
    - ------

    BitKeeper is a source management software. It contains a shell argument
    parsing vulnerability that leads remote attacker to run arbitrary
    shell commands on system where BitKeeper listens to HTTP requests.

    Details:
    - --------

    1. Remote command execution

    BitKeeper may be executed in daemon mode then it opens port and listens
    to incoming requests. BitKeeper provides remote users with access
    to project resources through web interface. It calls external diff binary
    as a parameter to shell -c option which is susceptible to shell
    metacharacter injection.

    2. Locally exploitable race condition

    Second vulnerability is in temporary file handling also during calling
    external programs.

    Piece of strace output:

    20495 getpid() = 20495
    20495 lstat("/tmp/foo.c-1.1-20495", 0xbfffae9c) = -1 ENOENT (No such file or directory)
    20495 lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=16384, ...}) = 0
    20495 open("/tmp/foo.c-1.1-20495", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8

    There is race condition vulnerability after BitKeeper stats the file and
    before the file is opened. Additionally it is created with insecure
    priviledges.

    Impact:
    - -------

    If BitKeeper is running in daemon mode and listens to incoming requests,
    remote attacker can execute arbitrary commands on system with its
    priviledges. Local attacker can additionaly get access to temporary files
    which may cause taken over control of the program.

    Vendor Status:
    - --------------

    November 12, 2002 Vendor has been contacted
    November 12, 2002 First answer
    November 27, 2002 Information about pre-release
    December 10, 2002 Last email

    While coordinating date of publishing this advisory, they stop responding to
    my emails.

    Exploit:
    - --------

    If BitKeeper is run as stand-alone daemon, link:

    http://somehost.com:port/
    diffs/foo.c@%27;echo%20%3Eiwashere%27?nav=index.html|src/|hist/foo.c

    should create file named "iwashere" in project root directory.
      

    - --
    Maurycy Prodeus
    iSEC Security Research
    http://isec.pl/

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQE+IBbnC+8U3Z5wpu4RAkM6AKDEeTh1akZ5TfdWkvw2xaHBkgXIRwCglXYQ
    sjzfB4azJzMu7wJTScSllvg=
    =O+nl
    -----END PGP SIGNATURE-----



    Relevant Pages

    • [NEWS] BitKeeper Remote Shell Command Execution/Local Vulnerability
      ... BitKeeper is a source management software. ... contains a shell argument parsing vulnerability that leads remote attacker ... to run arbitrary shell commands on system where BitKeeper listens to HTTP ... Second vulnerability is in temporary file handling also during calling ...
      (Securiteam)
    • BitKeeper remote shell command execution/local vulnerability
      ... BitKeeper is a source management software. ... parsing vulnerability that leads remote attacker to run arbitrary ... shell commands on system where BitKeeper listens to HTTP requests. ... Second vulnerability is in temporary file handling also during calling ...
      (Bugtraq)