exploit the possibilities

TWiki 5.1.2 Command Execution

TWiki 5.1.2 Command Execution
Posted Dec 15, 2012
Authored by George Clark

TWiki versions 4.x and 5.1.0 through 5.1.2 suffers from a remote command execution vulnerability due to an underlying security issue in the Locale::Maketext CPAN module.

tags | exploit, remote
advisories | CVE-2012-6329
MD5 | 41ae99948927228a4790959c26fb1e74

TWiki 5.1.2 Command Execution

Change Mirror Download
This security advisory alerts you of a potential security issue with  
TWiki installations:
The %MAKETEXT{}% TWiki variable allows arbitrary shell command
execution. The problem is caused by an underlying security issue in
the Locale::Maketext CPAN module.

* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Hotfix for TWiki Production Releases 5.1.x
* Hotfix for older affected TWiki Releases
* Authors and Credits
* Action Plan with Timeline
* External Links
* Feedback

---++ Vulnerable Software Version

* TWiki-5.1.0 to TWiki-5.1.2 (TWikiRelease05x01x00 to
TWikiRelease05x01x02)
* TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02)
* TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02)
* TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04)
* TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02)
* TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05)

---++ Attack Vectors

Editing wiki pages and HTTP POST requests towards a TWiki server with
enabled localization (typically port 80/TCP). Typically, prior
authentication is necessary.

---++ Impact

An unauthenticated remote attacker can execute arbitrary shell
commands as the webserver user, such as user nobody.

---++ Severity Level

The TWiki SecurityTeam triaged this issue as documented in
TWikiSecurityAlertProcess [1] and assigned the following severity level:

* Severity 1 issue: The web server can be compromised

---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name
CVE-2012-6329 [7] to this vulnerability.

---++ Details

1. Shell Command execution: The %MAKETEXT{}% TWiki variable is used to
localize user interface content to a language of choice. Using a
specially crafted MAKETEXT, a malicious user can execute shell
commands by Perl backtick (``) operators. User input is passed to the
Perl "eval" command without first being sanitized. The problem is
caused by an underlying security issue in the Locale::Maketext CPAN
module. This works only in TWiki sites that have user interface
localization enabled.

In addition, there are two less severe issues with MAKETEXT:

2. Excessive memory allocation: %MAKETEXT{"This is [_9999999999999999]
Evil"}% will consume all memory and swap space attempting to
initialize all missing entries in the parameters array.

3. Crash: %MAKETEXT{"This is [_0] problematic"}% can cause a crash
under some circumstances.

---++ Countermeasures

* One of:
* Disable localization by setting configure flag
{UserInterfaceInternationalisation} to 0.
* Apply hotfix (see patch below).
* Upgrade to the latest patched production release TWiki-5.1.3
(TWikiRelease05x01x03) [2] when available.

* In addition:
* Install CPAN's Locale::Maketext version 1.23 or newer.
* Use the {SafeEnvPath} configure setting to restrict the possible
directories that are searched for executables. By default, this is
the PATH used by the webserver user. Set {SafeEnvPath} to a list of
non-writable directories, such as "/bin:/usr/bin".

---++ Hotfix for TWiki Production Release 5.1.x

Affected file: twiki/lib/TWiki.pm

Patch to sanitize MAKETEXT parameters:

=======( CUT 8><--- )===============================================
--- TWiki.pm (revision 24029)
+++ TWiki.pm (working copy)
@@ -4329,8 +4329,23 @@

# unescape parameters and calculate highest parameter number:
my $max = 0;
- $str =~ s/~\[(\_(\d+))~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
- $str =~ s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 >
$max); "[$1]"/ge;
+ my $min = 1;
+ $str =~ s/~\[(\_(\d+))~\]/
+ $max = $2 if ($2 > $max);
+ $min = $2 if ($2 < $min);
+ "[$1]"/ge;
+ $str =~ s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/
+ $max = $2 if ($2 > $max);
+ $min = $2 if ($2 < $min);
+ "[$1]"/ge;
+
+ # Item7080: Sanitize MAKETEXT variable:
+ return "MAKETEXT error: No more than 32 parameters are allowed"
if( $max > 32 );
+ return "MAKETEXT error: Parameter 0 is not allowed" if( $min < 1 );
+ if( $TWiki::cfg{UserInterfaceInternationalisation} ) {
+ eval { require Locale::Maketext; };
+ $str =~ s#\\#\\\\#g if( $@ || !$@ &&
$Locale::Maketext::VERSION < 1.23 );
+ }

# get the args to be interpolated.
my $argsStr = $params->{args} || "";
=======( CUT 8><--- )===============================================

This patch is also available separately [3] in case this gets mangled
by the e-mail.

On a properly patched system, %MAKETEXT{" [_99] "}% should return this
error: "MAKETEXT error: No more than 32 parameters are allowed"

---++ Hotfix for older affected TWiki Releases

Apply above patch (line numbers may vary).

---++ Authors and Credits

* Credit to TWiki:Main.GeorgeClark for disclosing the issue to the twiki-security@lists.sourceforge.net
mailing list, and for providing a proposed fix.
* TWiki:Main.PeterThoeny for creating the fix, patch and advisory.

---++ Action Plan with Timeline

* 2012-12-10: User discloses issue to TWikiSecurityMailingList [4],
George Clark, Foswiki
* 2012-12-10: Developer verifies issue, Peter Thoeny
* 2012-12-10: Developer fixes code, Peter Thoeny
* 2012-12-10: Security team creates advisory with hotfix, Peter Thoeny
* 2012-12-11: Developer verifies patch, Hideyo Imazu
* 2012-12-12: Send alert to TWikiAnnounceMailingList [5] and
TWikiDevMailingList [6], Peter Thoeny
* 2012-12-14: Publish advisory in Codev web and update all related
topics, Peter Thoeny
* 2012-12-14: Issue a public security advisory to full-
disclosure[at]lists.grok.org.uk, cert[at]cert.org,
vuln[at]secunia.com, bugs[at]securitytracker.com, Peter Thoeny

---++ External Links

[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease05x01x03
[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329
[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList
[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329 - CVE
on MITRE.org

---++ Feedback

Please provide feedback at the security alert topic,
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329

-- Main.PeterThoeny - 2012-12-14

--
* Peter Thoeny - peter09[at]thoeny.org
* http://TWiki.org - is your team already TWiki enabled?
* Knowledge cannot be managed, it can be discovered and shared
* This e-mail is: (_) private (x) ask first (_) public


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close