[UNIX] TWiki Search Function Arbitrary Command Execution

From: SecuriTeam (support_at_securiteam.com)
Date: 11/15/04

  • Next message: SecuriTeam: "[NT] 04WebServer Multiple Vulnerabilities (CSS, Log File Injection, AUX DoS)" 
    To: list@securiteam.com
Date: 15 Nov 2004 19:19:52 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      TWiki Search Function Arbitrary Command Execution
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.twiki.org/> TWiki is "a web based collaboration platform".
    Due to insufficient parsing in the TWiki's search engine a remote
    attackers can cause the program to execute arbitrary code.

    DETAILS

    The TWiki search function uses a user supplied search string to compose a
    command line executed by the Perl backtick (``) operator.

    The search string is not checked properly for shell metacharacters and is
    thus vulnerable to search string containing quotes and shell commands.

    An example search string would be:
    doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/';
    fgrep -i -l -- 'doesnotexist2

    If access to the Wiki is not restricted by other means, attackers can use
    the search function without prior authentication.

    As indicated in the source code, the software authors were aware that the
    way they worked around Perl's taint check is insecure. Users of TWiki
    should reconsider if the software can meet their security requirements,
    given such gross negligence.

    Impact:
    An attacker is able to execute arbitrary shell commands with the
    privileges of the TWiki process.

    Unofficial patch:
    --- twiki/lib/TWiki/Search.pm.orig 2004-11-12 20:16:56.000000000 +0100
    +++ twiki/lib/TWiki/Search.pm 2004-11-12 20:36:21.000000000 +0100
    @@ -135,6 +135,11 @@
         my $tempVal = "";
         my $tmpl = "";
         my $topicCount = 0; # JohnTalintyre
    +
    + # Hotfix for search string shell code insertion vulnerability
    + $theSearchVal =~ s/[^A-Za-z0-9+\-_]//g; # only accept known-good chars
    + $theSearchVal = substr($theSearchVal, 0, 100); # limit string to
    reasonable length
    +
         my $originalSearch = $theSearchVal;
         my $renameTopic;
         my $renameWeb = "";

    Disclosure timeline:
    early October 2004 earliest confirmed attack
    2004-11-12 forensics revealed exploit, vendor contact, vendor responded,
    with less conservative hotfix
    2004-11-13 uncoordinated emergency disclosure

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:hun@bawue.de> Hans Ulrich
    Niedermann.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] 04WebServer Multiple Vulnerabilities (CSS, Log File Injection, AUX DoS)"

    Relevant Pages