OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: SQEHXLLBQUJXspammotel.com
Date: Wed Aug 22 2001 - 19:56:29 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    BSCW Security Issues

    [ Vulnerability Type ]
      The BSCW software follows symlinks.

    [ Effect ]
      malicious user can read every file on system that BSCW UID can read.

    [ Software affected ]
      BSCW3.x (only on *ix systems)

    [ Severity ]
      medium risk / high risk

    [ Solution ]
      install patches / updates from http://bscw.gmd.de/pycXX , where XX is
    the version of your python installation.

    DESCRIPTION:

    BSCW is a groupware system that runs on a webserver. For more information
    about BSCW visit the developer website (http://bscw.gmd.de/ and
    http://www.orbiteam.de ).

    While playing around with symlinks and how the BSCW system handles them, i
    noticed that it follows symlinks. Since it offers users the ability to extract
    .tar files into their "data-bag" (private space), symlink following can be
    exploited by a malicious user. To to this he/she needs to create a .tar file
    that contains a symlink, pointing to a file he/she wants to read. After this
    .tar file has been uploaded to the BSCW server and extracted by clicking on
    the "extract" menu option, the "data-bag" of the user contains the symlink as
    a BSCW data object. Clicking on it will make the BSCW system follow the
    symlink and retrieve the target file, so the user is able to download/view
    it.

    Example:

    my_host:/tmp/>ln -s /etc/passwd testlink
    my_host:/tmp/>tar cvf testlink.tar testlink

    After uploading it to the BSCW server and extracting it, you can click on the
    "testlink" item in your "data-bag" and retrieve the /etc/passwd file of the
    server.

    Basically the attacker can view any file on a system, as long as the UID,
    under which the BSCW system is running, could access it. In most cases this
    will be the same UID as the webserver UID (nobody, wwwrun). This can give
    the malicious user access to BSCW data items, he could normally not read, or
    worse, it could be used to retrieve the BSCW password file for cracking other
    user passwords or information gathering for further system penetration.

    The early "op_extract" fixes that but leaves a few other exploitable issues.

    Another vulnerability consists in the standard installation which includes a
    call of "zip" tool when converting .tar files to .zip files. After the
    "op_extract" patch you could not access the symlink, since the new extract
    function checks for symlinks after tar is called. By converting the
    attackers .tar file to a .zip file, zip will follow the symlink and pack
    the file, which was targeted by the link. If you have customized calls
    to external programs (e.g. packer conversion utilities) in your BSCW
    system configuration, you should check if symlink following can be exploited).

    The latest patch "untar.py" introduces a wrapper, which looks for symlinks
    and seem to fix all symlink vulnerabilities.

    You can download the patches and view the installation instructions at
    http://bscw.gmd.de/pycXX , where XX is the version of your installed python
    package (e.g. http://bscw.gmd.de/pyc20 for python 2.0).

    The developers of bscw have done a good job patching the security holes
    within 24h, after i sent them a notice about the vulnerability.

    neovatar
    neovatar(at)wiretap(dot)de
    public key at http://www.wiretap.de/neovatar.pub

    DISCLAIMER:
    im not affiliated with GMD or ORBITEAM or BSCW in any way. Registered
    trademarks and terms in this report belong to their owners.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE7hFTBzEyYWk8cQasRAhAiAKCOCYleJnk49KxPDzAht2GPwKmbKgCdGQBq
    iHXuhdS5onO9/JAs97FhrH0=
    =gmh1
    -----END PGP SIGNATURE-----