Redmine Git Hosting Plugin: Remote Command Execution

Sec-1 Security Advisory
Advisory Name : Redmine Git Hosting Plugin: Remote Command Execution
Discovery Date : 3/7/2013
Release Date : 16/8/2013
Application : Redmine Git Hosting Plugin
Platform : Any
Severity : HIGH. Remote Command Execution
CVE : CVE-2013-4663
Discovered by : Nick Blundell
Vendor Status : Some have patched the plugin
Website : https://www.sec-1.com/blog

Vulnerability Summary

A command execution vulnerability exists in the redmine_git_hosting plugin, which integrates git server functionality into redmine. No authentication is required for exploitation via public projects, where clone (i.e. read-only) access to git repositories is permitted; otherwise a valid account with such access is required.

The vulnerability lies in the HTTP git transport handler provided by the plugin, which fails to sanitise input from which the backend git commands are constructed.

The vulnerable URI is that used in the git clone command, which can usually be found on a particular project’s page, or fabricated if the name of a project is known, for example: https://redmine.somewhere.com/someproject.git

Exploit Example

There are several possible requests to trigger the same vulnerable code, though the following delay injection proof-of-concept request was found to work on all variant forks of the redmine plugin:

curl -k "https://redmine.demo.com/someproject.git/info/refs?service=git-%60sleep%2010%60"

Vulnerable Code

There are several instances within the code of the HTTP git transport controller (git_http_controller.rb) of the redmine_git_hosting plugin where backend git commands are constructed with unsanitised user input, for example:


# Note: here service name may be controlled by the user

def get_info_refs
  service_name = get_service_type
  if service_name
    command = git_command("#{service_name} --stateless-rpc --advertise-refs .")
    refs = %x[#{command}]
    content_type = "application/x-git-#{service_name}-advertisement"
    …


# Note: Here reqfile may be controlled by the user

def file_exists(reqfile)
  cmd="#{run_git_prefix()} if [ -e \"#{reqfile}\" ] ; then echo found ; else echo bad ; fi ' "
  is_found=%x[#{cmd}]
  is_found.chomp!
  return is_found == "found"
end

Exploit Code

Vendor Response

Since there is no official owner of this plugin, on 4th July 2013 several of the prominent fork developers were contacted, including the redmine team for their information, and of the two that replied one has responded with a patch for the plugin (see http://www.redmine.org/plugins/redmine-gitolite).

An offer was made to test any patched instances of the plugin, though as yet no developers have responded to have their patches confirmed with an instance running their forked code.

Recommendation

Ideally, the plugin should be re-written to use parametrised task execution of the git command, or at the very least the input should be whitelisted on a word or character level. If unsure, it is recommended that HTTP transport functionality be disabled on the redmine_git_hosting plugin until a fix has been confirmed.
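The following is an added illustration of the recommendation above, not code from the plugin or from any of its forks: the service name is allow-listed against the two smart-HTTP services git actually supports, the git command is run from an argument array (no shell parses the input), and the file check resolves the requested path against the repository directory rather than interpolating it into a shell string. The `git-` prefix handling and the `repo_path` argument are assumptions about how the surrounding controller would call it.

```ruby
require 'open3'

# Added example (not the plugin's own code): only the two smart-HTTP services
# are accepted, mapped to the git sub-command they run.
ALLOWED_SERVICES = {
  'git-upload-pack'  => 'upload-pack',  # clone / fetch
  'git-receive-pack' => 'receive-pack'  # push
}.freeze

# Returns the git sub-command for a valid ?service= value, nil otherwise.
# Anything not exactly in the allow-list (e.g. the advisory's
# "git-`sleep 10`" value) is rejected before any command is built.
def safe_service_name(param)
  ALLOWED_SERVICES[param.to_s]
end

# Argument vector for "git <service> --stateless-rpc --advertise-refs <repo>".
# Handed to Open3 as separate arguments it never passes through a shell,
# unlike the %x[...] interpolation in the vulnerable controller.
def advertise_refs_argv(service, repo_path)
  ['git', service, '--stateless-rpc', '--advertise-refs', repo_path]
end

# Replacement for the advisory's file_exists: expand reqfile relative to the
# repository directory and require the result to stay inside it.
def repo_file_exists?(repo_dir, reqfile)
  base = File.realpath(repo_dir)
  full = File.expand_path(reqfile.to_s, base)
  return false unless full == base || full.start_with?(base + File::SEPARATOR)
  File.exist?(full)
rescue ArgumentError, Errno::ENOENT
  false # e.g. "~unknownuser" or a missing repo_dir
end

# Hardened get_info_refs: returns [stdout, success?] for an allow-listed
# service, or nil when the service parameter is rejected.
def get_info_refs(service_param, repo_path)
  service = safe_service_name(service_param)
  return nil unless service
  out, status = Open3.capture2(*advertise_refs_argv(service, repo_path))
  [out, status.success?]
end
```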

Copyright 2013 Sec-1 LTD. All rights reserved.
