            __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
            __________________________________________________________

                             INFORMATION BULLETIN

          TWiki "Search.pm" Shell Command Injection Vulnerability
                          [TWiki Security Alert]

November 16, 2004 21:00 GMT                                       Number P-039
______________________________________________________________________________

PROBLEM:       An easily exploitable vulnerability has been found in TWiki.
               TWiki is a web-based collaboration platform.

PLATFORM:      TWiki Releases of 01Sep2004, 01Feb2003, 01Dec2001, 01Dec2000

DAMAGE:        A user supplied search string containing the (' ') operator
               is not properly checked and allows an attacker to execute
               arbitrary code.

SOLUTION:      Install the security hotfix and follow the instructed
               countermeasures.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. A remote attacker may execute shell
ASSESSMENT:    commands with the privileges of the web server process.
               CIAC has been advised that an exploit is available in the
               wild and is actively being used.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-039.shtml
 ORIGINAL BULLETIN:  http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
______________________________________________________________________________

[***** Start TWiki Security Alert *****]

Security Alert: TWiki search function allows arbitrary shell command execution

   * Vulnerable Software Version
   * Attack Vectors
   * Impact
   * Details
   * Countermeasures
   * Authors and Credits
   * Hotfix
      o Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Sep-2004
      o Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Feb-2003
      o Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Dec-2001
      o Patch for twiki/bin/wikisearch.pm of TWiki Production Release 01-Dec-2000
   * Discussions

Vulnerable Software Version

   * TWikiRelease01Sep2004 -- TWiki20040901.zip
   * TWikiRelease01Feb2003 -- TWiki20030201.zip
   * TWikiRelease01Dec2001 -- TWiki20011201.zip
   * TWikiRelease01Dec2000 -- TWiki20001201.zip
   * Subversion repository at http://ntwiki.ethermage.net:8181/svn/twiki/trunk
     (up to and including revision 3224, fixed in revision 3225)

Attack Vectors

HTTP GET requests towards the Wiki server (typically port 80/TCP). Usually,
no prior authentication is necessary. Possibly also HTTP POST, but this is
untested.

Impact

An attacker is able to execute arbitrary shell commands with the privileges
of the web server process, such as user nobody.

Details

The TWiki search function uses a user supplied search string to compose a
command line executed by the Perl backtick (``) operator. The search string
is not checked properly for shell metacharacters and is thus vulnerable to
a search string containing quotes and shell commands.
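The Details paragraph above describes a command line built from the search string and run through the backtick operator, and the advisory's Countermeasures section lists, as the thorough alternative, opening and scanning the files in Perl instead of running fgrep in the shell. The Perl below is an added illustration of that countermeasure; it is not TWiki's code and not part of this advisory. The search string is only ever used as data (a literal or a compiled regex), so quotes and other shell metacharacters in it have no special meaning, and an over-long string is rejected with an error rather than silently cut off. The function names, the 200-character bound, the temporary directory and the sample topic files are assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not TWiki code: search topic files from Perl instead of
# handing the search string to fgrep through the shell. The string is
# only ever used as data (a literal or a compiled regex), so quotes and
# other shell metacharacters in it have no special meaning here.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Assumed bound, the same number the hotfix uses. Here an over-long string
# is rejected with an error instead of being silently cut to 200 characters.
our $MAX_SEARCH_LEN = 200;

# Return the names of files in $dir that contain $search. With $regex true
# the string is treated as a Perl regular expression, otherwise literally.
# Dies on a rejected or malformed search string.
sub search_topics {
    my ($dir, $search, $regex) = @_;
    die "search string too long (max $MAX_SEARCH_LEN characters)\n"
        if length($search) > $MAX_SEARCH_LEN;

    # \Q...\E (quotemeta) turns every metacharacter into a literal match;
    # a user regex is compiled once, and a syntax error dies with a message.
    my $pat = $regex ? eval { qr/$search/ } : qr/\Q$search\E/;
    die "invalid search pattern: $@" unless defined $pat;

    opendir(my $dh, $dir) or die "cannot open $dir: $!";
    my @names = readdir $dh;
    closedir $dh;

    my @matches;
    for my $name (sort @names) {
        next if $name =~ /^\./;                 # skip ., .. and dotfiles
        my $path = File::Spec->catfile($dir, $name);
        next unless -f $path;
        open(my $fh, '<', $path) or die "cannot read $path: $!";
        while (my $line = <$fh>) {
            if ($line =~ $pat) { push @matches, $name; last; }
        }
        close $fh;
    }
    return @matches;
}

# If fgrep is to be kept, call it without a shell: the list form of open
# passes an argument vector directly to the program, and -e takes the
# string as a pattern even when it starts with '-'. Unix only; assumes
# fgrep is on PATH.
sub search_topics_fgrep {
    my ($dir, $search) = @_;
    die "search string too long (max $MAX_SEARCH_LEN characters)\n"
        if length($search) > $MAX_SEARCH_LEN;
    opendir(my $dh, $dir) or die "cannot open $dir: $!";
    my @files = grep { -f $_ }
                map  { File::Spec->catfile($dir, $_) }
                grep { !/^\./ } readdir $dh;
    closedir $dh;
    return () unless @files;
    open(my $out, '-|', 'fgrep', '-l', '-e', $search, '--', @files)
        or die "cannot run fgrep: $!";
    chomp(my @hits = <$out>);
    close $out;
    return @hits;
}

# Constructed sample topics; one contains the advisory's test string as
# ordinary text, which is simply matched, not executed.
my $dir = tempdir(CLEANUP => 1);
my %topics = (
    'WebHome.txt'   => "Welcome to the wiki\n",
    'TestTopic.txt' => "search: test_vulnerability '; ls -la'\n",
    'Notes.txt'     => "nothing here\n",
);
for my $name (keys %topics) {
    open(my $fh, '>', File::Spec->catfile($dir, $name)) or die "$name: $!";
    print $fh $topics{$name};
    close $fh;
}

my @hits = search_topics($dir, "test_vulnerability '; ls -la'", 0);
print "literal search matched: @hits\n";

eval { search_topics($dir, 'x' x 201, 0) };
print "over-long search: $@";
```

The pure-Perl search is the "(slow)" option the advisory mentions; search_topics_fgrep keeps the external program but removes the shell from the path, which is the property the hotfix's character filtering only approximates. In both, the length check fails loudly, which is the behaviour the discussion on this page asks for.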
An example search string would be:

   "test_vulnerability '; ls -la'"

If access to TWiki is not restricted by other means, attackers can use the
search function without prior authentication.

Countermeasures

   * Apply hotfix (see patches at end of this e-mail). The hotfix is known to
     prevent the current attacks, but it might not be a complete fix.
   * Filter access to the web server.
   * Use the web server software to restrict access to the web pages served
     by TWiki.
   * Rewrite the code to use Perl code to open and scan the files instead of
     running fgrep in the shell. (slow)

Authors and Credits

Markus Goetz, Joerg Hoh, Michael Holzt, Florian Laws, Hans Ulrich Niedermann,
Andreas Thienemann, Peter Thoeny, Florian Weimer, Colas Nahaboo contributed
to this advisory.

Hotfix

Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Sep-2004

*** TWiki20040901/Search.pm     2004-11-12 11:54:47.000000000 -0800
--- ./Search.pm 2004-11-12 12:08:29.000000000 -0800
***************
*** 434,439 ****
--- 434,446 ----
      my $tempVal = "";
      my $tmpl = "";
      my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/[\'\`]//g;    # Filter ' and `
+     $theSearchVal =~ s/\@\(/\@\\\(/g; # Defuse @( ... )
+     $theSearchVal = substr($theSearchVal, 0, 200); # Limit string length
+
      my $originalSearch = $theSearchVal;
      my $renameTopic;
      my $renameWeb = "";

Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Feb-2003

*** TWiki20030201/Search.pm     2004-11-12 12:11:52.000000000 -0800
--- ./Search.pm 2004-11-12 12:12:20.000000000 -0800
***************
*** 135,140 ****
--- 135,147 ----
      my $tempVal = "";
      my $tmpl = "";
      my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/[\'\`]//g;    # Filter ' and `
+     $theSearchVal =~ s/\@\(/\@\\\(/g; # Defuse @( ... )
+     $theSearchVal = substr($theSearchVal, 0, 200); # Limit string length
+
      my $originalSearch = $theSearchVal;
      my $renameTopic;
      my $renameWeb = "";

Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Dec-2001

*** TWiki20011201/Search.pm     2004-11-12 12:15:55.000000000 -0800
--- ./Search.pm 2004-11-12 12:16:45.000000000 -0800
***************
*** 133,138 ****
--- 133,145 ----
      my $tempVal = "";
      my $tmpl = "";
      my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/[\'\`]//g;    # Filter ' and `
+     $theSearchVal =~ s/\@\(/\@\\\(/g; # Defuse @( ... )
+     $theSearchVal = substr($theSearchVal, 0, 200); # Limit string length
+
      my $originalSearch = $theSearchVal;
      my $renameTopic;
      my $renameWeb = "";

Patch for twiki/bin/wikisearch.pm of TWiki Production Release 01-Dec-2000

*** TWiki20001201/wikisearch.pm 2004-11-12 12:18:55.000000000 -0800
--- ./wikisearch.pm     2004-11-12 12:23:07.000000000 -0800
***************
*** 117,122 ****
--- 117,129 ----
      my $tempVal = "";
      my $tmpl = "";
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/[\'\`]//g;    # Filter ' and `
+     $theSearchVal =~ s/\@\(/\@\\\(/g; # Defuse @( ... )
+     $theSearchVal = substr($theSearchVal, 0, 200); # Limit string length
+
      if( $doBookView ) {
          $tmpl = readTemplate( "searchbookview" );
      } else {

-- PeterThoeny - 12 Nov 2004

Discussions

Refactored out SingleEntryPointForSystemCalls discussion.

-- PeterThoeny - 14 Nov 2004

I applied the Cairo fix and felt safe smile ... and forgot about the update.
Later some of my searches stopped working - very confusing at first. It was

   $theSearchVal = substr($theSearchVal, 0, 200); # Limit string length

(a hard and quiet ruler) truncating my search-criteria and thus invalidating
the search.
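Review bot: the same seven added lines appear in each of the four hunks (Search.pm for 01-Sep-2004, 01-Feb-2003 and 01-Dec-2001, wikisearch.pm for 01-Dec-2000), so one comment covers all of them. `$theSearchVal =~ s/[\'\`]//g;` removes only the two quote characters, and the filtered value is still interpolated into the command line that the backtick operator hands to the shell, so the protection depends on how the rest of that command is quoted rather than on the input being safe; the advisory's own Countermeasures says the hotfix "might not be a complete fix", and the change that removes the problem is the one it lists last, opening and scanning the files in Perl instead of running fgrep. Second, `$theSearchVal = substr($theSearchVal, 0, 200); # Limit string length` truncates silently, so a longer search runs against a different string with no indication to the user; the discussion on this page reports searches breaking for exactly that reason. Rejecting the request with an error when length($theSearchVal) > 200 would be safer and far easier to diagnose than a quiet cut.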
200 seems like a pretty small length for a search string - and if it has to
be small, users should at least be warned and search stopped.

-- NielsKoldso - 14 Nov 2004

This has also stopped one of my searches from working. The second search on
CodevBasicFormSearch has a search term with 272 characters. I tried to create
a search to find others that wouldn't work but SEARCH{\"[^\"]{200}.*\" doesn't
appear to work as a search term. I'm guessing that the {200} expands the
previous item before the security check. smile

-- SamHasler - 15 Nov 2004

yes, please raise (or eliminate) the limit; this change breaks several of my
TWikiApplications.

-- WillNorris - 15 Nov 2004

See SingleEntryPointForSystemCalls for an alternative patch against the
Halloween beta. I'm using this on my site right now.

-- KennethPorter - 16 Nov 2004

[***** End TWiki Security Alert *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of TWiki.Org for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-028: Cisco Vulnerability in Cisco Secure Access Control Server (ACS)
       EAP-TLS Authentication
P-029: libxml and libxml2 Buffer Overflow
P-030: Local Volume Manager (LVM) Vulnerability
P-031: HP OpenView Operations (OVO) Remote Privilege Elevation Vulnerability
P-032: GZIP Insecure Temporary Files
P-033: "libgd" Integer Overflows
P-034: Cisco IOS DHCP Blocked Interface Denial-of-Service
P-035: iPlanet/Sun ONE Messaging Server Webmail Vulnerability
P-036: Crafted Timed Attack Evades Cisco Security
P-037: Sudo Environment Cleaning Vulnerability
P-038: Samba Vulnerabilities