BitKeeper remote shell command execution/local vulnerability

From: Maurycy Prodeus (z33dat_private)
Date: Sat Jan 11 2003 - 05:06:40 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    Synopsis:    BitKeeper remote shell command execution/local vulnerability
    Product:     BitKeeper (http://www.bitkeeper.com)
    Version:     3.0.x
    Author:      Maurycy Prodeus <z33dat_private>
    Date:        11 November 2002
    
    Issue:
    - ------
    
    BitKeeper is source management software. It contains a shell argument
    parsing vulnerability that lets a remote attacker run arbitrary shell
    commands on a system where BitKeeper listens for HTTP requests.
    
    
    Details:
    - --------
    
    1. Remote command execution
    
    BitKeeper may be run in daemon mode, in which case it opens a port and
    listens for incoming requests, giving remote users access to project
    resources through a web interface. To produce diffs it invokes the
    external diff binary by passing a command line to the shell's -c option,
    and that command line is susceptible to shell metacharacter injection.
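The two invocation styles side by side, as an added example that is not part of the advisory or of BitKeeper's code. It assumes nothing about BitKeeper internals: `printf` stands in for the external diff binary, and the injected revision string is the advisory's URL payload after percent-decoding. The vulnerable form splices the untrusted revision into one string for `sh -c`; the hardened form validates the revision against the grammar a revision number is expected to have and then passes it as its own argv element with no shell in between.

```python
import os
import re
import subprocess
import tempfile

# Constructed payload: the advisory's URL fragment foo.c@%27;echo%20%3Eiwashere%27
# after percent-decoding, i.e. the revision part becomes  '; echo >iwashere'
INJECTED_REV = "'; echo >iwashere'"


def run_unsafe(rev: str, cwd: str) -> subprocess.CompletedProcess:
    """Vulnerable pattern: the untrusted revision is interpolated into a single
    command string handed to `sh -c`. A quote inside `rev` closes the literal
    early and everything after it is parsed as further shell commands.
    (printf stands in for the external diff binary.)"""
    cmd = f"printf '%s\\n' '{rev}'"
    return subprocess.run(["sh", "-c", cmd], cwd=cwd,
                          capture_output=True, text=True)


# Grammar we are willing to accept for a revision: digits separated by dots,
# e.g. "1.1" or "1.2.3". Anything else is rejected before any process starts.
REV_RE = re.compile(r"[0-9]+(\.[0-9]+)*")


def run_safe(rev: str, cwd: str) -> str:
    """Hardened pattern: allow-list the input, then exec the helper directly
    with an argv list. No shell ever sees `rev`, so metacharacters are inert."""
    if not REV_RE.fullmatch(rev):
        raise ValueError(f"rejected revision string: {rev!r}")
    proc = subprocess.run(["printf", "%s\n", rev], cwd=cwd,
                          capture_output=True, text=True, check=True)
    return proc.stdout


def demo(rev: str, runner) -> dict:
    """Run `runner` in a scratch directory and report whether the input was
    rejected and whether the injected `echo >iwashere` managed to create a file."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            runner(rev, scratch)
            rejected = False
        except ValueError:
            rejected = True
        created = os.path.exists(os.path.join(scratch, "iwashere"))
        return {"rejected": rejected, "file_created": created}


if __name__ == "__main__":
    print("unsafe, injected rev:", demo(INJECTED_REV, run_unsafe))
    print("safe,   injected rev:", demo(INJECTED_REV, run_safe))
    print("safe,   rev 1.1     :", demo("1.1", run_safe))
```

The allow-list matters as much as dropping the shell: even with an argv list, a revision such as `-r` or `--foo` could be read by the helper as an option, so validating the shape of the value before it reaches any external program closes that second door too.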
    
    2. Locally exploitable race condition
    
    The second vulnerability is in temporary file handling, again while
    calling external programs.
    
    Piece of strace output:
    
    20495 getpid()                          = 20495
    20495 lstat("/tmp/foo.c-1.1-20495", 0xbfffae9c) = -1 ENOENT (No such file or directory)
    20495 lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=16384, ...}) = 0
    20495 open("/tmp/foo.c-1.1-20495", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8
    
    There is a race condition between BitKeeper's lstat() of the predictable
    /tmp path and the subsequent open() that creates it. Additionally, the
    file is created with insecure permissions (mode 0666).
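The check-then-create window from the strace, reproduced as an added example that is not part of the advisory or of BitKeeper. It assumes only the pattern the trace shows: a predictable `<file>-<rev>-<pid>` name, an `lstat()` check, then an `open()` with `O_CREAT|O_TRUNC` and mode 0666. The simulation plants a symlink inside that window (in a throwaway directory rather than /tmp) and compares the outcome with an atomic `O_CREAT|O_EXCL|O_NOFOLLOW` open at mode 0600 and with `tempfile.mkstemp`, which is the fix a defender would apply.

```python
import errno
import os
import tempfile


def predictable_name(base_dir: str, fname: str = "foo.c", rev: str = "1.1") -> str:
    """Constructed name mirroring the trace: /tmp/foo.c-1.1-<pid>, but rooted
    in base_dir so the example never touches the real /tmp."""
    return os.path.join(base_dir, f"{fname}-{rev}-{os.getpid()}")


def open_temp_unsafe(path: str, race_hook=lambda: None) -> int:
    """The lstat-then-open sequence from the strace. `race_hook` models what
    another local user can do between the two calls."""
    try:
        os.lstat(path)
        raise FileExistsError(path)
    except FileNotFoundError:
        pass
    race_hook()  # --- the window: path may now be a symlink ---
    # O_CREAT without O_EXCL follows an existing symlink; O_TRUNC then empties
    # whatever it points at; 0666 lets anyone read or write the result.
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)


def open_temp_safe(path: str) -> int:
    """Atomic create: O_EXCL fails if anything already sits at the path (a
    symlink included), O_NOFOLLOW refuses to traverse one, mode is owner-only."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.open(path, flags, 0o600)


def mkstemp_is_private(base_dir: str) -> bool:
    """Preferred fix: mkstemp picks an unpredictable suffix, opens with O_EXCL
    and mode 0600 in one call. Returns True if the resulting file is 0600."""
    fd, path = tempfile.mkstemp(prefix="foo.c-1.1-", dir=base_dir)
    try:
        return (os.fstat(fd).st_mode & 0o777) == 0o600
    finally:
        os.close(fd)
        os.unlink(path)


def simulate_race(use_safe: bool) -> dict:
    """Plant a symlink to a victim file at the predictable path and report
    whether the open succeeded and what happened to the victim's contents."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as f:
            f.write("important data\n")  # 15 bytes, constructed
        path = predictable_name(d)
        plant = lambda: os.symlink(victim, path)

        result = {"opened": False, "errno": None}
        try:
            if use_safe:
                plant()  # attacker has already won the race
                fd = open_temp_safe(path)
            else:
                fd = open_temp_unsafe(path, race_hook=plant)
            result["opened"] = True
            os.close(fd)
        except OSError as e:
            result["errno"] = errno.errorcode.get(e.errno, e.errno)
        result["victim_size"] = os.path.getsize(victim)
        return result


if __name__ == "__main__":
    print("unsafe:", simulate_race(use_safe=False))   # victim truncated to 0 bytes
    print("safe:  ", simulate_race(use_safe=True))    # open refused, victim intact
    print("mkstemp private:", mkstemp_is_private(tempfile.gettempdir()))
```

The unsafe run shows the real cost of the bug class: the truncation lands on whatever the planted link points at, with the privileges of the BitKeeper process. The safe variants never consult the result of a separate check; the kernel makes the existence decision and the create in one step.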
    
    Impact:
    - -------
    
    If BitKeeper is running in daemon mode and listening for incoming requests,
    a remote attacker can execute arbitrary commands on the system with
    BitKeeper's privileges. A local attacker can additionally gain access to
    its temporary files, which may allow taking control of the program.
    
    
    Vendor Status:
    - --------------
    
    November 12, 2002        Vendor has been contacted
    November 12, 2002        First answer
    November 27, 2002        Information about pre-release
    December 10, 2002        Last email
    
    While coordinating the publication date of this advisory, they stopped
    responding to my emails.
    
    Exploit:
    - --------
    
    If BitKeeper is run as a stand-alone daemon, the link:
    
    http://somehost.com:port/
    diffs/foo.c@%27;echo%20%3Eiwashere%27?nav=index.html|src/|hist/foo.c
    
    should create a file named "iwashere" in the project root directory.
      
    
    - -- 
    Maurycy Prodeus
    iSEC Security Research
    http://isec.pl/
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)
    
    iD8DBQE+IBbnC+8U3Z5wpu4RAkM6AKDEeTh1akZ5TfdWkvw2xaHBkgXIRwCglXYQ
    sjzfB4azJzMu7wJTScSllvg=
    =O+nl
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Wed Jan 15 2003 - 15:38:06 PST