Tags:
create new tag
, view all tags

Security Alert: Configure script allows arbitrary shell command execution (CVE-2006-3819)

ALERT! Please join the
twiki-announce list:
To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

This advisory alerts you of a potential security issue with your TWiki installation: Unauthorized user may execute arbitrary commands in case the TWiki configure script is not access restricted.

Vulnerable Software Version

Attack Vectors

Supply a specially crafted HTTP POST request on the TWiki configure script.

Impact

An intruder is able to execute arbitrary shell commands with the privileges of the web server process, such as user nobody. Properly configured TWiki sites with authenticated configure script are not affected.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 1 issue: The web server can be compromised

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2006-3819 to this vulnerability.

Details

All TWiki 4.0.x releases have an unsafe eval in twiki/bin/configure which can be exploited to evaluate arbitrary Perl code and run arbitrary commands as the httpd user.

The exploit requires creating a special form to submits a crafted TYPEOF parameter to the configure script. Example:

  <form method="post" action="/twiki/bin/configure" />
    <input type="hidden" name="action" value="update" />
    <input type="text" 
           name="TYPEOF:);system('/bin/touch /tmp/whoops');my @a=(" 
           value="anything" />
    <input type="submit" name="submit" value="Submit" />
  </form>

This results in the following code being evaluated:

$def = defined( $TWiki::cfg);system('/usr/bin/touch /tmp/whoops');my @a=( );

As expected, the file /tmp/whoops appears on the server. The last bit simply avoids a syntax error.

Countermeasures

  • Restrict access to the TWiki configure script.
  • Apply the hotfix indicated below.
    • NOTE: The hotfix is known to prevent the current attacks, but it might not be a complete fix

Hotfixes

This section describes how to protect a TWiki installation on two levels.

  • Level 1: Restrict access to the configure script
  • Level 2: Hotfix download for TWiki 4.0.4

Level 1: Restrict access to the configure script

The configure script should be protected from general access. It is a tool designed for administrators only and should be restricted to invocation by them only. This is typically done by using the basic Apache authentication. The configure script cannot save any settings once the password has been saved for the first time, but the script could still be vulnerable to specially crafted field values. In addition, the script reveals many details about the webserver that should not be made public.

In order to protect TWiki's configure script you can choose between two methods:

  • Limit access to specific local IP addresses.
  • Limit access to a few administrator users.

The access restriction can be done using Apache http.conf files or .htaccess files.

Protection of configure using Apache config files

The example below shows the part of an example Apache config file that configures the TWiki bin directory.

<Directory "/home/httpd/twiki/bin">
  AllowOverride None
  Order Allow,Deny
  Allow from all
  Deny from env=anonymous_spider

  Options ExecCGI FollowSymLinks
  SetHandler cgi-script

  # Password file for TWiki users
  AuthUserFile /var/www/twiki/data/.htpasswd
  AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith).'
  AuthType Basic

  # File to return on access control error (e.g. wrong password)
  # By convention this is the TWikiRegistration page, that allows users
  # to register with the TWiki. Apache requires this to be a *local* path.
  ErrorDocument 401 /twiki/bin/view/TWiki/TWikiRegistration

  # Limit access to configure to specific IP addresses and or users.
  # Make sure configure is not open to the general public.
  # The configure script is designed for administrators only.
  # The script itself and the information it reveals can be abused by
  # attackers if not properly protected against public access.
  # Replace JohnDoe with the login name of the administrator
  <FilesMatch "^configure.*">
    SetHandler cgi-script
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1, 192.168.1.10
    Require user JohnDoe
    Satisfy Any
  </FilesMatch>

  # When using Apache type login the following defines the TWiki scripts
  # that makes Apache ask the browser to authenticate. It is correct that
  # scripts such as view are not authenticated. (un-comment to activate)
  #<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
  #   require valid-user
  #</FilesMatch>

</Directory>

The parts that protect the configure script are:

  • The AuthUserFile, AuthName and AuthType defined the type of authentication and the password file location. This is required to limit the access to specific users.
  • In the FilesMatch section the Require user JohnDoe defined who has access to the configure script.
  • In the FilesMatch section the Allow from 127.0.0.1, 192.168.1.10 limits access to these two IP addresses. Note that the first is localhost.
  • In the FilesMatch section the Satisfy Any means that either the login name or the IP address must be valid. If you only setup one of the protections you can remove this. If you want IP address match and login to be required change this to Satisfy All

Above Apache config example is taken from file twiki_httpd_conf.txt, located in the root of your TWiki installation after upgrading it to TWiki-4.0.4 Hotfix 2. The accumulated Hotfix 2 for TWiki-4.0.4 can be downloaded from TWiki:Codev.HotFix04x00x04x02

If you configure Apache via .htaccess files

If you configure your Apache via .htaccess files the protection method is identical to the method with config files, with these exceptions:

  • A .htaccess file is put in the bin directory
  • The same <FilesMatch "^configure.*"> section is placed in the .htaccess file
  • The <Directory> </Directory> section is not needed.

An example .htaccess.txt file is located in the bin of your TWiki installation after upgrading it to TWiki-4.0.4 Hotfix 2. The accumulated Hotfix 2 for TWiki-4.0.4 can be downloaded from TWiki:Codev.HotFix04x00x04x02

Apache Config Generator

You can quickly create a complete Apache config file, tailored to your installation, at TWiki:TWiki.ApacheConfigGenerator. It protects also the configure script, based on your preference.

Level 2: Hotfix download for TWiki 4.0.4

An accumulated Hotfix 2 for TWiki-4.0.4 is available for download. It contains an improved version of the configure script, fixing the known vulnerability. It is available at TWiki:Codev.HotFix04x00x04x02.

Authors and Credits

Action Plan with Timeline

# Action Date Status Who
1. User discloses vulnerability to twiki-security 2006-07-21 Done TWiki:Main.BenWheeler
2. Developer verifies issue 2006-07-22 Done KennethLavrsen
3. Developer creates fix 2006-07-23 Done CrawfordCurrie, KennethLavrsen
4. Developer creates HotFix04x00x04x02 for TWiki 4.0.4 2006-07-25 Done KennethLavrsen
5. Security team creates advisory 2006-07-25 Done PeterThoeny, KennethLavrsen
6. Send alert to TWikiAnnounceMailingList and TWikiDevMailingList 2006-07-26 Done PeterThoeny
7. Publish advisory in Codev web and update all related topics 2006-07-26 Done PeterThoeny
8. Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) 2006-07-27 Done PeterThoeny

External Links

-- Contributors: KennethLavrsen, CrawfordCurrie, PeterThoeny - 26 Jul 2006

Discussions

Secunia picked the advisory already up from TWiki.org, one day before the planned public advisory. I therefore sent the advisory (no point in waiting any longer.)

-- PeterThoeny - 28 Jul 2006

There is an exploit in the wild! An automated script has used this vulnerability to compromise my website. This particular exploit installed an FTP server and performed a DOS attack using telnet. Be aware!

-- KevinTam - 03 Aug 2006

Thanks Kevin for the reprot. An unfortunate reality that crackers are monitoring the security advisories looking for new ways to do their dirty work. It shows how important it is to be on the TWikiAnnounceMailingList and to fix vulnerabilities quickly. (And for the TWiki dev team to produce code without security flaws.)

-- PeterThoeny - 04 Aug 2006

Edit | Attach | Watch | Print version | History: r12 < r11 < r10 < r9 < r8 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r12 - 2006-08-04 - PeterThoeny
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2015 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.