exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Twiki Perl Code Execution

Twiki Perl Code Execution
Posted Oct 10, 2014
Authored by Peter Thoeny

The debugenableplugins request parameter in Twiki versions 4.x, 5.x, and 6.0.0 allows arbitrary Perl code execution.

tags | exploit, arbitrary, perl, code execution
advisories | CVE-2014-7236
SHA-256 | 7e6bafc3f4e27a15de8ac1ae847247abec86cca045f3b86848aeae7d24f79d02

Twiki Perl Code Execution

Change Mirror Download
This is an advisory for TWiki administrators: The debugenableplugins request parameter allows arbitrary Perl code execution.

TWiki ( https://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people.

* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Hotfix for TWiki Production Release 6.0.0
* Hotfix for Older Affected TWiki Releases
* Verify Hotfix
* Authors and Credits
* Action Plan with Timeline
* External Links
* Feedback

---++ Vulnerable Software Version

* TWiki-6.0.0 (TWikiRelease06x00x00)
* TWiki-5.1.x (TWikiRelease05x01x00 to TWikiRelease05x01x04)
* TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02)
* TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02)
* TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04)
* TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02)
* TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05)

---++ Attack Vectors

Using an HTTP GET request towards a TWiki server, add a specially crafted 'debugenableplugins' request parameter to TWiki's view script (typically port 80/TCP). Prior authentication may or may not be necessary.

---++ Impact

A remote attacker can execute arbitrary Perl code to view and modify any file the webserver user has access to.

---++ Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess [1] and assigned the following severity level:

* Severity 1 issue: The web server can be compromised

---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7236 [7] to this vulnerability.

---++ Details

It is possible to execute arbitrary Perl code by adding a =debugenableplugins= parameter with a specially crafted value. Example:

https://www.example.com/do/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit

The TWiki site is vulnerable if you see a page with text "Vulnerable!".

__Background:__

TWiki allows enabling specific plugins for debug purposes using a 'debugenableplugins' parameter that lists the plugins to enable. In order to support this dynamic loading of plugins, TWiki inserts the plugin name into the following Perl =eval= statement without sanitizing the plugin name:
<verbatim>
my $p = $this->{module};
eval "use $p;";
</verbatim>

---++ Countermeasures

* Apply hotfix (see patch below).
* Upgrade to the latest patched production release TWiki-6.0.1 (TWikiRelease06x00x01) [2]

---++ Hotfix for TWiki Production Release 6.0.0

Apply the patch listed in the TWiki bug item at TWikibug:Item7558 [8]. The patch is also listed here, but due to whitespace changes in e-mail it is not recommended to use below patch.

NOTE: In case you use a Perl accelerator make sure to clear the script cache. For example, in case of SpeedyCGI remove the speedy cache (tmp/speedy.*) before restarting Apache.

Affected file: twiki/lib/TWiki/Plugins.pm

Patch to sanitize the 'debugenableplugins' parameter:

=======( 8>< CUT )===============================================
--- TWiki/Plugins.pm.save1 2014-01-09 02:10:56.000000000 -0500
+++ TWiki/Plugins.pm 2014-10-01 20:30:36.000000000 -0400
@@ -186,8 +186,11 @@

unless( $allDisabled ) {
if ( $query && defined( $query->param( 'debugenableplugins' ))) {
- @pluginList = split( /[,\s]+/,
- $query->param( 'debugenableplugins' ));
+ @pluginList =
+ grep { /Plugin$/ }
+ map { s/[^a-zA-Z0-9]//go; $_ } # Item7558: Sanitize parameter
+ split( /[,\s]+/, $query->param( 'debugenableplugins' ));
+
} else {
if( $TWiki::cfg{PluginsOrder} ) {
foreach my $plugin( split( /[,\s]+/,
=======( 8>< CUT )===============================================

---++ Hotfix for Older Affected TWiki Releases

Apply above patch (line numbers may vary).

---++ Verify Hotfix

To verify the patch add the following parameter to any TWiki topic:

?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit

The site is vulnerable if a page is returned with text "Vulnerable!"

---++ Authors and Credits

* Credit to Netanel Rubin (netanelr[at]checkpoint.com) for disclosing the issue to the twiki-security@lists.sourceforge.netmailing list
* PeterThoeny for creating the fix, patch and advisory
* HideyoImazu for creating the TWiki-6.0.1 production release [2]

---++ Action Plan with Timeline

* 2014-10-01 - Netanel Rubin of Check Point Software discloses issue to TWikiSecurityMailingList [4]
* 2014-10-01 - developer verifies issue - PeterThoeny
* 2014-10-01 - developer fixes code - PeterThoeny
* 2014-10-05 - developer creates new TWiki-6.0.1 patch release [2] with fix - HideyoImazu
* 2014-10-06 - security team creates advisory with hotfix - PeterThoeny
* 2014-10-07 - send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6] - PeterThoeny
* 2014-10-09 - publish advisory in Codev web and update all related topics - PeterThoeny
* 2014-10-09 - issue a public security advisory to fulldisclosure[at]seclists.org, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - PeterThoeny

---++ External Links

[1]: https://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[2]: https://twiki.org/cgi-bin/view/Codev/TWikiRelease06x00x01
[3]: https://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 (will be created on 2014-10-09)
[4]: https://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList
[5]: https://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
[6]: https://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList
[7]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7236 - CVE on MITRE.org
[8]: https://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7558

---++ Feedback

Please provide feedback at the security alert topic, https://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 once it exists (this topic will be created on Mon, 2014-10-09).

Please send an e-mail to twiki-security@lists.sourceforge.net if you have any questions before Monday.

-- Peter Thoeny - 2014-10-09


--
> Peter Thoeny - Peter09[at]Thoeny.org
> https://bit.ly/MrTWiki - consulting on enterprise collaboration
> https://TWiki.org - is your team already TWiki enabled?
> Knowledge cannot be managed, it can be discovered and shared
> This e-mail is: (_) private (_) ask first (x) public
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close