Tags:
create new tag
, view all tags
What is TWiki?
A leading open source enterprise wiki and web application platform used by 50,000 small businesses, many Fortune 500 companies, and millions of people.
MOVED TO... Learn more.

Security Alert CVE-2012-6329: TWiki MAKETEXT Variable Allows Arbitrary Shell Command Execution

ALERT! Get Alerted: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

This advisory alerts you of a potential security issue with your TWiki installation: The %MAKETEXT{}% TWiki variable allows arbitrary shell command execution. The problem is caused by an underlying security issue in the Locale::Maketext CPAN module.

Vulnerable Software Version

Attack Vectors

Editing wiki pages and HTTP POST requests towards a TWiki server with enabled localization (typically port 80/TCP). Typically, prior authentication is necessary.

Impact

An unauthenticated remote attacker can execute arbitrary shell commands as the webserver user, such as user nobody.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 1 issue: The web server can be compromised

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2012-6329 to this vulnerability.

Details

1. Shell Command execution: The %MAKETEXT{}% TWiki variable is used to localize user interface content to a language of choice. Using a specially crafted MAKETEXT, a malicious user can execute shell commands by Perl backtick (``) operators. User input is passed to the Perl "eval" command without first being sanitized. The problem is caused by an underlying security issue in the CPAN:Locale::Maketext module. This works only in TWiki sites that have user interface localization enabled.

In addition, there are two less severe issues with MAKETEXT:

2. Excessive memory allocation: %MAKETEXT{"This is [_9999999999999999] Evil"}% will consume all memory and swap space attempting to initialize all missing entries in the parameters array. (CVE-2012-6330)

3. Crash: %MAKETEXT{"This is [_0] problematic"}% can cause a crash under some circumstances.

Countermeasures

  • One of:
    • Disable localization by setting configure flag {UserInterfaceInternationalisation} to 0.
    • Apply hotfix (see patch below).
    • Upgrade to the latest patched production release TWiki-5.1.3 (TWikiRelease05x01x03) when available.

  • In addition:
    • Install CPAN:Locale::Maketext version 1.23 or newer.
    • Use the {SafeEnvPath} configure setting to restrict the possible directories that are searched for executables. By default, this is the PATH used by the webserver user. Set {SafeEnvPath} to a list of non-writable directories, such as "/bin:/usr/bin".

Hotfix for TWiki Production Release 5.1.x

Affected file: twiki/lib/TWiki.pm

Patch to sanitize MAKETEXT parameters:

--- TWiki.pm   (revision 24029)
+++ TWiki.pm   (working copy)
@@ -4329,8 +4329,23 @@
 
     # unescape parameters and calculate highest parameter number:
     my $max = 0;
-    $str =~ s/~\[(\_(\d+))~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
-    $str =~ s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
+    my $min = 1;
+    $str =~ s/~\[(\_(\d+))~\]/
+              $max = $2 if ($2 > $max);
+              $min = $2 if ($2 < $min);
+              "[$1]"/ge;
+    $str =~ s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/
+              $max = $2 if ($2 > $max);
+              $min = $2 if ($2 < $min);
+              "[$1]"/ge;
+
+    # Item7080: Sanitize MAKETEXT variable:
+    return "MAKETEXT error: No more than 32 parameters are allowed" if( $max > 32 );
+    return "MAKETEXT error: Parameter 0 is not allowed" if( $min < 1 );
+    if( $TWiki::cfg{UserInterfaceInternationalisation} ) {
+        eval { require Locale::Maketext; };
+        $str =~ s#\\#\\\\#g if( $@ || !$@ && $Locale::Maketext::VERSION < 1.23 );
+    }
 
     # get the args to be interpolated.
     my $argsStr = $params->{args} || "";

On a properly patched system, %MAKETEXT{" [_99] "}% should return this error: =MAKETEXT error: No more than 32 parameters are allowed.

This patch is handled at TWikibug:Item7080.

Hotfix for older affected TWiki Releases

Apply above patch (line numbers may vary).

Authors and Credits

Action Plan with Timeline

Date Action Status Who
2012-12-10 User discloses issue to TWikiSecurityMailingList Done GeorgeClark
2012-12-10 Developer verifies issue Done PeterThoeny
2012-12-10 Developer fixes code Done PeterThoeny
2012-12-10 Security team creates advisory with hotfix Done PeterThoeny
2012-12-11 Developer verifies patch Done HideyoImazu
2012-12-12 Send alert to TWikiAnnounceMailingList and TWikiDevMailingList Done PeterThoeny
2012-12-14 Publish advisory in Codev web and update all related topics Done PeterThoeny
2012-12-14 Issue a public security advisory to full-disclosure[at]lists.grok.org.uk, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org Done PeterThoeny
2012-12-16 Developer creates new TWiki-5.1.3 patch release with fix Done PeterThoeny

External Links

-- PeterThoeny - 2012-12-10

Discussions

Edit | Attach | Watch | Print version | History: r17 < r16 < r15 < r14 < r13 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r17 - 2012-12-19 - PeterThoeny
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2015 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.