Bugzilla 0-day can reveal 0-day bugs in OSS giants like Mozilla, Red Hat
Security firm Check Point Software Technologies used a flaw it discovered in the Perl programming language to hack into the popular Bugzilla bug-tracking system and add four users to the administrator group, giving them power to see the details of undisclosed vulnerabilities.
The bold demonstration, detailed in a private bug report made public on Monday, took advantage of a new class of flaws discovered by Check Point in the Perl programming language, allowing the organization to craft specific strings of text that essentially fooled Bugzilla’s user database. Check Point created administrator accounts for mozilla.com, mozilla.org, bugzilla.org, and bugzilla.bugs in the system.
“This is not an SQL injection attack, this is something rather new,” Shahar Tal, security research team leader at Check Point, told Ars. “This is part of research that we have been working on for a couple of months on a specific Perl issue. Bugzilla is a good example and sample, but it is not the only project that we were able to find vulnerabilities in.”
On Monday, Bugzilla released a patch for the problem to the public, but it notified the largest projects of the issue last week after hearing from Check Point. Nearly 150 large software developers and open-source projects—from Mozilla and OpenOffice to Red Hat and the Linux kernel—use the software to track the vulnerabilities in their products.
While the seemingly new class of issues in the Perl language is interesting, the hack also depended on how Bugzilla, and many of the software companies and open-source projects that run it, configure their systems. To ease administration, Mozilla automatically added e-mail addresses matching a specific pattern, such as any address ending in “bugzilla.org”, to the system’s group of administrators. Such patterns, known in programming parlance as ‘regular expressions’ or regex, are a common way to automate this kind of task.
“The successful exploitation of the vulnerability allows the manipulation of any (database) field at the user creation procedure, including the ‘login_name’ field,” Netanel Rubin, a researcher with Check Point, wrote in the initial report to Bugzilla. “This breaks the e-mail validation process and allows an attacker to create accounts which match the group’s regex policies, effectively becoming a privileged user.”
The coding pattern that produced the security issue appeared 15 times in the code, four of which could have been exploited by attackers, according to an analysis by Gervase Markham, a Mozilla programmer who works on the Bugzilla project.
“If you maintain a Perl Web application, you may want to audit it for this pattern,” he said.
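As an added illustration of the pattern worth auditing for (this is not code from the article, from Bugzilla, or from Check Point), the Perl idiom publicly identified behind this bug: a CGI-style `param()` called in list context while building a hash lets a multi-valued request parameter smuggle in extra key/value pairs, which then interact with the regex-based group membership the article describes. The `param()` stand-in, the `%query` data, `is_admin()` and the admin regex are all constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed request: a multi-valued 'login' parameter, standing in for
# what a CGI library would parse from repeated login=... query fields.
my %query = ( login => [ 'newuser@example.com', 'login_name', 'someone@bugzilla.org' ] );

# Stand-in for a CGI.pm-style param(): all values in list context,
# only the first value in scalar context.
sub param {
    my ($name) = @_;
    my @values = @{ $query{$name} || [] };
    return wantarray ? @values : $values[0];
}

# The risky pattern: param() is called in list context while building a
# hash, so surplus values become extra keys the caller never intended.
sub new_user_unsafe {
    my %user = ( login => param('login'), realname => 'New user' );
    return \%user;
}

# Hardened form: scalar() forces a single value, so no extra keys appear.
sub new_user_safe {
    my %user = ( login => scalar param('login'), realname => 'New user' );
    return \%user;
}

# Constructed stand-in for regex-based automatic group membership: the
# stored login name decides whether the account lands in the admin group.
my $admin_regex = qr/\@bugzilla\.org$/;
sub is_admin {
    my ($user) = @_;
    my $name = $user->{login_name} // $user->{login};
    return $name =~ $admin_regex ? 1 : 0;
}

for my $case ( [ unsafe => new_user_unsafe() ], [ safe => new_user_safe() ] ) {
    my ($label, $user) = @$case;
    printf "%-6s keys=%s admin=%d\n", $label,
        join( ',', sort keys %$user ), is_admin($user);
}
```

The unsafe variant ends up with an unexpected `login_name` key that satisfies the admin regex, while the `scalar` form keeps only the single `login` value; auditing a code base for `param()` calls inside hash constructors is the check Markham is recommending.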
While the issue could allow cybercriminals to hack into software firms’ bug tracking systems, most major developers have patched their systems. Smaller open-source projects and software companies with publicly accessible Bugzilla systems will be vulnerable until they update, Check Point’s Tal said.
“The really big companies have already patched,” he said. “Whoever is really alert and tight on security, they will see the patch and patch today or tomorrow, which leaves a very, very small window of exposure for attackers.”
Check Point plans to release more information on the research at the Chaos Communications Congress in Germany later this year. The Mozilla Foundation did not comment on the bug report by publication time.