
Security Alert: TWiki INCLUDE function allows arbitrary shell command execution

ALERT! Please join the twiki-announce list: to get immediate alerts of high priority security issues, please join the low-volume twiki-announce list. Details at TWikiAnnounceMailingList.

This advisory alerts you of a potential security issue with your TWiki installation: The TWiki INCLUDE function allows arbitrary shell command execution.

See also the unrelated security audit on visible lib directories, SecurityAuditOnVisibleLibDir.

Vulnerable Software Version

Not affected are:

Attack Vectors

Editing wiki pages, and HTTP GET requests to the wiki server (typically port 80/TCP). Prior authentication is typically required, but an anonymous TWikiGuest account is sufficient where one is enabled.

Impact

An attacker is able to execute arbitrary shell commands with the privileges of the web server process, such as user nobody.

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-3056 to this vulnerability.

Details

The TWiki INCLUDE function lets a malicious user inject text into a command line that TWiki executes with the Perl backtick (``) operator.

The rev parameter of the INCLUDE variable is not checked properly for shell metacharacters, so a "revision number" containing a pipe and a shell command is passed to the shell unchanged. The exploit works against included topics that have two or more revisions, since that is the case in which TWiki reads the revision through the external command.

Example INCLUDE variable exploiting the rev parameter:
%INCLUDE{ "Main.TWikiUsers" rev="2|less /etc/passwd" }%

The same vulnerability is exposed to all Plugins and add-ons that use the TWiki::Func::readTopicText function to read a previous topic revision. This has been tested on TWiki:Plugins.RevCommentPlugin and TWiki:Plugins.CompareRevisionsAddon.

If access to TWiki is not restricted by other means, attackers can use the revision function with or without prior authentication, depending on the configuration.
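The following Perl sketch is an added illustration and is not TWiki's code, nor code from the plugins named above. It reproduces the shape of the flaw described in this section for both paths (an INCLUDE with a crafted rev, and a plugin reading a revision through the same store call): an untrusted rev value is interpolated into a command line that is run with the backtick operator, and the same value is then passed through the digit-only sanitizer that the hotfix adds to Store.pm. The subroutine names, the `echo co -q -p1.N` command shape (a harmless stand-in for the real RCS invocation) and the sample file path are assumptions made for the demo.

```perl
#!/usr/bin/perl
# Added example, not TWiki's own code. A constructed stand-in for the
# revision-reading path the advisory describes. `echo` replaces the real
# co/rcs command so the script runs anywhere without touching RCS files.
use strict;
use warnings;

# Vulnerable shape: rev is interpolated into the command line verbatim and
# the backtick operator hands a string with metacharacters to /bin/sh.
sub fetch_revision_unsafe {
    my ( $file, $rev ) = @_;
    my $cmd = "echo co -q -p1.$rev $file";    # assumed command shape
    return scalar `$cmd`;
}

# Sanitizer from the hotfix hunk for Store.pm: strip a leading "r1." or "1.",
# then keep only the first run of digits; anything without digits becomes "".
sub sanitize_rev {
    my ($rev) = @_;
    $rev = "" unless defined $rev;
    $rev =~ s/^r?1\.//;
    return "" unless ( $rev =~ s/^.*?([0-9]+).*$/$1/s );
    return $rev;
}

# Hardened shape: only a digit string can ever reach the shell.
sub fetch_revision_safe {
    my ( $file, $rev ) = @_;
    $rev = sanitize_rev($rev);
    return "" if $rev eq "";                  # no usable revision number
    my $cmd = "echo co -q -p1.$rev $file";
    return scalar `$cmd`;
}

my $file   = "Main/TWikiUsers.txt,v";         # constructed sample path
my $attack = '2; echo INJECTED';              # same idea as rev="2|less /etc/passwd"

print "unsafe: ", fetch_revision_unsafe( $file, $attack );
# two commands run; the second output line contains INJECTED

print "safe:   ", fetch_revision_safe( $file, $attack );
# only "co -q -p1.2 Main/TWikiUsers.txt,v" is echoed

for my $r ( '2|less /etc/passwd', 'r1.7', '1.3', 'abc' ) {
    printf "%-22s -> '%s'\n", "'$r'", sanitize_rev($r);
}
```

Run it with `perl demo.pl` on any system with /bin/sh. The unsafe variant prints a second line produced by the injected command; the safe variant reduces `2|less /etc/passwd` to `2` and runs exactly one command, and a value with no digits at all (`abc`) yields an empty revision rather than a shell call.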

See Also: IncludePreviousTopicRevision, SecurityAlertExecuteCommandsWithRev, SecurityAlertExecuteCommandsWithSearch, UncoordinatedSecurityAlert23Feb2005

Countermeasures

Authors and Credits

Hotfix

Patch for TWiki Production Release 03-Sep-2004

Affected files: twiki/lib/TWiki.pm, twiki/lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm, lib/TWiki/UI/View.pm, lib/TWiki/UI/Viewfile.pm

See attached patch file TWiki200409-03-04patch.txt

Patch for TWiki Production Release 02-Sep-2004

Affected files: twiki/lib/TWiki.pm, twiki/lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm, lib/TWiki/UI/View.pm, lib/TWiki/UI/Viewfile.pm

See attached patch file TWiki200409-02-04patch.txt

Patch for TWiki Production Release 01-Feb-2003

Note: This assumes that the release is already patched with the SecurityAlertExecuteCommandsWithRev fix.

Affected files: twiki/lib/TWiki/Store.pm, twiki/bin/rdiff, twiki/bin/view, twiki/bin/viewfile

See attached patch file TWiki200302-01-04patch.txt

-- PeterThoeny - 27 Sep 2005

Action Plan with Timeline

#  | Action | Date/Deadline | Status | Who
1. | User discloses issue to TWikiSecurityMailingList | 2005-09-14 | Done | JChristophFuchs
2. | Verify issue | 2005-09-19 | Done | PeterThoeny
1. | User discloses issue and proposed fix to TWikiSecurityMailingList | 2005-09-20 | Done | JoseLuna
3. | Create hotfix for affected TWikiProductionReleases | 2005-09-20 | Done | PeterThoeny, JoseLuna
4. | Create patched production TWikiRelease04Sep2004 | 2005-09-23 | Done | PeterThoeny
5. | Compile e-mail list of administrators of public TWiki sites (based on Google search and TWikiInstallation directory, total 690) | 2005-09-25 | Done | PeterThoeny
6. | Initial alert: alert TWikiDevMailingList members and administrators of public TWiki sites by e-mail | 2005-09-25 evening PDT | Done | PeterThoeny
7. | Send alert to TWikiAnnounceMailingList and TWikiDevMailingList | 2005-09-27 evening PDT | Done | PeterThoeny
8. | Publish advisory in Codev web and update all related topics | 2005-09-27 evening PDT | Done | PeterThoeny
9. | Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) | 2005-09-28 | Done | PeterThoeny

External Links

-- PeterThoeny - 28 Sep 2005

Discussions

I've just tried to apply patch file TWiki200409-03-04patch.txt (to an installation patched yesterday from 02 using the file attached to SecurityAlertExecuteCommandsWithRev) but I got one failure:

Patching file ./lib/TWiki/Store.pm using Plan A...
Hunk #1 failed at 451.
Hunk #2 succeeded at 470 with fuzz 2.
Hunk #3 succeeded at 578.
1 out of 3 hunks failed--saving rejects to ./lib/TWiki/Store.pm.rej

I'm not sure why it failed, since there doesn't seem to be a mismatch between the patch file and the code to be patched. (I'm running patch version 2.1, in case that's relevant.)

-- JamesAnderson - 28 Sep 2005

Same thing happened to me. This patch seems to be incompatible with previous ones (03 Sep 2004). I suggest you download the new TWiki release (04 Sep 2004) and replace the following files in your existing TWiki installation (unless you've manually hacked those files, of course).

  • ./TWikiDocumentation.html
  • ./license.txt
  • ./readme.txt
  • ./lib/TWiki.pm
  • ./lib/TWiki/Store.pm
  • ./lib/TWiki/UI/RDiff.pm
  • ./lib/TWiki/UI/View.pm
  • ./lib/TWiki/UI/Viewfile.pm

-- PabloHoffman - 28 Sep 2005

I got a similar report of patch failure. Possibly a whitespace issue? The standard procedure that should work is to go to the twiki root directory and to run command: patch -p0 < patchfile

-- PeterThoeny - 28 Sep 2005

Grr, 4th patch for Cairo, although Dakar is already ready for take-off. I suggest downloading Dakar directly from SVN for new users.

-- FranzJosefSilli - 28 Sep 2005

No, at this time I do not recommend Dakar for production use. Better to fix Sep 2004 installations with this patch or Florian's UncoordinatedSecurityAlert23Feb2005 patch.

-- PeterThoeny - 28 Sep 2005

Patching did not work for me either. This is the .rej File:

***************
*** 451,457 ****
      my( $theWeb, $theTopic, $theRev ) = @_;
      my $topicHandler = _getTopicHandler( $theWeb, $theTopic );

-     $theRev =~ s/^1\.//o;
      return $topicHandler->getRevision( $theRev );
  }

--- 451,459 ----
      my( $theWeb, $theTopic, $theRev ) = @_;
      my $topicHandler = _getTopicHandler( $theWeb, $theTopic );

+     $theRev =~ s/^r?1\.//o;
+     # Fix for Codev.SecurityAlertExecuteCommandsWithInclude
+     $theRev = "" unless( $theRev =~ s/^.*?([0-9]+).*$/$1/so );
      return $topicHandler->getRevision( $theRev );
  }
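Review bot: the added `unless` line closes the injection by truncation rather than rejection: `$theRev =~ s/^.*?([0-9]+).*$/$1/so` turns "2|less /etc/passwd" into "2" and the request is then served as a normal revision read, so an attack probe is indistinguishable from legitimate traffic and nothing is logged. Consider failing closed after the `s/^r?1\.//o` strip, e.g. `return "" unless $theRev =~ /^[0-9]+$/;`, and writing the rejected value to the warning log. The change from `s/^1\.//o` to `s/^r?1\.//o` also widens what is accepted ("r1.N" forms) and is not covered by the "Fix for Codev.SecurityAlertExecuteCommandsWithInclude" comment, so it deserves its own comment line.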

-- DanielSchneller - 29 Sep 2005

Before running patch -p0 < patchfile I usually test with a dry run first: patch -p0 --verbose --dry-run < patchfile. This way you see if the patch runs smoothly.

And TWiki200409-03-04patch.txt doesn't.

Solutions: You can work around it by ignoring whitespace (patch option -l), or correct the failing hunk by editing the patch file TWiki200409-03-04patch.txt: at line 65, add five spaces.

@@ -451,7 +451,9 @@
     my( $theWeb, $theTopic, $theRev ) = @_;
     my $topicHandler = _getTopicHandler( $theWeb, $theTopic );
                                                                    <---- add five spaces here!
-    $theRev =~ s/^1\.//o;
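Review bot: the blank context line (the one marked above) is the line that fails to match, and padding it with five spaces only tailors the patch to one installation's trailing whitespace. Applying with `patch -l` so whitespace differences are ignored, or regenerating the hunk's context from an actual 03-Sep-2004 Store.pm, is more robust than hand-editing the patch file. If the patch is hand-edited anyway, leave the `@@ -451,7 +451,9 @@` counts alone, since adding spaces to a context line does not change the hunk's line count.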
Now patching succeeds with a maximum fuzz of 2. Still not optimal, but it works.

-- DanielKabs - 30 Sep 2005
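The following shell script is an added example and is not part of the original page or of the TWiki hotfix. It reconstructs, on a scratch copy, the failure mode discussed in this thread and in the Hotfix section above (a blank context line in lib/TWiki/Store.pm that carries trailing spaces in the installed file but not in the patch), then shows that a --dry-run catches it before any file is modified and that -l (ignore whitespace) lets the hunk apply. The file content and the patch are constructed here; the hunk mirrors the .rej posted above, and the shape of the sanitizer line comes from that hunk. It requires GNU patch (the -l and --dry-run options) and returns 2 if patch(1) is not installed.

```sh
#!/bin/sh
# Added example, not from the original page or from TWiki. Reproduces the
# context-whitespace patch failure reported in the thread on a scratch copy.

demo_whitespace_patch() {
    command -v patch >/dev/null 2>&1 || { echo "patch(1) not installed, skipping" >&2; return 2; }
    tmp=$(mktemp -d) || return 1

    # Constructed "installed" Store.pm: the blank line before the substitution
    # carries five trailing spaces, as the thread suspects for the real file.
    printf '%s\n' \
        'sub readTopicVersion' \
        '{' \
        '    my( $theWeb, $theTopic, $theRev ) = @_;' \
        '    my $topicHandler = _getTopicHandler( $theWeb, $theTopic );' \
        '     ' \
        '    $theRev =~ s/^1\.//o;' \
        '    return $topicHandler->getRevision( $theRev );' \
        '}' > "$tmp/Store.pm"

    # Constructed patch whose blank context line is genuinely empty (a single
    # leading space in unified-diff form). Same hunk shape as the posted .rej.
    cat > "$tmp/fix.patch" <<'EOF'
--- Store.pm
+++ Store.pm
@@ -3,6 +3,8 @@
     my( $theWeb, $theTopic, $theRev ) = @_;
     my $topicHandler = _getTopicHandler( $theWeb, $theTopic );
 
-    $theRev =~ s/^1\.//o;
+    $theRev =~ s/^r?1\.//o;
+    # Fix for Codev.SecurityAlertExecuteCommandsWithInclude
+    $theRev = "" unless( $theRev =~ s/^.*?([0-9]+).*$/$1/so );
     return $topicHandler->getRevision( $theRev );
 }
EOF

    # 1. Strict dry run: the innermost context line mismatches, so fuzz cannot
    #    rescue it and the hunk is expected to fail (no file is touched).
    if (cd "$tmp" && patch -p0 -s --dry-run < fix.patch >/dev/null 2>&1); then
        strict=0
    else
        strict=1
    fi

    # 2. Dry run with -l: blanks at the end of lines are ignored, so it applies.
    if (cd "$tmp" && patch -p0 -s -l --dry-run < fix.patch >/dev/null 2>&1); then
        loose=0
    else
        loose=1
    fi

    # 3. Apply for real with -l and confirm the sanitizer line landed.
    (cd "$tmp" && patch -p0 -s -l < fix.patch >/dev/null 2>&1) || loose=1
    grep -q 'unless( $theRev =~' "$tmp/Store.pm" || loose=1

    rm -rf "$tmp"
    echo "strict dry-run failed: $strict  ignore-whitespace applied: $loose"
    # Success means: strict attempt failed AND -l attempt applied cleanly.
    [ "$strict" -eq 1 ] && [ "$loose" -eq 0 ]
}

demo_whitespace_patch
```

The same two-step habit transfers directly to a real installation: run `patch -p0 --dry-run < TWiki200409-03-04patch.txt` from the twiki root first, and only if that reports a failed hunk retry with `-l`; if `-l` still fails, the rejected hunk belongs in a `.rej` file and should be applied by hand rather than by editing the patch's context lines.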

Topic attachments
Attachment | Rev | Size | Date | Who | Comment
TWiki200302-01-04patch.txt | r1 | 3.2 K | 2005-09-21 01:07 | UnknownUser | Patch from 20030201 to 20040904 version
TWiki200409-02-04patch.txt | r1 | 5.2 K | 2005-09-21 00:46 | UnknownUser | Patch from 20040902 to 20040904 version
TWiki200409-03-04patch.txt | r1 | 5.3 K | 2005-09-21 00:46 | UnknownUser | Patch from 20040903 to 20040904 version
Topic revision: r14 - 2005-09-30 - DanielKabs