fusionforge multiple privilege escalations

2013.02.25
Credit: Helmut
Risk: High
Local: Yes
Remote: No
CWE: CWE-59


CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

I am publicly disclosing fusionforge CVE-2013-1423 today. On the 25th of January I reported one of these issues to the Debian security team and the fusionforge maintainers. In the process of fixing that issue a number of further issues surfaced. All of the issues currently covered by the single CVE-2013-1423 have in common that privileged operations do not properly check their environment, which leads to privilege escalation.

Let me give an easy to exploit example. Quoting deb-specific/user_dump_update.pl (fusionforge 5.2-1):

| $home_dir = $homedir_prefix.'/'.$username;
| unless (-d $home_dir.'/incoming') {
|     mkdir $home_dir.'/incoming', 0755;
| }
|
| my $realuid=get_file_owner_uid($home_dir);
| if ($uid eq $realuid){
|     system("chown $uid $home_dir/incoming");
|     system("chmod 0755 $home_dir/incoming");

This code is executed as root in a cron job. By replacing ~/incoming with a hard link to some other file (e.g. the .ssh/authorized_keys file of a different user) an attacker can gain ownership of that file: the -d test fails, the unchecked mkdir fails silently because the name already exists, and the chown and chmod are then applied to whatever inode ~/incoming links to.

The initial report related to plugins/scmcvs/cronjobs/ssh_create.php, which contained a chown of ~user/.ssh, a path under the user's control. Most of the issues relate to the use of chown or chmod on objects controlled by a user. These have been avoided by carrying out operations on user-controlled files with the effective permissions of that user (seteuid), so that the kernel refuses anything the user could not do by themselves. Another source was TOCTOU race conditions, which have been avoided by using O_EXCL, file mode "x" in PHP. Also, some file permissions were only fixed after closing the file (information disclosure); this is now done at open time by setting the umask.

Roland Mas iteratively updated the sources with me giving feedback on the issues. The resulting patches have been committed to the respective git branches. Please have a look at those patches for further details.
5.0: https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=commitdiff;h=0cc51b3aca51fa915a35195fdf729bcdb903f2af
5.1: https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=commitdiff;h=9937b9d94ab60ff67fe249c1b9a6c8e3fc1778ba
5.2: https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=commitdiff;h=1fc730b97c797e03b89cd37823ab345d35286cf4

Here is a list of files affected:

contrib/gforge-3.0-cronjobs.patch (removed)
cronjobs/homedirs.php
deb-specific/fileforge.pl (removed)
deb-specific/group_dump_update.pl
deb-specific/ssh_dump_update.pl
deb-specific/user_dump_update.pl
plugins/scmbzr/common/BzrPlugin.class.php
plugins/scmcvs/common/CVSPlugin.class.php
plugins/scmcvs/cronjobs/cvs.php
plugins/scmcvs/cronjobs/ssh_create.php
plugins/scmgit/common/GitPlugin.class.php
plugins/scmsvn/common/SVNPlugin.class.php
plugins/wiki/cronjobs/create_groups.php
utils/cvs1/cvscreate.sh (removed)
utils/include.pl

Finally I would like to thank Roland Mas for his thorough work on these issues, his quick reaction and the nice interaction.

Helmut
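The hard-link substitution described in the advisory, and the descriptor-based checks that defeat it, as an added example. This is not FusionForge code (the project's cron jobs are Perl and PHP); it is written in Python so it runs unprivileged in a temporary directory, with the victim file, the attacker's home directory and the key material all constructed inline. The naive routine mirrors the shape of the quoted user_dump_update.pl snippet; the hardened one shows the two fixes the advisory names, O_EXCL at creation and restrictive mode at open time, plus fd-relative operations in place of the seteuid drop (which needs root and is therefore not performed here).

```python
"""Added example (not FusionForge's own code): ~/incoming replaced by a hard
link, and the checks that stop chown/chmod from reaching the link target.
All paths are constructed in a temporary directory and the "victim" file stands
in for another user's authorized_keys; nothing here needs root."""
import os
import stat
import tempfile

INCOMING_MODE = 0o755


def naive_fix_incoming(home_dir, uid):
    # Same shape as the Perl in user_dump_update.pl: path-based test, mkdir,
    # then chown/chmod by path. The real cron job runs as root; here it runs as
    # the test user, which is enough to show the calls land on the link target.
    incoming = os.path.join(home_dir, "incoming")
    if not os.path.isdir(incoming):
        try:
            os.mkdir(incoming, INCOMING_MODE)
        except FileExistsError:
            pass  # Perl's unchecked mkdir fails silently here as well
    os.chown(incoming, uid, -1)  # follows the hard link: changes the victim inode
    os.chmod(incoming, INCOMING_MODE)


def hardened_fix_incoming(home_dir, uid):
    # Open the home directory once and do everything relative to that fd, so a
    # concurrent rename cannot swap the path out between check and use (TOCTOU).
    home_fd = os.open(home_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        if os.fstat(home_fd).st_uid != uid:
            raise PermissionError("home directory not owned by expected uid")
        try:
            os.mkdir("incoming", INCOMING_MODE, dir_fd=home_fd)
        except FileExistsError:
            pass
        # O_NOFOLLOW rejects a symlink (ELOOP); O_DIRECTORY rejects a hard link
        # to a regular file (ENOTDIR). The substitute never reaches chown/chmod.
        inc_fd = os.open("incoming", os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                         dir_fd=home_fd)
        try:
            if not stat.S_ISDIR(os.fstat(inc_fd).st_mode):
                raise PermissionError("~/incoming is not a directory")
            os.fchown(inc_fd, uid, -1)  # acts on the verified inode, not a path
            os.fchmod(inc_fd, INCOMING_MODE)
        finally:
            os.close(inc_fd)
    finally:
        os.close(home_fd)


def create_private_file(dir_fd, name, data):
    # Fix for "permissions corrected only after close": O_EXCL refuses to reuse
    # a file the user planted in advance, and the 0600 mode is applied at
    # creation (umask narrowed first), so the file is never readable by others.
    old_umask = os.umask(0o077)
    try:
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600, dir_fd=dir_fd)
    finally:
        os.umask(old_umask)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(name, dir_fd=dir_fd).st_mode)


def run_scenario():
    """Attacker links ~/incoming to another user's file. Returns the victim's
    mode after the naive routine, whether the hardened one refused, and the
    victim's mode after the hardened routine."""
    uid = os.getuid()
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim_authorized_keys")  # constructed stand-in
    with open(victim, "wb") as f:
        f.write(b"ssh-ed25519 AAAA... victim@example\n")
    os.chmod(victim, 0o600)
    home = os.path.join(base, "attacker")
    os.mkdir(home, 0o755)
    os.link(victim, os.path.join(home, "incoming"))  # the attack

    naive_fix_incoming(home, uid)
    mode_after_naive = stat.S_IMODE(os.stat(victim).st_mode)

    os.chmod(victim, 0o600)  # reset for the second run
    try:
        hardened_fix_incoming(home, uid)
        refused = False
    except (NotADirectoryError, PermissionError):
        refused = True
    mode_after_hardened = stat.S_IMODE(os.stat(victim).st_mode)
    return mode_after_naive, refused, mode_after_hardened


def private_file_demo():
    """Returns the mode of a freshly created key file and whether a second
    create of the same name was refused by O_EXCL."""
    base = tempfile.mkdtemp()
    dfd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    try:
        mode = create_private_file(dfd, "authorized_keys", b"ssh-ed25519 AAAA... user\n")
        try:
            create_private_file(dfd, "authorized_keys", b"replaced\n")
            exclusive = False
        except FileExistsError:
            exclusive = True
    finally:
        os.close(dfd)
    return mode, exclusive


if __name__ == "__main__":
    print(run_scenario(), private_file_demo())
```

The naive run leaves the victim file at mode 0755 because chmod followed the hard link; the hardened run fails at the O_DIRECTORY open and leaves it untouched. In a real cron job the fd-relative calls would additionally run after seteuid to the target user, as the advisory describes, so that even a check the code forgot is still enforced by the kernel's ordinary permission rules.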

References:

https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=commitdiff;h=1fc730b97c797e03b89cd37823ab345d35286cf4
https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=commitdiff;h=9937b9d94ab60ff67fe249c1b9a6c8e3fc1778ba
https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=commitdiff;h=0cc51b3aca51fa915a35195fdf729bcdb903f2af


Copyright 2024, cxsecurity.com