BSCW: Vulnerabilities and Problems

[SQEHXLLBQUJX () spammotel com]

------------------------------------------------------------------------
-=\ BSCW Security Issues - Audit report 02 - 7. Sept. 2001 \=-
------------------------------------------------------------------------

BSCW is a groupware system that runs on a webserver. For more
information about BSCW visit the developer website (http://bscw.gmd.de/
and http://www.orbiteam.de).

While auditing the BSCW system, i discovered two more vulnerabilities.
This document explains the vulnerabilities, how i did notice them and
what you can do to fix them.

-----------------------------------------------------------
-=\ Vulnerability no. 1: insecure default configuration \=-
-----------------------------------------------------------

Type:

  Insecure default configuration.

Effect:

  Gives unwanted people the possibility to
  register as user of the BSCW server.

Software affected:

  All 3.x versions of BSCW, version 4 not tested, but probably as well.

Severity:

  Low risk / Medium risk
  Very high risk, if other security issues exists

Solution:

  Think.


-=\ Description \=-

Normally the BSCW software is configured to allow self registration of
users. This enables the administrator to register himself as the first
user, after setting up the server. Self registration can normally
be done by accessing:

http://your.bscwserver.url/pub/english.cgi?op=rmail

Although allowing self registration of users can be a wanted
configuration, in most cases this isn't the case. Many BSCW servers
have are targeted to a closed user community. In my opinion the BSCW
system should register the server admin in the install procedure and
should not allow self registration out of the box. If the admins have to
enable the self registration of users by changing a configuration file,
they might think twice about it. The major danger of self
registration is not that you give unwanted users access to your system
and allow them to put files there. You give them access to a complex
script running on your webserver and the possibility to exploit security
holes. I checked for BSCW servers with a popular internet search engine
and was able to self register in quite a lot of them, even on those that
seemed to be there for a closed user community.

You should think twice before setting up self registration, the better
choice is to change the configuration, so that only a couple of
trusted users are allowed to register new users.

Example (line of config.py located in your <bscw-dir>/src/):

MAY_REGISTER = ['joedoe','jane']

Allows the users "joedoe" and "jane" to invite new users into the
system. Note that users classified as admins are allowed to invite new
users also.

-------------------
-=\ Fix \=-
-------------------

No fix for this, as it isn't a real bug. Maybe a changed installation
procedure, without the need to enable self registration, would be a
good idea. If you don't need self registration of users, set the
MAY_REGISTER directive in your config.py file.

 --------------------------------------------------------------
-=\ Vulnerability no. 2: shell meta characters not filtered \=-
---------------------------------------------------------------

Type:

  Some shell meta characters are not filtered from user input when
  calling external programs.

Effect:

  Gives malicious a user the possibility to run any shell script he
  wants, under the UID of the BSCW software.

Software affected:

  All 3.x versions of BSCW running under Unix like OS.
  Version 4 not tested (probably vulnerable too. edit: Bug has been fixed in 
  the 21. Dec. Version 4 release).
  Depending on how external programs are called under Windows, a similar
  vunerability may exist in BSCW for Windows.

Severity:

  Ouch. Very high risk.

Solution:

  Change the way external tools are called immediately. If you dont
  need and external conversion tool, diable it. Wait for a patch from
  GMD/Orbiteam.


-=\ Description \=-

The BSCW system gives the users the possibility to convert files into
other formats (e.g. GIF into JPEG). This is done by calling external
tools. The user can enter the filename of the converted file. Since the
user input is handed as parameter to the external programs, which are
called via a shell, shell meta characters should be filtered out of the
user input. Most of them are filtered by BSCW, but there are a few which
aren't:

&;^()[]{}

The dangerous characters are "&",";","^". I'll explain the
vulnerability, using the conversion of a JPEG to a GIF as example:

After you have set your skill level in your userprofile to "Expert", you
have the ability to convert certain file formats into another format.
BSCW achieves this by calling external helper tools.

Lets say we have a file "test.jpg" in a folder we can access. We click on
the "convert" option. In the following dialog we choose our settings for
the conversion, we select "GIF" and "no encoding". We can enter
the name of the outputfile also, the default is the the name of the file
("test.jpg" in our case). We dont change the name. Hitting the convert
button gives you a file named "test.gif".

Now we enter some shell meta characters as file name:

"'`/\|<>*?&;^()[]{}

And get an output similar like this:

Some text that the conversion wasnt successfully.
(
/bin/X11/djpeg -gif -outfile /BSCW/Tmp/@8279_1/&;^()[]{}
/BSCW/Tmp/@8279_1/@8279_2
) 2>&1
.

This is the output of the shell call which the BSCW system did. Looking
at the metachars you can see that "'`\|<>*? are filtered, while &;^()[]{}
are not. The @8279_1 and @8279_2 are internal object reference codes that
BSCW creates. Now we use ;ls; as file name for the conversion (; is the
command separator for shell commands), we get something like:

/bin/X11/djpeg: can't open /BSCW/Tmp/@8558_1/
@8558_2
sh: /BSCW/Tmp/@8558_1/@8558_2: cannot execute
(
/bin/X11/djpeg -gif -outfile /BSCW/Tmp/@8558_1/;ls;
/BSCW/Tmp/@8558_1/@8558_2
) 2>&1
.

We executed the "ls" command (output is "/BSCW/@8558_1/@8558_2"). So
there is one file in this temporary directory, which is in fact our
"test.jpg" file. Then we get the "cannot execute" error, since the shell
tries to execute "/BSCW/Tmp/@8558_1/@8558_2" (we separated it in the
commandline by ";").

Now we create our exploit shell script:

echo code executed on webserver
uname -a

We use "test.jpg" as name for this script and upload it on the BSCW
server, setting the MIME type to "jpeg" manually in the upload dialog.
Since the BSCW creates the temp file for conversion without the exec bit
set, we have to execute by calling the shell with the file as argument.
We do this by giving ";sh" as file name for the converted file:

/bin/X11/djpeg: can't open /BSCW/Tmp/@9586_1/
code executed on bscw server:
SunOS marin 5.8 Generic_111848-01 sun4u sparc SUNW,Ultra-4
(
/bin/X11/djpeg  -gif -outfile /BSCW/Tmp/@9586_1/;
sh /BSCW/Tmp/@9586_1/@9586_2
) 2>&1
.

-------------------
-=\ Fix \=-
-------------------

The configuration for calling external conversion programs are in the
file "config_converters.py", located in the "/src" directory of your BSCW
installation. It contains one entry for each conversion possibility
(gif->jpeg, jpeg->gif, gif->ps ...). Those Entries look like this:

# JPEG -> GIF  (0.8)
 ('image/jpeg', 'image/gif', '0.8',
  '/usr/bin/X11/djpeg  -gif -outfile %(dest)s %(src)s',
  'Colors, if more than 256'),


Change it to:

# JPEG -> GIF  (0.8)
 ('image/jpeg', 'image/gif', '0.8',
  '/usr/bin/X11/djpeg  -gif -outfile "%(dest)s" "%(src)s"',
  'Colors, if more than 256'),

Do this for all the conversion programs. That way parameters are quoted 
and not interpreted.


Thomas Seliger
tom[at]wiretap(dot)de