VULNERABLE SOFTWARE VERSIONS
TWiki http://twiki.org/
- TWiki 20030201 (e.g. Debian Sarge)
- probably later versions
- Subversion repository at
<http://ntwiki.ethermage.net:8181/svn/twiki/trunk>
at least until revision 3224 (including)
ATTACK VECTORS
HTTP GET requests towards the Wiki server (typically port 80/TCP).
Usually, no prior authentication is necessary.
Possibly also HTTP POST, but this is untested.
IMPACT
An attacker is able to execute arbitrary shell commands with the
privileges of the TWiki process.
DETAILS
The TWiki search function uses a user supplied search string to
compose a command line executed by the Perl backtick (``) operator.
The search string is not checked properly for shell metacharacters
and is thus vulnerable to search string containing quotes and shell
commands.
An example search string would be:
doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep
-i -l -- 'doesnotexist2
If access to the Wiki is not restricted by other means, attackers can
use the search function without prior authentication.
As indicated in the source code, the software authors were aware that
the way they worked around Perl's taint check is insecure. Users of
TWiki should reconsider if the software can meet their security
requirements, given such gross negligence.
COUNTERMEASURES
- Hotfix (see patch at end of advisory)
The hotfix is known to prevent the current attacks, but it might
not be a complete fix.
- Filter access to the web server.
- Use the web server software to restrict access to the web pages
served by TWiki.
- Rewrite the TWiki code to correctly check user supplied strings.
- Rewrite the TWiki code to use Perl code to open and scan the files
instead of running commands in the shell.
AUTHORS AND CREDITS
Markus Goetz, Joerg Hoh, Michael Holzt, Florian Laws,
Hans Ulrich Niedermann, Andreas Thienemann, Peter Thoeny,
Florian Weimer contributed to this advisory.
HOTFIX
--- twiki/lib/TWiki/Search.pm.orig 2004-11-12 20:16:56.000000000 +0100
+++ twiki/lib/TWiki/Search.pm 2004-11-12 20:36:21.000000000 +0100
@@ -135,6 +135,11 @@
my $tempVal = "";
my $tmpl = "";
my $topicCount = 0; # JohnTalintyre
+
+ # Hotfix for search string shell code insertion vulnerability
+ $theSearchVal =~ s/[^A-Za-z0-9+\-_]//g; # only accept known-good chars
+ $theSearchVal = substr($theSearchVal, 0, 100); # limit string to
reasonable length
+
my $originalSearch = $theSearchVal;
my $renameTopic;
my $renameWeb = "";
VULNERABILITY TIMELINE
early October 2004 earliest confirmed attack
2004-11-12 forensics revealed exploit
vendor contact
vendor responded, with less conservative hotfix
2004-11-13 uncoordinated emergency disclosure
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
