Synopsis: BitKeeper remote shell command execution / local vulnerability
Product: BitKeeper (http://www.bitkeeper.com)
Version: 3.0.x
Author: Maurycy Prodeus
Date: 11 November 2002

Issue:
------
BitKeeper is source management software. It contains a shell argument
parsing vulnerability that lets a remote attacker run arbitrary shell
commands on a system where BitKeeper listens for HTTP requests.

Details:
--------
1. Remote command execution

BitKeeper may be run in daemon mode, in which case it opens a port and
listens for incoming requests, giving remote users access to project
resources through a web interface. To produce diffs it invokes the
external diff binary through the shell's -c option, with the command line
built from request data, so the request is susceptible to shell
metacharacter injection.

2. Locally exploitable race condition

The second vulnerability is in temporary file handling, also while
calling external programs. Piece of strace output:

20495 getpid() = 20495
20495 lstat("/tmp/foo.c-1.1-20495", 0xbfffae9c) = -1 ENOENT (No such file or directory)
20495 lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=16384, ...}) = 0
20495 open("/tmp/foo.c-1.1-20495", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8

There is a race condition between BitKeeper's lstat() of the file and the
subsequent open(): the file name is predictable (it ends in the process
id) and the open() uses O_CREAT|O_TRUNC without O_EXCL, so the earlier
check does not protect the open. Additionally, the file is created with
insecure permissions (mode 0666).

Impact:
-------
If BitKeeper is running in daemon mode and listening for incoming
requests, a remote attacker can execute arbitrary commands on the system
with BitKeeper's privileges. A local attacker can additionally gain access
to the temporary files, which may lead to taking over control of the
program.

Vendor Status:
--------------
November 12, 2002  Vendor has been contacted
November 12, 2002  First answer
November 27, 2002  Information about pre-release
December 10, 2002  Last email

While coordinating the date of publishing this advisory, they stopped
responding to my emails.
Exploit:
--------
If BitKeeper is run as a stand-alone daemon, the link:

http://somehost.com:port/diffs/foo.c@%27;echo%20%3Eiwashere%27?nav=index.html|src/|hist/foo.c

should create a file named "iwashere" in the project root directory.
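The hardened temporary-file creation that closes the race described under Details, as an added example (this is not BitKeeper's code or the author's). It replaces the lstat()-then-open() sequence from the strace output with a single O_CREAT|O_EXCL open at mode 0600, shows the mkstemp() variant, and checks both against a constructed stale entry at the same predictable /tmp/foo.c-1.1-<pid> name:

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Replacement for the lstat()-then-open() pair in the strace output: no
 * separate existence check, O_CREAT|O_EXCL makes the kernel refuse atomically
 * if anything (file or symlink) already sits at path, and 0600 replaces 0666. */
int open_tmp_securely(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred form when the name need not be predictable: mkstemp() picks a
 * random suffix and itself opens with O_CREAT|O_EXCL and mode 0600.
 * The chosen path is written to out (outlen bytes). */
int open_tmp_random(const char *prefix, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s-XXXXXX", prefix);
    return mkstemp(out);
}

/* Self-check on a name of the same shape as in the strace output. A symlink
 * planted at that path (constructed stale entry) must make open_tmp_securely()
 * fail with EEXIST; a clean open and a mkstemp() open must both be mode 0600. */
int demo(void)
{
    char path[128], rnd[128];
    struct stat st;
    snprintf(path, sizeof path, "/tmp/foo.c-1.1-%ld", (long)getpid());
    unlink(path);
    if (symlink("/tmp/somewhere-else", path) != 0) return 0;
    int fd = open_tmp_securely(path);
    int refused = (fd == -1 && errno == EEXIST);
    if (fd != -1) close(fd);
    unlink(path);
    fd = open_tmp_securely(path);
    int ok_excl = (fd != -1 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600);
    if (fd != -1) { close(fd); unlink(path); }
    fd = open_tmp_random("/tmp/foo.c-1.1", rnd, sizeof rnd);
    int ok_rnd = (fd != -1 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600);
    if (fd != -1) { close(fd); unlink(rnd); }
    return refused && ok_excl && ok_rnd;   /* 1 when all three checks pass */
}
```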