Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 71035 - www-apps/twiki arbitary command execution
Summary: www-apps/twiki arbitary command execution
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Highest major (vote)
Assignee: Gentoo Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2004-11-12 22:25 UTC by Kevin Stadmeyer
Modified: 2004-11-24 01:22 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kevin Stadmeyer 2004-11-12 22:25:01 UTC
Note It doesnt appear (from looking at other unresolved, non security bugs) that twiki actually works out of the box on gentoo and is currently masked for x86 but is available for ppc. In any case should probably be bumped to the latest version. 20040901 (CairoRelease)

################################################
Full Disclosure Vulnernability
################################################
VULNERABLE SOFTWARE VERSIONS

TWiki http://twiki.org/

- TWiki 20030201 (e.g. Debian Sarge)
- probably later versions

- Subversion repository at
  <http://ntwiki.ethermage.net:8181/svn/twiki/trunk>
  at least until revision 3224 (including)


ATTACK VECTORS

HTTP GET requests towards the Wiki server (typically port 80/TCP).
Usually, no prior authentication is necessary.

Possibly also HTTP POST, but this is untested.


IMPACT

An attacker is able to execute arbitrary shell commands with the
privileges of the TWiki process.


DETAILS

The TWiki search function uses a user supplied search string to
compose a command line executed by the Perl backtick (``) operator.

The search string is not checked properly for shell metacharacters
and is thus vulnerable to search string containing quotes and shell
commands.

An example search string would be:

doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2

If access to the Wiki is not restricted by other means, attackers can
use the search function without prior authentication.

As indicated in the source code, the software authors were aware that
the way they worked around Perl's taint check is insecure. Users of
TWiki should reconsider if the software can meet their security
requirements, given such gross negligence.


COUNTERMEASURES

  - Hotfix (see patch at end of advisory)
    The hotfix is known to prevent the current attacks, but it might
    not be a complete fix.
  - Filter access to the web server.
  - Use the web server software to restrict access to the web pages
    served by TWiki.
  - Rewrite the TWiki code to correctly check user supplied strings.
  - Rewrite the TWiki code to use Perl code to open and scan the files
    instead of running commands in the shell.


AUTHORS AND CREDITS

  Markus Goetz, Joerg Hoh, Michael Holzt, Florian Laws,
  Hans Ulrich Niedermann, Andreas Thienemann, Peter Thoeny,
  Florian Weimer contributed to this advisory.


HOTFIX

--- twiki/lib/TWiki/Search.pm.orig	2004-11-12 20:16:56.000000000 +0100
+++ twiki/lib/TWiki/Search.pm	2004-11-12 20:36:21.000000000 +0100
@@ -135,6 +135,11 @@
     my $tempVal = "";
     my $tmpl = "";
     my $topicCount = 0; # JohnTalintyre
+    
+    # Hotfix for search string shell code insertion vulnerability
+    $theSearchVal =~ s/[^A-Za-z0-9+\-_]//g; # only accept known-good chars
+    $theSearchVal = substr($theSearchVal, 0, 100); # limit string to reasonable length
+    
     my $originalSearch = $theSearchVal;
     my $renameTopic;
     my $renameWeb = "";


VULNERABILITY TIMELINE

  early October 2004   earliest confirmed attack

  2004-11-12           forensics revealed exploit
                       vendor contact
                       vendor responded, with less conservative hotfix

  2004-11-13           uncoordinated emergency disclosure

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-12 23:13:28 UTC
web-apps please review and advise.
Comment 2 Dan Margolis (RETIRED) gentoo-dev 2004-11-14 09:50:33 UTC
Added web-apps CC. Please review and fix.  
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-11-15 07:23:50 UTC
Explanation and patches @
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-11-21 14:04:55 UTC
tigger^: urgent fix needed on this one too
Comment 5 rob holland (RETIRED) gentoo-dev 2004-11-21 15:08:49 UTC
version bumped. the only testing I've done for this was to test that it installed the files correctly, I don't have knowledge of the app to test it properly.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-22 00:44:05 UTC
ppc please test and mark stable.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-11-22 00:48:59 UTC
tigger^: thx for the bump... but the fix version in 20040902, not 20040901, and I don't see any patches applied to 20040901 in the ebuild, so I guess this is still vulnerable.

tigger or web-apps : we still need to bump to 20040902. There is an exploit out there, so this is prio 1.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-11-22 00:50:18 UTC
Ebuild not ready yet, unplugging ppc
Comment 9 rob holland (RETIRED) gentoo-dev 2004-11-22 01:44:36 UTC
bumped again. in my defense I just did what it said in the first comment ;P
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-22 01:51:03 UTC
thx rob.

ppc please test twiki-20040902 and mark stable.
Comment 11 Joe Jezak (RETIRED) gentoo-dev 2004-11-24 00:21:27 UTC
Tested and marked stable on ppc.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-24 01:22:19 UTC
GLSA 200411-33