@stake Security Advisory: Remote Vulnerabilities in Bugzilla (A043001-1)

From:	 "@stake advisories" <advisories@ATSTAKE.COM>
To:	 BUGTRAQ@SECURITYFOCUS.COM
Subject: @stake Security Advisory: Remote Vulnerabilities in Bugzilla
	 (A043001-1)
Date:	 Mon, 30 Apr 2001 16:07:31 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                               @stake, Inc.
                             www.atstake.com

                            Security Advisory

	
Advisory Name: Remote Vulnerabilities in Bugzilla
  Release Date: 04/30/2001
   Application: Bugzilla (2.10)
      Platform: Unix or any other platform supporting perl CGI scripts and
                MySQL (most often Unix+Apache)
      Severity: Remote users could execute arbitrary commands as the web
                server user, view unauthorized information.
       Authors: Dave Aitel [daitel@atstake.com],
                Andrew Danforth [acd@atstake.com]
Vendor Status: Vendor has fixed version
CVE Candidate: CAN-2001-0329, CAN-2001-0330
     Reference: www.atstake.com/research/advisories/2001/a043001-1.txt


Executive Summary:

Bugzilla is a web-based bug (and enhancement) tracking engine built over
MySQL. It's often used for distributed OpenSource development, but is used
by corporations (both internally and externally) as well. A bug in
Bugzilla allows remote users who have registered with shell characters in
their email addresses to execute commands on the web server as an
unprivileged user.


Overview:

The attack is to register as a user named "|somecommand;@yourdomain.com"
(root access at yourdomain.com _may_ be required.) Then submit a bug.

It is prudent to segment Bugzilla (or otherwise interactive
web sites) from code repository and download sites. This would prevent
this, or future bugs from compromising the source tree or distribution
binaries of an OpenSource or collaborative project.


Detailed Description:

Perl's system call acts differently based on the type of argument given;
if it's a list, it takes the first element as the program and the rest as
the arguments.  If the argument is a scalar, it feeds it thru sh for
parsing.  The Bugzilla guys got it right for one of the system() calls
(see below), but the rest are broken.


- - --- output from some grepping (greppage, greps?) ---
Broken (scalars):
   post_bug.cgi:system("./processmail $id $::COOKIE{'Bugzilla_login'}");
   process_bug.cgi:        system("./processmail $num $::FORM{'who'}");
   process_bug.cgi:        system("./processmail $k $::FORM{'who'}");
Not Broken (list):
   process_bug.cgi:    system("./processmail", "-forcecc", $origCcString,
$id, $::FORM{'who'});

A similar vulnerability is described at
http://packetstorm.securify.com/0005-exploits/bugzilla.txt

Additionally, it is possible to obtain the Bugzilla global configuration
code by pointing a web browser at http://bug.zilla.site/globals.pl.  The
conf file contains some site-specific configuration directives such as
paths and global variables, the juiciest of which are the database
username and password.

This brings up an typical problem with perly web apps.  Programmers often
define globals and configuration info in modules or files containing bits
of perl code, and 'use' or 'require' them in their cgi.  Typically, the
perl scripts are named foo.cgi so the web server configuration doesn't
need to be modified (ala AddHandler cgi-script .pl).  The modules and such
retain .pl or .pm extensions, so the web server feeds them to a requestor
as plain text.


Solutions:

If you can you should upgrade to the latest version of Bugzilla 2.12 which
fixes these problems.

As a temporary solution, all Bugzilla system() calls should be modified to
pass arguments as an array rather than a scalar.

Also, on line 469 of defparams.pl, replace the regular expression
definition
    q:^[^@, ]*@[^@, ]*\\.[^@, ]*$:
with
    q:^[\w-\./]+@[A-Za-z\d-\.]+$:

Please note that the new regular expression will not match all valid RFC
822 email addresses.  A perl regex that does just that can be found at
<http://www.perl.com/CPAN/authors/Tom_Christiansen/scripts/ckaddr.gz>, but
Integrating it with Bugzilla is beyond the scope of this advisory.

Scripts:

This is a script that should fix the system call bugs - run it in the
bugzilla directory:

<cut here>
#!/usr/bin/perl
#
# bugzilla system() fixer -- run in bugzilla CGI directory
#
# Andrew Danforth <acd@atstake.com>, 2001
# note, grep and ed must be in path. Tested on Debian Linux.

foreach(`grep -n system\\( *.cgi`) {
    my ($file, $line, $code) = split(/:/, $_, 3);
    next if ($code =~ /,/);
    if ($code !~ /system\(("[^"]+")\)/) {
       print "couldn't find arguments to system for $file:$line\n";
       next;
    }
    print "changing line $line for $file\n";
    open ED, "|ed -s $file";
    print ED $line, "c\n", $`, "system(", join('","', split(' ', $1)), ")",
$', ".\nw\nq\n";
    close ED;
}
<end cut>


Vendor Response:

Vendor has released a new release, Bugzilla 2.12, that addresses these
problems:

http://ftp.mozilla.org/pub/webtools/bugzilla-2.12.tar.gz


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

       CAN-2001-0329 - shell metacharacters in email addresses
       CAN-2001-0330 - sensitive information from globals.pl

|-----------------------------------------------------------------------

@stake Advisory Announcement mailing list:

If you wish to receive announcement messages when new @stake advisories
are released you can subscribe to our advisory-announce mailing
list. To subscribe to advisory-announce@lists.atstake.com, send an
(empty) message to:

             advisory-announce-subscribe@lists.atstake.com.


Last 5 @stake Advisories

04.16.01
iPlanet Web Server Enterprise Edition 4.0, 4.1 Response Header Overflow
http://www.atstake.com/research/advisories/2001/a041601-1.txt

04.13.01
Netscape SmartDownload Overflow
http://www.atstake.com/research/advisories/2001/a041301-1.txt

04.09.01
Windows PGP (Pretty Good Privacy) ASCII Armor Parser Vulnerability
http://www.atstake.com/research/advisories/2001/a040901-1.txt

04.03.01
Multiple Information Disclosure Issues with G6 FTP Server
http://www.atstake.com/research/advisories/2001/a040301-1.txt

03.07.01
Netscape Directory Server Buffer Overflow
http://www.atstake.com/research/advisories/2001/a030701-1.txt


Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2001 @stake, Inc. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOu2/GVESXwDtLdMhEQLx6QCglPSOXY+xJ0gFx7ijs/FbDBHDS18AoLuP
ElUuwZrUdtHRFj6alnuh6Htg
=QaAZ
-----END PGP SIGNATURE-----