COMMAND

    BSCW

SYSTEMS AFFECTED

    BSCW 3.x

PROBLEM

    'neovatar' found the following.  A malicious user can read every
    file on the system that the BSCW UID can read.  BSCW is a groupware
    system that runs on a webserver.

    While playing around with symlinks and how the BSCW system handles
    them, he noticed that it follows symlinks.  Since it offers users
    the ability to extract .tar files into their "data-bag" (private
    space), symlink following can be exploited by a malicious user.
    To do this he/she needs to create a .tar file that contains a
    symlink pointing to a file he/she wants to read.  After this .tar
    file has been uploaded to the BSCW server and extracted by
    clicking on the "extract" menu option, the "data-bag" of the user
    contains the symlink as a BSCW data object.  Clicking on it will
    make the BSCW system follow the symlink and retrieve the target
    file, so the user is able to download/view it.  Example:

        my_host:/tmp/>ln -s /etc/passwd testlink
        my_host:/tmp/>tar cvf testlink.tar testlink

    After uploading it to the  BSCW server and extracting it,  you can
    click on the "testlink" item  in your "data-bag" and retrieve  the
    /etc/passwd file of the server.

    Basically the attacker can view any file on the system, as long as
    the UID under which the BSCW system is running can access it.
    In most cases this will be the same UID as the webserver UID
    (nobody, wwwrun).  This can give the malicious user access to BSCW
    data items that he could normally not read, or worse, it could be
    used to retrieve the BSCW password file for cracking other users'
    passwords or for information gathering for further system
    penetration.  The early "op_extract" patch fixes that but leaves a
    few other exploitable issues.

    Another vulnerability lies in the standard installation, which
    calls the "zip" tool when converting .tar files to .zip files.
    After the "op_extract" patch you could not access the symlink,
    since the new extract function checks for symlinks after tar is
    called.  By converting the attacker's .tar file to a .zip file,
    zip will follow the symlink and pack the file that was targeted by
    the link.  If you have customized calls to external programs (e.g.
    packer conversion utilities) in your BSCW system configuration,
    you should check whether symlink following can be exploited.

SOLUTION

    The latest patch "untar.py" introduces a wrapper which looks for
    symlinks and seems to fix all symlink vulnerabilities.  You can
    download the patches and view the installation instructions at

        http://bscw.gmd.de/pycXX

    where XX  is the  version of  your installed  python package (e.g.
    http://bscw.gmd.de/pyc20 for python 2.0).