Security Alert: TWiki INCLUDE function allows arbitrary shell command execution

Please join the twiki-announce list:	To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList

This advisory alerts you of a potential security issue with your TWiki installation: The TWiki INCLUDE function allows arbitrary shell command execution.

Please see also unrelated security audit on visible lib directories, SecurityAuditOnVisibleLibDir

Vulnerable Software Version

• TWikiRelease03Sep2004 -- TWiki20040903.zip
• TWikiRelease02Sep2004 -- TWiki20040902.zip
• TWikiRelease01Sep2004 -- TWiki20040901.zip
• TWikiRelease01Feb2003 -- TWiki20030201.zip

Not affected are:

• Recent DakarReleases (upcoming production release, soon)
• TWikiRelease01Sep2004 patched with Florian Weimer's UncoordinatedSecurityAlert23Feb2005

Attack Vectors

Editing wiki pages and HTTP GET requests towards the Wiki server (typically port 80/TCP). Typically, prior authentication is necessary (including anonymous TWikiGuest accounts).

Impact

An attacker is able to execute arbitrary shell commands with the privileges of the web server process, such as user nobody.

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-3056 to this vulnerability.

Details

The TWiki INCLUDE function enables a malicious user to compose a command line executed by the Perl backtick (``) operator.

The rev parameter of the INCLUDE variable is not checked properly for shell metacharacters and is thus vulnerable to revision numbers containing pipes and shell commands. The exploit is possible on included topics with two or more revisions.

Example INCLUDE variable exploiting the rev parameter:
%INCLUDE{ "Main.TWikiUsers" rev="2|less /etc/passwd" }%

The same vulnerability is exposed to all Plugins and add-ons that use TWiki::Func::readTopicText function to read a previous topic revision. This has been tested on TWiki:Plugins.RevCommentPlugin and TWiki:Plugins.CompareRevisionsAddon.

If access to TWiki is not restricted by other means, attackers can use the revision function with or without prior authentication, depending on the configuration.

See Also: IncludePreviousTopicRevision, SecurityAlertExecuteCommandsWithRev, SecurityAlertExecuteCommandsWithSearch, UncoordinatedSecurityAlert23Feb2005

Countermeasures

• Apply hotfix (see patches below)
  • NOTE: The hotfix is known to prevent the current attacks, but it might not be a complete fix
• Upgrade to the latest patched production TWikiRelease04Sep2004
  • NOTE: If you are running an unmodified TWikiRelease01Sep2004, TWikiRelease02Sep2004 or TWikiRelease03Sep2004, simply copy the following patched files from TWikiRelease04Sep2004 to your installation: lib/TWiki.pm, lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm, lib/TWiki/UI/View.pm, lib/TWiki/UI/Viewfile.pm
• Apply patch of UncoordinatedSecurityAlert23Feb2005 (but see known issues of that patch)
• Filter access to the web server
• Use the web server software to restrict access to the web pages served by TWiki

Authors and Credits

• Credit to TWiki:Main.JChristophFuchs (jcf@ippPLEASENOSPAM.mpg.de) and TWiki:Main.JoseLuna (luna@aditelPLEASENOSPAM.org) for disclosing the issue to the twiki-security@listsPLEASENOSPAM.sourceforge.net mailing list
• TWiki:Main.JoseLuna for contributing a more robust patch to recent SecurityAlertExecuteCommandsWithRev issue (included in this patch)
• TWiki:Main.PeterThoeny, TWiki:Main.JoseLuna, TWiki:Main.CrawfordCurrie for contributing to the advisory and the patch

Hotfix

Patch for TWiki Production Release 03-Sep-2004

Affected files: twiki/lib/TWiki.pm, twiki/lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm, lib/TWiki/UI/View.pm, lib/TWiki/UI/Viewfile.pm

See attached patch file TWiki200409-03-04patch.txt

Patch for TWiki Production Release 02-Sep-2004

Affected files: twiki/lib/TWiki.pm, twiki/lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm, lib/TWiki/UI/View.pm, lib/TWiki/UI/Viewfile.pm

See attached patch file TWiki200409-02-04patch.txt

Patch for TWiki Production Release 01-Feb-2003

Note: This assumes that the release is already patched with SecurityAlertExecuteCommandsWithRev fix.

Affected files: twiki/lib/TWiki/Store.pm, twiki/bin/rdiff, twiki/bin/view, twiki/bin/viewfile

See attached patch file TWiki200302-01-04patch.txt

-- PeterThoeny - 27 Sep 2005

Action Plan with Timeline

External Links

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3056
• http://secunia.com/advisories/16980/
• http://www.securityfocus.com/bid/14960

-- PeterThoeny - 28 Sep 2005

Discussions

I've just tried to apply patch file TWiki200409-03-04patch.txt (to an installation patched yesterday from 02 using the file attached to SecurityAlertExecuteCommandsWithRev) but I got one failure:

Patching file ./lib/TWiki/Store.pm using Plan A...
Hunk #1 failed at 451.
Hunk #2 succeeded at 470 with fuzz 2.
Hunk #3 succeeded at 578.
1 out of 3 hunks failed--saving rejects to ./lib/TWiki/Store.pm.rej

I'm not sure why it failed, since there doesn't seem to be a mismatch between the patch file and the code to be patched. (I'm running patch version 2.1, in case that's relevant.)

-- JamesAnderson - 28 Sep 2005

Same thing happened to me. This patch seems to be uncompatible with previous ones (03 Sep 2004). I suggest you to download the new TWiki release (04 Sep 2004) and replace the following files in your existing TWiki installation (unless you've manually hacked those files, of course).

• ./TWikiDocumentation.html
• ./license.txt
• ./readme.txt
• ./lib/TWiki.pm
• ./lib/TWiki/Store.pm
• ./lib/TWiki/UI/RDiff.pm
• ./lib/TWiki/UI/View.pm
• ./lib/TWiki/UI/Viewfile.pm

-- PabloHoffman - 28 Sep 2005

I got a similar report of patch failure. Possibly a whitespace issue? The standard procedure that should work is to go to the twiki root directory and to run command: patch -p0 < patchfile

-- PeterThoeny - 28 Sep 2005

Grr, 4th patch for Cairo, although Dakar is already ready for take-off. I suggest downloading Dakar directly from SVN for new users.

-- FranzJosefSilli - 28 Sep 2005

No, at this time I do not recommend Dakar for production use. Better to fix Sep 2004 installations with this patch or Florian's UncoordinatedSecurityAlert23Feb2005 patch.

-- PeterThoeny - 28 Sep 2005

Patching did not work for me either. This is the .rej File:

***************
*** 451,457 ****
      my( $theWeb, $theTopic, $theRev ) = @_;
      my $topicHandler = _getTopicHandler( $theWeb, $theTopic );

-     $theRev =~ s/^1\.//o;
      return $topicHandler->getRevision( $theRev );
  }

--- 451,459 ----
      my( $theWeb, $theTopic, $theRev ) = @_;
      my $topicHandler = _getTopicHandler( $theWeb, $theTopic );

+     $theRev =~ s/^r?1\.//o;
+     # Fix for Codev.SecurityAlertExecuteCommandsWithInclude
+     $theRev = "" unless( $theRev =~ s/^.*?([0-9]+).*$/$1/so );
      return $topicHandler->getRevision( $theRev );
  }

-- DanielSchneller - 29 Sep 2005

Before running patch -p0 < patchfile I usually test with a dry run first: patch -p0 --verbose --dry-run < patchfile. This way you see, if the patch runs smoothly.

And TWiki200409-03-04patch.txt doesn't.

Solutions: You can workaround by ignoring whitespace using patch with option -l or correct the failing hunk by editing the patch file TWiki200409-03-04patch.txt: at line 65, add five spaces.

@@ -451,7 +451,9 @@
     my( $theWeb, $theTopic, $theRev ) = @_;
     my $topicHandler = _getTopicHandler( $theWeb, $theTopic );
                                                                    <---- add five spaces here!
-    $theRev =~ s/^1\.//o;

-- DanielKabs - 30 Sep 2005