From s.esser@e-matters.de Mon Jun 14 01:23:18 2004 From: Stefan Esser To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com Date: Sun, 13 Jun 2004 14:44:34 +0200 Subject: [Full-Disclosure] Advisory 10/2004: Chora CVS/SVN Viewer remote vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 e-matters GmbH www.e-matters.de -= Security Advisory =- Advisory: Chora CVS/SVN Viewer remote vulnerability Release Date: 2004/06/13 Last Modified: 2004/06/13 Author: Stefan Esser [s.esser@e-matters.de] Application: Chora <= 1.2.1 Severity: A vulnerability within Chora allows remote shell command injection Risk: Critical Vendor Status: Vendor has released a bugfixed version. Reference: http://security.e-matters.de/advisories/102004.html Overview: Chora is the Horde Project's CVS/SVN repository viewer. (SVN support only in CVS version) It is used to provide web-based access to repositories. Currently, these features include: * Directory-based views, with a summary of the most recent activity. * View full log history on a single file, with the ability to stick to a single branch. * Request arbritrary differences between versions and branches. These can be viewed in a variety of formats, ranging from raw diff output to human-readable HTML. * Visual branch viewing for a single file, which graphically represents the history of the file with respect to branches from the main trunk of development * Annotation (otherwise known as 'blame') support, which shows which authors are responsible for which portions of a file's contents. During a security audit of Chora a vulnerability within the diff viewing functionality was discovered. This hole allows arbitrary shellcode injection. Combined with PHP's file upload functionality this gives the opportunity to upload arbitrary binaries and to execute them. (In default configurations) Details: Because Chora runs on a number of bigger project's webservers it was audited for the most obvious PHP programming mistakes. This reveales a problem in the diff handling code for CVS and SVN repositores. While the SVN support is only in the CVS and the 3.0 ALPHA version of Chora the CVS code exists since the very first version of Chora. In both cases the diff utility is executed via exec() with several parameters. When the actual shell command is constructed a certain variable (the number of diff context lines) is assumed to be always a number and therefore not properly escaped. Unfourtunately there is nowhere a check within Chora to ensure that the function is only called with a number and therefore it is possible to inject an arbitrary shell command into the command stream. On a default configured server this means a remote attacker is able to use PHP's file upload functionality to upload an arbitrary binary to the /tmp directory (where PHP's temporary files are usually stored) of the server, chmod it to executable and execute it. The nature of this problem allows it, to exploit this bug disguised as usual diff request through a single POST request. Proof of Concept: e-matters is not going to release an exploit for this vulnerability to the public. Disclosure Timeline: 12. June 2004 - The Horde project was informed about the vulnerability. Additionally the information was shared with vendor-sec and a few bigger projects running Chora. In the night Horde released Chora 1.2.2 which fixes this issue without notification. The release announcement downplays the vulnerability as minor security fixes. 13. June 2004 - Public Disclosure after realising that Horde has already spreaded the new version (on a weekend @!"$%&). Recommendation: It is strongly recommended to upgrade to the latest version of Chora, because in every default configuration this problem is a serious threat. GPG-Key: http://security.e-matters.de/gpg_key.asc pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC Copyright 2004 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFAzG6Eb31XLTAExLwRAhOSAJ45zJX9rq6ZBPfhIbubblo2Ece+1wCgomKj 3bTXVrEs5LLTAdDqzxTuWOY= =AROL -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html