A command execution vulnerability exists in the redmine_git_hosting plugin, which integrates git server functionality into redmine. No authentication is required for exploitation via public projects, where clone (i.e. read-only) access to git repositories is permitted; otherwise a valid account with such access is required.
The vulnerability lies in the HTTP git transport handler provided by the plugin, which fails to sanitise input from which the backend git commands are constructed.
The vulnerable URI is that used in the git clone command, which can usually be found on a particular project’s page, or fabricated if the name of a project is known, for example: https://redmine.somewhere.com/someproject.git
There are several possible requests to trigger the same vulnerable code, though the following delay injection proof-of-concept request was found to work on all variant forks of the redmine plugin:
curl -k "https://redmine.demo.com/someproject.git/info/refs?service=git-%60sleep%2010%60"
There are several instances within the code of the HTTP git transport controller (git_http_controller.rb) of the redmine_git_hosting plugin where backend git commands are constructed with unsanitised user input, for example:
Since there is no official owner of this plugin, on 4th July 2013 several of the prominent fork developers were contacted, including the redmine team for their information, and of the two that replied one has responded with a patch for the plugin (see http://www.redmine.org/plugins/redmine-gitolite).
An offer was made to test any patched instances of the plugin, though as yet no developers have responded to have their patches confirmed with an instance running their forked code.
Ideally, the plugin should be re-written to use parametrised task execution of the git command, or at the very least the input should be whitelisted on a word or character level. If unsure, it is recommended that HTTP transport functionality be disabled on the redmine_git_hosting plugin until a fix has been confirmed.
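The two remediation options above (argument-level execution, and word- or character-level whitelisting) side by side with the unsafe pattern, as an added Ruby illustration; this is example code, not the plugin's own, and the command shape, the ALLOWED_SERVICES list, the project identifier rule and the repository base path are assumptions:

```ruby
require "open3"

# Smart HTTP only defines two services; anything else is rejected outright.
ALLOWED_SERVICES = %w[git-upload-pack git-receive-pack].freeze
# Project identifiers are restricted at the character level (assumed policy).
PROJECT_ID_RE = /\A[a-z0-9][a-z0-9_-]*\z/
REPO_BASE = "/var/lib/gitolite/repositories" # assumed base path

# Vulnerable shape (reconstruction, not the plugin's code): the user-controlled
# service name is interpolated into one shell string, so a value such as
# "git-`sleep 10`" reaches the shell unchanged and is executed.
def vulnerable_command(service, repo_path)
  "git #{service.sub(/\Agit-/, '')} --stateless-rpc --advertise-refs #{repo_path}"
end

# Word-level whitelist for the ?service= parameter.
def service_allowed?(service)
  ALLOWED_SERVICES.include?(service)
end

# Character-level whitelist for the project name taken from the URI.
def repo_path_for(project_id)
  raise ArgumentError, "bad project id #{project_id.inspect}" unless PROJECT_ID_RE.match?(project_id)
  File.join(REPO_BASE, "#{project_id}.git")
end

# Build an argv array: each element is one exec argument, nothing is shell-parsed.
def safe_argv(service, project_id)
  raise ArgumentError, "unsupported service #{service.inspect}" unless service_allowed?(service)
  ["git", service.sub(/\Agit-/, ""), "--stateless-rpc", "--advertise-refs", repo_path_for(project_id)]
end

# Run the whitelisted command without a shell: given several arguments,
# Open3.capture2 execs the program directly, so even a crafted argument
# cannot be reinterpreted as shell syntax.
def advertise_refs(service, project_id)
  out, status = Open3.capture2(*safe_argv(service, project_id))
  [out, status.success?]
end
```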
Copyright 2013 Sec-1 LTD. All rights reserved.