6432173 2001-04-30 16:07 -0400  /204 lines/ @stake advisories <advisories@ATSTAKE.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-04-30  23:03  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: advisories@ATSTAKE.COM
Recipient: Bugtraq (import) <16856>
Subject: @stake Security Advisory: Remote Vulnerabilities in Bugzilla (A043001-1)
------------------------------------------------------------
From: "@stake advisories" <advisories@ATSTAKE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3AEDC603.80901@atstake.com>

                               @stake, Inc.
                             www.atstake.com

                            Security Advisory

Advisory Name: Remote Vulnerabilities in Bugzilla
  Release Date: 04/30/2001
   Application: Bugzilla (2.10)
      Platform: Unix or any other platform supporting perl CGI scripts and
                MySQL (most often Unix+Apache)
      Severity: Remote users could execute arbitrary commands as the web
                server user, view unauthorized information.
       Authors: Dave Aitel [daitel@atstake.com],
                Andrew Danforth [acd@atstake.com]
Vendor Status: Vendor has released a fixed version
CVE Candidate: CAN-2001-0329, CAN-2001-0330
     Reference: www.atstake.com/research/advisories/2001/a043001-1.txt


Executive Summary:

Bugzilla is a web-based bug (and enhancement) tracking engine built
on MySQL. It's often used for distributed OpenSource development,
but is used by corporations (both internally and externally) as
well. A bug in Bugzilla allows remote users who have registered with
shell metacharacters in their email addresses to execute commands on
the web server as an unprivileged user.


Overview:

The attack is to register as a user named
"|somecommand;@yourdomain.com" (root access at yourdomain.com _may_
be required), then submit a bug.

It is prudent to segment Bugzilla (or other interactive web sites)
from code repository and download sites. This would prevent this or
future bugs from compromising the source tree or distribution
binaries of an OpenSource or collaborative project.


Detailed Description:

Perl's system call behaves differently depending on the type of
argument given: if it's a list, it takes the first element as the
program and the rest as the arguments.  If the argument is a single
scalar, it feeds it through sh for parsing.  The Bugzilla guys got it
right for one of the system() calls (see below), but the rest are
broken.


--- output from some grepping (greppage, greps?) ---
Broken (scalars):
   post_bug.cgi:system("./processmail $id $::COOKIE{'Bugzilla_login'}");
   process_bug.cgi:        system("./processmail $num $::FORM{'who'}");
   process_bug.cgi:        system("./processmail $k $::FORM{'who'}");
Not Broken (list):
   process_bug.cgi:    system("./processmail", "-forcecc", $origCcString, $id, $::FORM{'who'});

A similar vulnerability is described at
http://packetstorm.securify.com/0005-exploits/bugzilla.txt

Additionally, it is possible to obtain the Bugzilla global
configuration code by pointing a web browser at
http://bug.zilla.site/globals.pl.  The conf file contains some
site-specific configuration directives such as paths and global
variables, the juiciest of which are the database username and
password.

This brings up a typical problem with Perl web apps.  Programmers
often define globals and configuration info in modules or files
containing bits of Perl code, and 'use' or 'require' them from their
CGI scripts.  Typically, the CGI scripts are named foo.cgi so the web
server configuration doesn't need to be modified (a la AddHandler
cgi-script .pl).  The modules and such retain .pl or .pm extensions,
so the web server serves them to a requestor as plain text.


Solutions:

If you can, upgrade to the latest version of Bugzilla, 2.12, which
fixes these problems.

As a temporary solution, all Bugzilla system() calls should be
modified to pass arguments as an array rather than a scalar.

Also, on line 469 of defparams.pl, replace the regular expression
definition
    q:^[^@, ]*@[^@, ]*\\.[^@, ]*$:
with
    q:^[\w-\./]+@[A-Za-z\d-\.]+$:

Please note that the new regular expression will not match all valid RFC
822 email addresses.  A Perl regex that does just that can be found at
<http://www.perl.com/CPAN/authors/Tom_Christiansen/scripts/ckaddr.gz>, but
integrating it with Bugzilla is beyond the scope of this advisory.
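The scalar-versus-list distinction from the Detailed Description and the replacement login regex above, as one added example that is not code from the advisory or from Bugzilla. It assumes a Unix host with a printf(1) binary on PATH, and it tightens the regex's trailing anchor from $ to \z.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or Bugzilla): both system() forms
# side by side, plus a login check built on the advisory's replacement regex.
# Assumes a Unix host with printf(1) on PATH.
use strict;
use warnings;

# The advisory's regex, anchored with \z instead of $ so that a login ending
# in a newline is rejected as well ($ alone still matches before a final "\n").
my $login_re = qr/^[\w\-.\/]+\@[A-Za-z\d\-.]+\z/;

sub login_ok {
    my ($login) = @_;
    return (defined $login && $login =~ $login_re) ? 1 : 0;
}

# printf(1) stands in for ./processmail: it prints one "argv:" line per
# argument it receives, which shows exactly how the child saw its command line.
sub scalar_form {
    my ($id, $login) = @_;
    # As in post_bug.cgi: one string, which perl word-splits or hands to sh,
    # so whatever is inside $login is re-parsed as part of the command line.
    return system("printf 'argv: %s\\n' $id $login");
}

sub list_form {
    my ($id, $login) = @_;
    # As in the one correct call in process_bug.cgi: the program is execvp'd
    # directly and $login reaches it unchanged as a single argument.
    return system('printf', 'argv: %s\n', $id, $login);
}

# Constructed inputs: a normal login, one with a space (harmless, but enough
# to show the re-parsing), and one shaped like the advisory's example.
my @logins = ('dev@example.org', 'first second@example.org',
              '|somecommand;@example.org');
for my $login (@logins) {
    printf "%-28s %s\n", $login, login_ok($login) ? 'accepted' : 'rejected';
}

print "scalar form with a space in the login:\n";
scalar_form(42, 'first second@example.org');   # three argv lines: login split
print "list form with the same login:\n";
list_form(42, 'first second@example.org');     # two argv lines: login intact
```

Only the first login passes the check; the two printf runs show the same login arriving as two arguments via the scalar form and as one via the list form.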

Scripts:

This is a script that should fix the system call bugs; run it in the
bugzilla directory:

<cut here>
#!/usr/bin/perl
#
# bugzilla system() fixer -- run in bugzilla CGI directory
#
# Andrew Danforth <acd@atstake.com>, 2001
# note, grep and ed must be in path. Tested on Debian Linux.
#
# Rewrites each scalar-form system("...") call in *.cgi into the list form,
# e.g. system("./processmail $id $who") -> system("./processmail","$id","$who"),
# by splitting the quoted string on whitespace and editing the line with ed.

use strict;
use warnings;

# grep -n prints file:line:code; the 3-way split keeps colons in the code intact
foreach (`grep -n system\\( *.cgi`) {
    my ($file, $line, $code) = split(/:/, $_, 3);
    next if ($code =~ /,/);          # already the list form: leave it alone
    if ($code !~ /system\(("[^"]+")\)/) {
       print "couldn't find arguments to system for $file:$line\n";
       next;
    }
    print "changing line $line for $file\n";
    # $` and $' hold the text before and after the matched call; $1 is the
    # quoted string including its quotes, so joining its words with '","'
    # yields a list of individually double-quoted arguments.
    open(ED, "|ed -s $file") or die "can't run ed on $file: $!\n";
    print ED $line, "c\n", $`, "system(", join('","', split(' ', $1)), ")", $', ".\nw\nq\n";
    close ED;
}
<end cut>


Vendor Response:

The vendor has released a new version, Bugzilla 2.12, that addresses
these problems:

http://ftp.mozilla.org/pub/webtools/bugzilla-2.12.tar.gz


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

       CAN-2001-0329 - shell metacharacters in email addresses
       CAN-2001-0330 - sensitive information from globals.pl

|-----------------------------------------------------------------------

@stake Advisory Announcement mailing list:

If you wish to receive announcement messages when new @stake
advisories are released you can subscribe to our advisory-announce
mailing list. To subscribe to advisory-announce@lists.atstake.com,
send an (empty) message to:

             advisory-announce-subscribe@lists.atstake.com.


Last 5 @stake Advisories

04.16.01
iPlanet Web Server Enterprise Edition 4.0, 4.1 Response Header Overflow
http://www.atstake.com/research/advisories/2001/a041601-1.txt

04.13.01
Netscape SmartDownload Overflow
http://www.atstake.com/research/advisories/2001/a041301-1.txt

04.09.01
Windows PGP (Pretty Good Privacy) ASCII Armor Parser Vulnerability
http://www.atstake.com/research/advisories/2001/a040901-1.txt

04.03.01
Multiple Information Disclosure Issues with G6 FTP Server
http://www.atstake.com/research/advisories/2001/a040301-1.txt

03.07.01
Netscape Directory Server Buffer Overflow
http://www.atstake.com/research/advisories/2001/a030701-1.txt


Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2001 @stake, Inc. All rights reserved.

