Twiki Perl Code Execution

This is an advisory for TWiki administrators: The debugenableplugins request parameter allows arbitrary Perl code execution.

TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people.

   * Vulnerable Software Version
   * Attack Vectors
   * Impact
   * Severity Level
   * MITRE Name for this Vulnerability
   * Details
   * Countermeasures
   * Hotfix for TWiki Production Release 6.0.0
   * Hotfix for Older Affected TWiki Releases
   * Verify Hotfix
   * Authors and Credits
   * Action Plan with Timeline
   * External Links
   * Feedback

---++ Vulnerable Software Version

   * TWiki-6.0.0 (TWikiRelease06x00x00)
   * TWiki-5.1.x (TWikiRelease05x01x00 to TWikiRelease05x01x04)
   * TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02)
   * TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02)
   * TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04)
   * TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02)
   * TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05)

---++ Attack Vectors

Send an HTTP GET request to a TWiki server's =view= script (typically port 80/TCP) with a specially crafted =debugenableplugins= request parameter. Prior authentication may or may not be required, depending on whether the targeted topic can be viewed without logging in.

---++ Impact

A remote attacker can execute arbitrary Perl code with the privileges of the web server user, and therefore read or modify any file that user has access to.

---++ Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess [1] and assigned the following severity level:

   * Severity 1 issue: The web server can be compromised 

---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7236 [7] to this vulnerability. 

---++ Details

It is possible to execute arbitrary Perl code by adding a =debugenableplugins= parameter with a specially crafted value. Example:

http://www.example.com/do/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit

The TWiki site is vulnerable if you see a page with text "Vulnerable!".

__Background:__

TWiki allows enabling specific plugins for debug purposes via a =debugenableplugins= parameter that lists the plugins to enable. To support this dynamic loading, TWiki interpolates each listed plugin name, without sanitizing it, into the following Perl string =eval=; anything after a =;= in the name is therefore compiled and executed as additional Perl statements:
<verbatim>
my $p = $this->{module};
eval "use $p;";
</verbatim>
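The following Perl script is an added example, not code from TWiki or from the advisory; the function names are mine. It shows what the string =eval= above compiles when handed the advisory's payload, proves with a harmless payload that injected statements really run, and applies the same =split=/strip/=grep= sanitizer the hotfix below introduces, so it also illustrates why the "Verify Hotfix" check stops reporting "Vulnerable!" once the patch is in place. The plugin names in the legitimate list are only illustrative.

```perl
#!/usr/bin/perl
# Added example, not TWiki's code: why `eval "use $p;"` on an unsanitized
# debugenableplugins value executes attacker code, and how an Item7558-style
# allowlist defuses the advisory's payload.
use strict;
use warnings;

# The advisory's payload, URL-decoded (constructed input). The \r\n are the
# literal backslash sequences from the URL, not line breaks, so the value
# contains no whitespace or commas and split() leaves it as one entry.
my $payload = 'BackupRestorePlugin;print("Content-Type:text/html\r\n\r\nVulnerable!");exit';

# Vulnerable pattern: the name is interpolated into a string that Perl then
# compiles. Returned as a string here rather than eval'd, so this script
# does not exit on the advisory's payload.
sub vulnerable_use_statement {
    my ($p) = @_;
    return "use $p;";
}

# Hotfix pattern (same regexes as the Item7558 patch): split the list,
# strip everything but ASCII alphanumerics, keep only names ending in
# "Plugin". split() returns copies, so modifying $_ in map is safe.
sub sanitize_plugin_list {
    my ($raw) = @_;
    return grep { /Plugin$/ }
           map  { s/[^a-zA-Z0-9]//g; $_ }
           split( /[,\s]+/, $raw );
}

# 1. What the vulnerable code would hand to eval: a module name followed
#    by two more statements, not a module name.
print "Vulnerable code would compile: ",
      vulnerable_use_statement($payload), "\n";

# 2. The same value through the sanitizer. Stripping the punctuation fuses
#    the whole payload into one token that no longer ends in "Plugin",
#    so the grep drops it and no plugin is enabled.
my @clean = sanitize_plugin_list($payload);
print "After sanitizer: ",
      (@clean ? join(',', @clean) : '(nothing enabled)'), "\n";

# 3. Proof that string eval runs injected statements, using a benign
#    payload instead of print/exit: the eval'd string becomes
#    "use strict; $marker = 1;" and the enclosing lexical is modified.
my $marker = 0;
my $benign = 'strict; $marker = 1';
eval( vulnerable_use_statement($benign) );
print "Injected statement ran: ", ($marker ? 'yes' : 'no'), "\n";

# 4. A legitimate debug list still passes the sanitizer unchanged
#    (plugin names here are illustrative).
print "Legitimate list: ",
      join(',', sanitize_plugin_list('EmptyPlugin, SpreadSheetPlugin')), "\n";
```

The sanitizer is an allowlist, not a blocklist: it does not try to recognise Perl syntax, it only lets through tokens that could be a bare plugin name, which is why punctuation-based payloads collapse to nothing. Note that it still lets a client enable any installed plugin whose name ends in =Plugin=; that is the feature's intended behaviour, and the patch only removes the code-execution path.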

---++ Countermeasures

   * Apply hotfix (see patch below).
   * Upgrade to the latest patched production release TWiki-6.0.1 (TWikiRelease06x00x01) [2]

---++ Hotfix for TWiki Production Release 6.0.0

Apply the patch listed in the TWiki bug item at TWikibug:Item7558 [8]. The patch is also reproduced below, but because e-mail transit may have altered its whitespace, applying the copy below directly is not recommended.

NOTE: In case you use a Perl accelerator make sure to clear the script cache. For example, in case of SpeedyCGI remove the speedy cache (tmp/speedy.*) before restarting Apache.

Affected file: twiki/lib/TWiki/Plugins.pm

Patch to sanitize the 'debugenableplugins' parameter:

=======( 8>< CUT )===============================================
--- TWiki/Plugins.pm.save1   2014-01-09 02:10:56.000000000 -0500
+++ TWiki/Plugins.pm   2014-10-01 20:30:36.000000000 -0400
@@ -186,8 +186,11 @@
 
     unless( $allDisabled ) {
         if ( $query && defined( $query->param( 'debugenableplugins' ))) {
-            @pluginList = split( /[,\s]+/,
-                                 $query->param( 'debugenableplugins' ));
+            @pluginList =
+              grep { /Plugin$/ }
+              map { s/[^a-zA-Z0-9]//go; $_ } # Item7558: Sanitize parameter
+              split( /[,\s]+/, $query->param( 'debugenableplugins' ));
+
         } else {
             if( $TWiki::cfg{PluginsOrder} ) {
                 foreach my $plugin( split( /[,\s]+/,
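Review bot: the `map { s/[^a-zA-Z0-9]//go; $_ }` line rewrites a malformed entry into a different name instead of rejecting it, so `Foo::BarPlugin` silently becomes `FooBarPlugin` and `Backup;Restore;Plugin` becomes `BackupRestorePlugin`, enabling a plugin the caller never literally named. Validating with one anchored allowlist applied straight to the `split` output, `grep { /^[A-Za-z0-9]+Plugin$/ }`, drops bad entries unchanged and is easier to audit; it is also worth a comment that the remaining behaviour (any installed `*Plugin` can be enabled) is intended. Two nits in the same hunk: the `/o` modifier does nothing on a constant pattern, and the extra `+` line before `} else {` adds a stray blank line.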
=======( 8>< CUT )===============================================

---++ Hotfix for Older Affected TWiki Releases

Apply the patch above; the hunk's line numbers may differ in older releases, but the affected code in twiki/lib/TWiki/Plugins.pm is the same.

---++ Verify Hotfix

To verify the patch, append the following parameter to the URL of any TWiki topic:

?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit

The site is still vulnerable if a page is returned with the text "Vulnerable!". With the hotfix applied, the sanitizer discards the crafted value (after stripping, it no longer ends in "Plugin") and the topic renders normally.

---++ Authors and Credits

   * Credit to Netanel Rubin (netanelr[at]checkpoint.com) for disclosing the issue to the twiki-security@lists.sourceforge.net mailing list
   * PeterThoeny for creating the fix, patch and advisory
   * HideyoImazu for creating the TWiki-6.0.1 production release [2]

---++ Action Plan with Timeline

   * 2014-10-01 - Netanel Rubin of Check Point Software discloses issue to TWikiSecurityMailingList [4]
   * 2014-10-01 - developer verifies issue - PeterThoeny
   * 2014-10-01 - developer fixes code - PeterThoeny
   * 2014-10-05 - developer creates new TWiki-6.0.1 patch release [2] with fix - HideyoImazu
   * 2014-10-06 - security team creates advisory with hotfix - PeterThoeny
   * 2014-10-07 - send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6] - PeterThoeny
   * 2014-10-09 - publish advisory in Codev web and update all related topics - PeterThoeny
   * 2014-10-09 - issue a public security advisory to fulldisclosure[at]seclists.org, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - PeterThoeny

---++ External Links

[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease06x00x01
[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 (will be created on 2014-10-09)
[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList
[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7236 - CVE on MITRE.org
[8]: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7558

---++ Feedback

Please provide feedback at the security alert topic, http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 once it exists (this topic will be created on Mon, 2014-10-09).

Please send an e-mail to twiki-security@lists.sourceforge.net if you have any questions before Monday.

-- Peter Thoeny - 2014-10-09


--
> Peter Thoeny     - Peter09[at]Thoeny.org
> http://bit.ly/MrTWiki - consulting on enterprise collaboration
> http://TWiki.org - is your team already TWiki enabled?
> Knowledge cannot be managed, it can be discovered and shared
> This e-mail is:   (_) private    (_) ask first    (x) public