SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
SecurityTracker
Archives


Category:  Application (Web Server/CGI)  >  BSCW Vendors:  GMD
Basic Support for Cooperative Work (BSCW) Input Filtering Flaw Lets Remote Users Execute Arbitrary Shell Commands on the Server
Date:  Jan 3 2002
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 4.0.6
Description:  A meta-character input validation error was reported in the Basic Support for Cooperative Work (BSCW) server software. A remote user with an account on the system can execute arbitrary commands on the server.

It is reported that the file format conversion function in BSCW does not properly filter meta-characters from user-supplied input. The following characters are apparently permitted:

&;^()[]{}

A remote user with an account on the BSCW application can attempt to convert a file format and specify a malicious file name containing meta characters. This may allow the remote user to execute arbitrary shell commands on the server with the privileges of the BSCW application.

It is also reported that the default configuration of BSCW permits self-registration of new users, allowing remote users to obtain accounts on the application. This default feature may not be desired by some administrators.

Impact:  A remote user can execute arbitrary shell commands on the server with the privileges of the BSCW server.
Solution:  The vendor has released a fixed version (BSCW 4.0.6) and recommends that users upgrade to the new release, available at:

http://bscw.gmd.de/Download.html

To eliminate self-registration of remote users, set the MAY_REGISTER directive in your config.py file.

Vendor URL:  bscw.gmd.de/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (NT)
Reported By:  SQEHXLLBQUJX@spammotel.com
Message History:   None.


 Source Message Contents

Date:  Thu, 3 Jan 2002 00:13:32 +0100
From:  SQEHXLLBQUJX@spammotel.com
Subject:  BSCW: Vulnerabilities and Problems

 

------------------------------------------------------------------------
-=\ BSCW Security Issues - Audit report 02 - 7. Sept. 2001 \=-
------------------------------------------------------------------------

BSCW is a groupware system that runs on a webserver. For more
information about BSCW visit the developer website (http://bscw.gmd.de/
and http://www.orbiteam.de).

While auditing the BSCW system, I discovered two more vulnerabilities.
This document explains the vulnerabilities, how I noticed them and
what you can do to fix them.

-----------------------------------------------------------
-=\ Vulnerability no. 1: insecure default configuration \=-
-----------------------------------------------------------

Type:

  Insecure default configuration.

Effect:

  Gives unwanted people the possibility to
  register as user of the BSCW server.

Software affected:

  All 3.x versions of BSCW, version 4 not tested, but probably as well.

Severity:

  Low risk / Medium risk
  Very high risk, if other security issues exist

Solution:

  Think.


-=\ Description \=-

Normally the BSCW software is configured to allow self registration of
users. This enables the administrator to register himself as the first
user, after setting up the server. Self registration can normally
be done by accessing:

http://your.bscwserver.url/pub/english.cgi?op=rmail

Although allowing self registration of users can be a wanted
configuration, in most cases this isn't the case. Many BSCW servers
are targeted at a closed user community. In my opinion the BSCW
system should register the server admin in the install procedure and
should not allow self registration out of the box. If the admins have to
enable the self registration of users by changing a configuration file,
they might think twice about it. The major danger of self
registration is not that you give unwanted users access to your system
and allow them to put files there. You give them access to a complex
script running on your webserver and the possibility to exploit security
holes. I checked for BSCW servers with a popular internet search engine
and was able to self register in quite a lot of them, even on those that
seemed to be there for a closed user community.

You should think twice before setting up self registration, the better
choice is to change the configuration, so that only a couple of
trusted users are allowed to register new users.

Example (line of config.py located in your <bscw-dir>/src/):

MAY_REGISTER = ['joedoe','jane']

Allows the users "joedoe" and "jane" to invite new users into the
system. Note that users classified as admins are allowed to invite new
users also.

-------------------
-=\ Fix \=-
-------------------

No fix for this, as it isn't a real bug. Maybe a changed installation
procedure, without the need to enable self registration, would be a
good idea. If you don't need self registration of users, set the
MAY_REGISTER directive in your config.py file.

---------------------------------------------------------------
-=\ Vulnerability no. 2: shell meta characters not filtered \=-
---------------------------------------------------------------

Type:

  Some shell meta characters are not filtered from user input when
  calling external programs.

Effect:

  Gives a malicious user the possibility to run any shell script he
  wants, under the UID of the BSCW software.

Software affected:

  All 3.x versions of BSCW running under Unix like OS.
  Version 4 not tested (probably vulnerable too. edit: Bug has been fixed in 
  the 21. Dec. Version 4 release).
  Depending on how external programs are called under Windows, a similar
  vulnerability may exist in BSCW for Windows.

Severity:

  Ouch. Very high risk.

Solution:

  Change the way external tools are called immediately. If you don't
  need an external conversion tool, disable it. Wait for a patch from
  GMD/Orbiteam.


-=\ Description \=-

The BSCW system gives the users the possibility to convert files into
other formats (e.g. GIF into JPEG). This is done by calling external
tools. The user can enter the filename of the converted file. Since the
user input is handed as parameter to the external programs, which are
called via a shell, shell meta characters should be filtered out of the
user input. Most of them are filtered by BSCW, but there are a few which
aren't:

&;^()[]{}

The dangerous characters are "&",";","^". I'll explain the
vulnerability, using the conversion of a JPEG to a GIF as example:

After you have set your skill level in your userprofile to "Expert", you
have the ability to convert certain file formats into another format.
BSCW achieves this by calling external helper tools.

Let's say we have a file "test.jpg" in a folder we can access. We click on
the "convert" option. In the following dialog we choose our settings for
the conversion, we select "GIF" and "no encoding". We can enter
the name of the output file also, the default is the name of the file
("test.jpg" in our case). We don't change the name. Hitting the convert
button gives you a file named "test.gif".

Now we enter some shell meta characters as file name:

"'`/\|<>*?&;^()[]{}

And get output similar to this:

Some text saying that the conversion wasn't successful.
 
/bin/X11/djpeg -gif -outfile /BSCW/Tmp/@8279_1/&;^()[]{}
/BSCW/Tmp/@8279_1/@8279_2
) 2>&1
 

This is the output of the shell call which the BSCW system did. Looking
at the metachars you can see that "'`\|<>*? are filtered, while &;^()[]{}
are not. The @8279_1 and @8279_2 are internal object reference codes that
BSCW creates. Now we use ;ls; as file name for the conversion (; is the
command separator for shell commands), we get something like:

/bin/X11/djpeg: can't open /BSCW/Tmp/@8558_1/
@8558_2
sh: /BSCW/Tmp/@8558_1/@8558_2: cannot execute
 
/bin/X11/djpeg -gif -outfile /BSCW/Tmp/@8558_1/;ls;
/BSCW/Tmp/@8558_1/@8558_2
) 2>&1
 

We executed the "ls" command (output is "/BSCW/@8558_1/@8558_2"). So
there is one file in this temporary directory, which is in fact our
"test.jpg" file. Then we get the "cannot execute" error, since the shell
tries to execute "/BSCW/Tmp/@8558_1/@8558_2" (we separated it in the
commandline by ";").

Now we create our exploit shell script:

echo code executed on webserver
uname -a

We use "test.jpg" as name for this script and upload it to the BSCW
server, setting the MIME type to "jpeg" manually in the upload dialog.
Since BSCW creates the temp file for conversion without the exec bit
set, we have to execute it by calling the shell with the file as argument.
We do this by giving ";sh" as file name for the converted file:

/bin/X11/djpeg: can't open /BSCW/Tmp/@9586_1/
code executed on bscw server:
SunOS marin 5.8 Generic_111848-01 sun4u sparc SUNW,Ultra-4
 
/bin/X11/djpeg  -gif -outfile /BSCW/Tmp/@9586_1/;
sh /BSCW/Tmp/@9586_1/@9586_2
) 2>&1
 

-------------------
-=\ Fix \=-
-------------------

The configuration for calling external conversion programs is in the
file "config_converters.py", located in the "/src" directory of your BSCW
installation. It contains one entry for each conversion possibility
(gif->jpeg, jpeg->gif, gif->ps ...). Those entries look like this:

# JPEG -> GIF  (0.8)
 ('image/jpeg', 'image/gif', '0.8',
  '/usr/bin/X11/djpeg  -gif -outfile %(dest)s %(src)s',
  'Colors, if more than 256'),


Change it to:

# JPEG -> GIF  (0.8)
 ('image/jpeg', 'image/gif', '0.8',
  '/usr/bin/X11/djpeg  -gif -outfile "%(dest)s" "%(src)s"',
  'Colors, if more than 256'),

Do this for all the conversion programs. That way parameters are quoted 
and not interpreted.


Thomas Seliger
tom[at]wiretap(dot)de
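An added illustration, not part of the advisory above and not BSCW's own code, of why the durable fix for this class of bug is to stop going through a shell: the partial filter described above leaves ";" in a file name, a %-formatted command string then turns that name into a second command, whereas a template tokenised into argv keeps it as one argument regardless of which characters the filter covers. The djpeg path and the temporary directory name are assumed from the output quoted in the report.

```python
import shlex
import subprocess

# Character sets taken from the advisory: the first set is what BSCW 3.x
# removed from the output-file name, the second is what it let through.
BSCW_FILTERED = set('"\'`/\\|<>*?')
BSCW_UNFILTERED = set('&;^()[]{}')
SHELL_META = BSCW_FILTERED | BSCW_UNFILTERED

# Template in the config_converters.py style shown above (tool path assumed;
# nothing is executed by the checks below).
DJPEG_TEMPLATE = '/usr/bin/X11/djpeg  -gif -outfile %(dest)s %(src)s'


def bscw_filter(name):
    """Emulate the partial filter described in the report: only BSCW_FILTERED
    characters are dropped, so ';' and '&' survive untouched."""
    return ''.join(c for c in name if c not in BSCW_FILTERED)


def has_shell_meta(name):
    """Defence-in-depth check: true if any shell metacharacter is present."""
    return any(c in SHELL_META for c in name)


def render_shell_command(template, src, dest):
    """The vulnerable pattern: one string that a shell will re-parse, so a
    ';' inside dest ends the djpeg command and starts a new one."""
    return template % {'src': src, 'dest': dest}


def build_argv(template, src, dest):
    """Safe pattern: tokenise the template first, then substitute values into
    individual tokens; a file name can never become a second command."""
    values = {'src': src, 'dest': dest}
    return [tok % values if '%(' in tok else tok for tok in shlex.split(template)]


def run_converter(template, src, dest):
    """Run the converter without a shell; argv reaches execve() verbatim."""
    return subprocess.run(build_argv(template, src, dest), capture_output=True)


if __name__ == '__main__':
    tmp = '/BSCW/Tmp/@9586_1/'   # directory name assumed from the report output
    # ';sh' passes the partial filter and splits the string form in two:
    print(render_shell_command(DJPEG_TEMPLATE, tmp + '@9586_2', tmp + bscw_filter(';sh')))
    # ...but stays a single argv element in the safe form:
    print(build_argv(DJPEG_TEMPLATE, tmp + '@9586_2', tmp + ';sh'))
```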

 



Copyright 2002, SecurityGlobal.net LLC