12th Jan 2003 [SBWID-5927]
COMMAND
BitKeeper remote shell command execution/local vulnerability
SYSTEMS AFFECTED
BitKeeper 3.0.x
PROBLEM
From the advisory by Maurycy Prodeus of iSEC Security Research [http://isec.pl/]:
BitKeeper is source management software. It contains a shell argument
parsing vulnerability that lets a remote attacker run arbitrary shell
commands on a system where BitKeeper listens for HTTP requests.
Details:
--------
1. Remote command execution
BitKeeper can be run in daemon mode, in which it opens a port, listens
for incoming requests and gives remote users access to project resources
through a web interface. To produce a diff it invokes the external diff
binary through the shell (sh -c), with the requested file name and
revision interpolated into the command line. Because those values come
straight from the request, shell metacharacters in them are interpreted
by the shell and arbitrary commands are executed.
2. Locally exploitable race condition
The second vulnerability is in the handling of the temporary files that
BitKeeper creates when calling external programs.
Piece of strace output:
20495 getpid() = 20495
20495 lstat("/tmp/foo.c-1.1-20495", 0xbfffae9c) = -1 ENOENT (No such file or directory)
20495 lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=16384, ...}) = 0
20495 open("/tmp/foo.c-1.1-20495", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8
There is a race condition between the lstat() check and the open(): the
file name is predictable (/tmp/<file>-<revision>-<pid>), and the open()
uses neither O_EXCL nor O_NOFOLLOW, so a local attacker who places a
symlink at that path in the window between the two calls has BitKeeper's
output written to a file of his choice. Additionally the file is created
with insecure permissions (mode 0666, subject only to the umask).
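The following is an added example (not BitKeeper's own code, and not from the advisory) that reconstructs the lstat()-then-open() sequence visible in the strace output, puts a hardened open() beside it, and simulates the race window by planting a symlink between the check and the open. The directory names, the "victim" file and the 0666/0600 modes are assumptions for the demonstration; only the syscall pattern is taken from the trace.

```c
/* Added example (not BitKeeper's own code): the lstat()-then-open() temp-file
 * pattern seen in the strace output beside a hardened replacement, plus a
 * simulation of the race window.  Paths and names are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1 of the traced sequence: "does it exist yet?"  Passes on ENOENT. */
int racy_check(const char *path)
{
    struct stat st;
    return lstat(path, &st) == -1 && errno == ENOENT;
}

/* Step 2: open() with O_CREAT|O_TRUNC and mode 0666.  It follows symlinks,
 * does not fail if the path appeared after the check, and 0666 & ~umask is
 * normally group/world readable. */
int racy_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: create-or-fail in one syscall, never follow a symlink, 0600.
 * mkstemp() gives the same guarantees plus an unpredictable name. */
int safe_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Simulate the window: the check passes, an "attacker" plants a symlink to
 * a victim file, then the open happens.  Returns the victim's size after
 * the open (0 = truncated through the symlink), or -1 on setup failure. */
long simulate_race(int hardened)
{
    char dir[] = "/tmp/bk-race-XXXXXX";   /* private scratch dir, constructed */
    char victim[300], path[300];
    struct stat st;
    long size = -1;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    /* predictable name: file and revision come from the URL, pid is guessable */
    snprintf(path, sizeof path, "%s/foo.c-1.1-%d", dir, (int)getpid());

    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0) { rmdir(dir); return -1; }
    if (write(vfd, "secret", 6) != 6) { close(vfd); unlink(victim); rmdir(dir); return -1; }
    close(vfd);

    if (racy_check(path) && symlink(victim, path) == 0) {   /* attacker wins */
        int fd = hardened ? safe_open(path) : racy_open(path);
        if (fd >= 0) close(fd);
    }
    if (stat(victim, &st) == 0) size = (long)st.st_size;
    unlink(path); unlink(victim); rmdir(dir);
    return size;
}

/* Permission bits each open() produces under a umask of 022 (set here so
 * the result is deterministic).  Returns st_mode & 0777, or -1. */
int created_mode(int hardened)
{
    char path[] = "/tmp/bk-mode-XXXXXX";
    struct stat st;
    int fd = mkstemp(path);            /* reserve a unique name ... */
    if (fd < 0) return -1;
    close(fd); unlink(path);           /* ... then recreate it both ways */
    mode_t old = umask(022);
    fd = hardened ? safe_open(path) : racy_open(path);
    umask(old);
    if (fd < 0) return -1;
    int mode = fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
    close(fd); unlink(path);
    return mode;
}

int main(void)
{
    printf("racy open: victim size after = %ld, mode %04o\n", simulate_race(0), created_mode(0));
    printf("safe open: victim size after = %ld, mode %04o\n", simulate_race(1), created_mode(1));
    return 0;
}
```

With the racy open the victim file is truncated to 0 bytes and the temp file ends up 0644; with O_CREAT|O_EXCL|O_NOFOLLOW the open fails with EEXIST, the victim keeps its 6 bytes, and a fresh file would be 0600. The unlink-then-recreate in created_mode() is itself a tiny race and exists only to show the mode bits; real code should keep the mkstemp() descriptor.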
Impact:
-------
If BitKeeper is running in daemon mode and listening for incoming
requests, a remote attacker can execute arbitrary commands on the system
with BitKeeper's privileges. A local attacker can additionally gain access
to and tamper with the temporary files, which may allow taking control of
the program.
Exploit:
--------
If BitKeeper is run as a stand-alone daemon, requesting the link:
http://somehost.com:port/diffs/foo.c@%27;echo%20%3Eiwashere%27?nav=index.html|src/|hist/foo.c
should create a file named "iwashere" in the project root directory. The
revision component decodes to ';echo >iwashere', which closes the quoted
argument on the diff command line, runs echo with its output redirected to
iwashere, and reopens the quote so the shell still sees a well-formed
command.
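The following is an added example (not BitKeeper's own code, and not from the advisory) that reconstructs how a revision string taken from the request reaches sh -c, runs the advisory's payload both through the shell and through execvp() to show that only the shell path creates the marker file, and adds an allowlist check as defense in depth. The command template, its quoting, the function names and the scratch directory are assumptions; the payload is the one from the URL above.

```c
/* Added example (not BitKeeper's own code): the diff-via-shell pattern the
 * advisory describes and two fixes.  The command template and its quoting
 * are assumptions; the payload is the advisory's own. */
#define _GNU_SOURCE
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define REV_CHARS  "0123456789."
#define FILE_CHARS "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-/"

/* Percent-decode a path component (enough for %27, %20, %3E in the URL). */
void url_decode(const char *in, char *out, size_t len)
{
    size_t o = 0;
    for (; *in && o + 1 < len; in++) {
        unsigned int c;
        if (*in == '%' && isxdigit((unsigned char)in[1]) &&
            isxdigit((unsigned char)in[2]) && sscanf(in + 1, "%2x", &c) == 1) {
            out[o++] = (char)c;
            in += 2;
        } else {
            out[o++] = *in;
        }
    }
    out[o] = '\0';
}

/* Decode into a static buffer (demo convenience). */
const char *decode_rev(const char *enc)
{
    static char rev[128];
    url_decode(enc, rev, sizeof rev);
    return rev;
}

/* Vulnerable pattern: request-controlled file and revision are interpolated
 * into one string that is handed to "sh -c".  The payload closes the quote,
 * appends ";echo >iwashere" and reopens it. */
int build_diff_cmd(const char *file, const char *rev, char *cmd, size_t len)
{
    return snprintf(cmd, len, "diff -u '%s' '%s@%s'", file, file, rev);
}

/* Fix 1 (defense in depth): allow only the characters a value legitimately
 * needs; rejects the payload and path traversal alike. */
int safe_component(const char *s, const char *allowed)
{
    return *s != '\0' && strspn(s, allowed) == strlen(s) && strstr(s, "..") == NULL;
}

/* Run the diff inside dir either through /bin/sh -c (vulnerable) or via
 * execvp() with an argv array (Fix 2: no shell, metacharacters stay literal).
 * Output goes to /dev/null.  Returns 1 if "iwashere" appeared, else 0. */
static int run_and_check(const char *dir, int via_shell, const char *file, const char *rev)
{
    char cmd[512], marker[512];
    build_diff_cmd(file, rev, cmd, sizeof cmd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_RDWR);
        if (devnull >= 0) { dup2(devnull, 1); dup2(devnull, 2); }
        if (chdir(dir) != 0) _exit(126);
        if (via_shell) {
            execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        } else {
            char at[512];
            snprintf(at, sizeof at, "%s@%s", file, rev);
            char *const argv[] = { "diff", "-u", (char *)file, at, NULL };
            execvp("diff", argv);   /* diff may be missing; still no shell */
        }
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);
    snprintf(marker, sizeof marker, "%s/iwashere", dir);
    int created = access(marker, F_OK) == 0;
    unlink(marker);
    return created;
}

/* Drive the advisory's payload through both paths in a scratch directory. */
int injection_demo(int via_shell)
{
    char dir[] = "/tmp/bk-inj-XXXXXX";   /* constructed scratch dir */
    if (!mkdtemp(dir)) return -1;
    int r = run_and_check(dir, via_shell, "foo.c", decode_rev("%27;echo%20%3Eiwashere%27"));
    rmdir(dir);
    return r;
}

int main(void)
{
    printf("via sh -c : iwashere created = %d\n", injection_demo(1));
    printf("via execvp: iwashere created = %d\n", injection_demo(0));
    return 0;
}
```

The shell path creates iwashere whether or not diff exists, because the ';' the payload smuggled in is a command separator; the execvp() path never creates it, because the whole string is one literal argument to diff. Dropping the shell is the actual fix; the allowlist is a second layer that also stops ".." in the file component.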
SOLUTION
None yet