             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       | /_\   /    \___
                          \___  __|__  / \     \___
             __________________________________________________________

                             INFORMATION BULLETIN

                    TWiki History Function Vulnerability
            [Twiki Security Alert Execute Commands with Rev]

September 15, 2005 17:00 GMT                                      Number P-307
______________________________________________________________________________
PROBLEM:       A vulnerability was discovered in TWiki, a popular enterprise
               collaboration platform.
PLATFORM:      TWikiRelease02Sep2004
               TWikiRelease01Sep2004
               TWikiRelease01Feb2003
               TWikiRelease01Dec2001
               TWikiRelease01Dec2000
DAMAGE:        An attacker may be able to execute arbitrary shell commands with
               the privileges of the web server process, such as user nobody.
               If access to TWiki is not restricted by other means, attackers
               can use the revision function without prior authentication.
SOLUTION:      Apply the security update.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. An attacker may be able to execute arbitrary
ASSESSMENT:    shell commands with the privileges of the web server process.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-307.shtml
 ORIGINAL BULLETIN:  http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
 ADDITIONAL LINK:    Secunia Advisory SA16820
                     http://secunia.com/advisories/16820/
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2877
______________________________________________________________________________
[***** Start Twiki Security Alert Execute Commands with Rev *****]

Security Alert: TWiki history function allows arbitrary shell command execution

ALERT!
Please join the twiki-announce list: To get immediate alerts of high priority
security issues, please join the low-volume twiki-announce list - details at
TWikiAnnounceMailingList

   * Vulnerable Software Version
   * Attack Vectors
   * Impact
   * MITRE Name for this Vulnerability
   * Details
   * Countermeasures
   * Authors and Credits
   * Hotfix
      o Patch for TWiki Production Release 01-Sep-2004 and 02-Sep-2004
      o Patch for TWiki Production Release 01-Feb-2003
      o Patch for TWiki Production Release 01-Dec-2001
      o Patch for TWiki Production Release 01-Dec-2000
   * Action Plan with Timeline
   * Discussions

Vulnerable Software Version

   * TWikiRelease02Sep2004 -- TWiki20040902.zip
   * TWikiRelease01Sep2004 -- TWiki20040901.zip
   * TWikiRelease01Feb2003 -- TWiki20030201.zip
   * TWikiRelease01Dec2001 -- TWiki20011201.zip
   * TWikiRelease01Dec2000 -- TWiki20001201.zip

Not affected are:

   * Recent DakarReleases (upcoming production release, soon)
   * TWikiRelease01Sep2004 patched with Florian Weimer's UncoordinatedSecurityAlert23Feb2005

Attack Vectors

HTTP GET requests towards the Wiki server (typically port 80/TCP). Usually, no
prior authentication is necessary. Possibly also HTTP POST, but this is
untested.

Impact

An attacker is able to execute arbitrary shell commands with the privileges of
the web server process, such as user nobody.

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name
CAN-2005-2877 to this vulnerability.

Details

The TWiki revision control function uses a user supplied URL parameter to
compose a command line executed by the Perl backtick (``) operator. The URL
parameter is not checked properly for shell metacharacters and is thus
vulnerable to revision numbers containing pipes and shell commands. Exploit is
possible on topics with two or more revisions.
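The unsafe shape the Details section describes, beside a hardened version that rejects anything but a plain revision number and then runs the RCS command without a shell (the list-form pipe open that the perlipc "Safe Pipe Opens" pointer in the Discussions section refers to). This is an added illustration, not TWiki's code: the function names and the `co -q -p1.N file` checkout command are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not TWiki code: the unsafe shape the advisory describes,
# beside a hardened version. Function names and the 'co' command are assumed.
use strict;
use warnings;

# Vulnerable shape: the rev parameter is interpolated into a command string that
# the backtick operator hands to /bin/sh, so a pipe in "2 |less /etc/passwd"
# becomes part of the command. Only a leading "1." is cut; nothing is validated.
sub revision_unsafe {
    my ( $file, $rev ) = @_;
    $rev =~ s/^1\.//;
    return `co -q -p1.$rev $file`;
}

# Hardened step 1: validate, do not "clean". Accept only an optional 'r',
# an optional "1." and a short digit run spanning the whole string (\A..\z,
# so a newline or anything else after the digits makes the value invalid).
sub parse_rev {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\Ar?(?:1\.)?([0-9]{1,9})\z/;
    return undef;
}

# Hardened step 2: run the program without a shell. The list form of open
# passes the arguments straight to execve(), so /bin/sh never sees them.
sub revision_safe {
    my ( $file, $raw_rev ) = @_;
    my $rev = parse_rev($raw_rev);
    die "invalid rev parameter\n" unless defined $rev;
    open( my $fh, '-|', 'co', '-q', "-p1.$rev", $file )
        or die "cannot run co: $!\n";
    local $/;                       # slurp the whole revision text
    my $out = <$fh>;
    close $fh or die "co failed: $?\n";
    return $out;
}

# Decision table on constructed inputs; no RCS call is needed to see it.
for my $raw ( '2', 'r1.2', '1.7', '2 |less /etc/passwd', "2\n|id", '' ) {
    ( my $shown = $raw ) =~ s/\n/\\n/g;
    my $rev = parse_rev($raw);
    printf "%-24s -> %s\n", "'$shown'", defined $rev ? "rev $rev" : 'rejected';
}
```

The list-form open needs a Perl that implements it natively; as CrawfordCurrie notes further down, that was the hard part on some platforms at the time.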
Example URL path with exploited rev parameter:
/cgi-bin/view/Main/TWikiUsers?rev=2%20%7Cless%20/etc/passwd

If access to TWiki is not restricted by other means, attackers can use the
revision function without prior authentication.

See Also: SecurityAlertExecuteCommandsWithSearch and
UncoordinatedSecurityAlert23Feb2005

Countermeasures

   * Apply hotfix (see patches below)
      o NOTE: The hotfix is known to prevent the current attacks, but it might
        not be a complete fix
   * Upgrade to the latest patched production TWikiRelease03Sep2004
      o NOTE: If you are running an unmodified TWikiRelease02Sep2004, simply
        copy the patched lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm,
        lib/TWiki/UI/View.pm and lib/TWiki/UI/Viewfile.pm to your installation
   * Apply patch of UncoordinatedSecurityAlert23Feb2005 (but see known issues
     of that patch)
   * Filter access to the web server
   * Use the web server software to restrict access to the web pages served by
     TWiki

Authors and Credits

   * Credit to B4dP4nd4 (b4dp4nd4@gmailSTOPSPAM.com) for disclosing the issue
     to the twiki-security@lists.sourceforgeSTOPSPAM.net mailing list
   * TWiki:Main.PeterThoeny, TWiki:Main.CrawfordCurrie,
     TWiki:Main.SvenDowideit, TWiki:Main.ColasNahaboo, TWiki:Main.WillNorris,
     TWiki:Main.RichardDonkin, B4dP4nd4 and Florian Weimer for contributing to
     this advisory

Hotfix

Patch for TWiki Production Release 01-Sep-2004 and 02-Sep-2004

Affected files: twiki/lib/TWiki/Store.pm, twiki/lib/TWiki/UI/RDiff.pm,
twiki/lib/TWiki/UI/View.pm, twiki/lib/TWiki/UI/Viewfile.pm

See also attached patch file TWiki200409-02-03.patch

--- lib/TWiki/Store.pm.orig Thu Jul 22 01:43:40 2004 +++ lib/TWiki/Store.pm Thu Sep 8 21:30:44 2005
@@ -572,7 +572,9 @@ } $theRev = "" unless( $theRev ); - $theRev =~ s/^1\.//o; + $theRev =~ s/r?1\.//o; # cut 'r' and major + # Fix for Codev.SecurityAlertExecuteCommandsWithRev + $theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o ); $topicHandler = _getTopicHandler( $theWebName, $theTopic, $attachment ) if( ! $topicHandler ); my( $rcsOut, $rev, $date, $user, $comment ) = $topicHandler- >getRevisionInfo( $theRev ); --- lib/TWiki/UI/RDiff.pm.orig Sun Aug 8 01:28:45 2004 +++ lib/TWiki/UI/RDiff.pm Thu Sep 8 21:33:13 2005 @@ -409,6 +409,9 @@ if( ! $rev2 ) { $rev2 = 0; } $rev1 =~ s/r?1\.//go; # cut 'r' and major $rev2 =~ s/r?1\.//go; # cut 'r' and major + # Fix for Codev.SecurityAlertExecuteCommandsWithRev + $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o ); + $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o ); if( $rev1 < 1 ) { $rev1 = $maxrev; } if( $rev1 > $maxrev ) { $rev1 = $maxrev; } if( $rev2 < 1 ) { $rev2 = 1; } --- lib/TWiki/UI/View.pm.orig Tue Aug 24 23:36:15 2004 +++ lib/TWiki/UI/View.pm Thu Sep 8 21:34:52 2005 @@ -107,6 +107,8 @@ if( $rev ) { $rev =~ s/r?1\.//go; # cut 'r' and major + # Fix for Codev.SecurityAlertExecuteCommandsWithRev + $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o ); if( $rev < 1 ) { $rev = 1; } if( $rev > $maxrev ) { $rev = $maxrev; } } else { --- lib/TWiki/UI/Viewfile.pm.orig Fri May 28 23:51:35 2004 +++ lib/TWiki/UI/Viewfile.pm Thu Sep 8 21:35:59 2005 @@ -43,6 +43,9 @@ my $fileName = $query->param( 'filename' ); my $rev = $query->param( 'rev' ) || ""; + $rev =~ s/r?1\.//o; # cut 'r' and major + # Fix for Codev.SecurityAlertExecuteCommandsWithRev + $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o ); return unless TWiki::UI::webExists( $webName, $topic ); Patch for TWiki Production Release 01-Feb-2003 Affected files: twiki/lib/TWiki/Store.pm, twiki/bin/rdiff, twiki/bin/view, twiki/bin/viewfile --- lib/TWiki/Store.pm.orig Sat Jan 4 17:36:56 2003 +++ lib/TWiki/Store.pm Thu Sep 8 23:10:58 2005 
@@ -351,9 +351,11 @@ if( ! $theWebName ) { $theWebName = $TWiki::webName; } - - $theRev =~ s/^1\.//o; + $theRev =~ s/r?1\.//o; # cut 'r' and major + # Fix for Codev.SecurityAlertExecuteCommandsWithRev + $theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o ); + $topicHandler = _getTopicHandler( $theWebName, $theTopic, $attachment ) if( ! $topicHandler ); my( $rcsOut, $rev, $date, $user, $comment ) = $topicHandler- >getRevisionInfo( $theRev ); --- bin/rdiff.orig Sat Feb 1 00:57:32 2003 +++ bin/rdiff Thu Sep 8 23:18:05 2005 @@ -155,6 +155,9 @@ if( ! $rev2 ) { $rev2 = 0; } $rev1 =~ s/r?1\.//go; # cut 'r' and major $rev2 =~ s/r?1\.//go; # cut 'r' and major + # Fix for Codev.SecurityAlertExecuteCommandsWithRev + $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o ); + $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o ); if( $rev1 < 1 ) { $rev1 = $maxrev; } if( $rev1 > $maxrev ) { $rev1 = $maxrev; } if( $rev2 < 1 ) { $rev2 = 1; } --- bin/view.orig Thu Jan 30 00:21:25 2003 +++ bin/view Thu Sep 8 23:13:47 2005 @@ -123,6 +123,8 @@ writeDebug( "maxrev = $maxrev" ); if( $rev ) { $rev =~ s/r?1\.//go; # cut 'r' and major + # Fix for Codev.SecurityAlertExecuteCommandsWithRev + $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o ); if( $rev < 1 ) { $rev = 1; } if( $rev > $maxrev ) { $rev = $maxrev; } } else { --- bin/viewfile.orig Sun Jan 5 00:36:54 2003 +++ bin/viewfile Thu Sep 8 23:14:54 2005 @@ -63,6 +63,9 @@ my $fileName = $query->param( 'filename' ); my $rev = $query->param( 'rev' ) || ""; + $rev =~ s/r?1\.//o; # cut 'r' and major + # Fix for Codev.SecurityAlertExecuteCommandsWithRev + $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o ); my $topRev = &TWiki::Store::getRevisionNumber( $webName, $topic, $fileName ); if( ( $rev ) && ( $rev ne $topRev ) ) { Patch for TWiki Production Release 01-Dec-2001 Affected files: twiki/bin/rdiff, twiki/bin/view, twiki/bin/viewfile --- bin/rdiff.orig Tue Nov 13 18:59:02 2001 +++ bin/rdiff Thu Sep 8 23:51:50 2005 
@@ -149,6 +149,9 @@ if( ! $rev2 ) { $rev2 = 0; } $rev1 =~ s/r?1\.//go; # cut 'r' and major $rev2 =~ s/r?1\.//go; # cut 'r' and major + # Fix for Codev.SecurityAlertExecuteCommandsWithRev + $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o ); + $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o ); if( $rev1 < 1 ) { $rev1 = $maxrev; } if( $rev1 > $maxrev ) { $rev1 = $maxrev; } if( $rev2 < 1 ) { $rev2 = 1; } --- bin/view.orig Mon Dec 3 09:11:20 2001 +++ bin/view Thu Sep 8 23:52:57 2005 @@ -114,6 +114,8 @@ writeDebug( "maxrev = $maxrev" ); if( $rev ) { $rev =~ s/r?1\.//go; # cut 'r' and major + # Fix for Codev.SecurityAlertExecuteCommandsWithRev + $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o ); if( $rev < 1 ) { $rev = 1; } if( $rev > $maxrev ) { $rev = $maxrev; } } else { --- bin/viewfile.orig Fri Oct 5 18:03:20 2001 +++ bin/viewfile Thu Sep 8 23:53:45 2005 @@ -62,6 +62,9 @@ my $fileName = $query->param( 'filename' ); my $rev = $query->param( 'rev' ) || ""; + $rev =~ s/r?1\.//o; # cut 'r' and major + # Fix for Codev.SecurityAlertExecuteCommandsWithRev + $rev = "" unless( $rev =~ s/.*?([0-9]+).*/$1/o ); my $topRev = &TWiki::Store::getRevisionNumber( $webName, $topic, $fileName ); if( ( $rev ) && ( $rev ne $topRev ) ) { Patch for TWiki Production Release 01-Dec-2000 Affected files: twiki/bin/rdiff, twiki/bin/view --- bin/rdiff.orig Tue Nov 14 23:08:48 2000 +++ bin/rdiff Fri Sep 9 00:04:25 2005 @@ -139,6 +139,9 @@ if( ! $rev2 ) { $rev2 = 0; } $rev1 =~ s/1\.//go; # cut major $rev2 =~ s/1\.//go; # cut major + # Fix for Codev.SecurityAlertExecuteCommandsWithRev + $rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o ); + $rev2 = $maxrev unless( $rev2 =~ s/.*?([0-9]+).*/$1/o ); if( $rev1 < 1 ) { $rev1 = $maxrev; } if( $rev1 > $maxrev ) { $rev1 = $maxrev; } if( $rev2 < 1 ) { $rev2 = 1; } --- bin/view.orig Tue Nov 14 23:14:31 2000 +++ bin/view Fri Sep 9 00:05:10 2005 
@@ -77,6 +77,8 @@ $maxrev =~ s/1\.//go; # cut major if( $rev ) { $rev =~ s/1\.//go; # cut major + # Fix for Codev.SecurityAlertExecuteCommandsWithRev + $rev = $maxrev unless( $rev =~ s/.*?([0-9]+).*/$1/o ); if( $rev < 1 ) { $rev = 1; } if( $rev > $maxrev ) { $rev = $maxrev; } $text= &wiki::readVersion( $topic, "1.$rev" );

-- PeterThoeny - 09 Sep 2005

Action Plan with Timeline

 #  Action                                                      Date/Deadline           Status  Who
 1. Researcher discloses issue to TWikiSecurityMailingList      2005-09-09              Done    B4dP4nd4
 2. Verify issue                                                2005-09-09              Done    PeterThoeny
 3. Create hotfix for affected TWikiProductionReleases          2005-09-11              Done    PeterThoeny
 4. Create patched production TWikiRelease03Sep2004             2005-09-11              Done    PeterThoeny
 5. Compile e-mail list of administrators of public TWiki
    sites (based on Google search and TWikiInstallation
    directory, total 690)                                       2005-09-10              Done    PeterThoeny
 6. Initial alert: Alert TWikiDevMailingList members and
    administrators of public TWiki sites by e-mail              2005-09-11 evening PDT  Done    PeterThoeny
 7. Send alert to TWikiAnnounceMailingList members              2005-09-13 evening PDT  Done    PeterThoeny
 8. Issue a public security advisory                            2005-09-13 evening PDT          B4dP4nd4
 9. Publish advisory in Codev web                               2005-09-13 evening PDT  Done    PeterThoeny

Discussions

Patches do not apply cleanly due to patch format issues, at least for me on
Debian using GNU patch 2.5.4. Please see my email on twiki-security list.

-- RichardDonkin - 13 Sep 2005

I compared Colas' diff and my diff. I think the issue is that my diffs have an
extra leading "diff" line. I removed that.

-- PeterThoeny - 13 Sep 2005

Forgive my ignorance, but I should be able to run "patch -i
TWiki200409-02-03.patch" right? If I try with the --dry-run option it complains
it can't find the files for the code changes, but it appears to find
licence.text, readme.txt and TwikiDocumentation.html ok. I also tried
copy/pasting the code blocks given in the page and patching that, same deal.
Any ideas?
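Review bot: in the Store.pm hunks (and the identical line added in every hunk below), `$theRev = "" unless( $theRev =~ s/.*?([0-9]+).*/$1/o );` extracts a digit run instead of validating the parameter, so the value is accepted whenever digits appear anywhere in it, and because `.` does not match a newline without /s the trailing `.*` stops at a line break and leaves whatever follows in place. An anchored positive match is the safer shape, e.g. `if( $theRev =~ /^(\d+)$/ ) { $theRev = $1; } else { $theRev = ""; }`, and since the result is still spliced into a command line for the backtick operator, the list-form pipe open that the perlipc pointer in the discussion describes is the change that takes the shell out of the path entirely.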
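Review bot: the RDiff.pm and rdiff hunks map a rejected value to the latest revision (`$rev1 = $maxrev unless( $rev1 =~ s/.*?([0-9]+).*/$1/o );`), so a tampered or malformed rev parameter silently yields a diff against `$maxrev` instead of an error. Prefer failing the request and logging the rejected value, which is a useful detection signal for exactly the attack this advisory covers, and keep the existing `< 1` / `> $maxrev` clamps for the numeric case only.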
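Review bot: the Viewfile.pm and viewfile hunks set `$rev = ""` on rejection and, in the 01-Feb-2003 and 01-Dec-2001 versions, the following `if( ( $rev ) && ( $rev ne $topRev ) )` then quietly serves the top revision for a rejected parameter; treat it as an error, as suggested for rdiff. Minor: the new `$rev =~ s/r?1\.//o;` here uses /o where View.pm and RDiff.pm use /go for the same cut, harmless but inconsistent across the four files.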
-- MattEstela - 14 Sep 2005

Go to the twiki root directory and use this command: patch -p0 < patchfile

This worked on all machines I patched...

-- ThomasWeigert - 15 Sep 2005

PLEASE read http://search.cpan.org/dist/perl/pod/perlipc.pod#Safe_Pipe_Opens to
see how to do safe pipe opens - it is very difficult to sanitize arguments
sufficiently to make them safe enough to pass to the shell. The patch for the
earlier vulnerability also suffered from the same problem.

-- AlanBurlison - 15 Sep 2005

That article is good, though it doesn't suggest the trouble we had in
DakarRelease getting safe pipes to work on all perls. We still don't have a
perfect solution for ActiveState on IIS with no Cygwin, though I think our
solution is adequate.

-- CrawfordCurrie - 15 Sep 2005

Bugtraq entry http://www.securityfocus.com/bid/14834 was filed on 14 Sep 2005

-- PeterThoeny - 15 Sep 2005

[***** End Twiki Security Alert Execute Commands with Rev *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Twiki for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-297: HP OpenView Event Correlation Services Vulnerability
P-298: Sun iPlanet Messaging Server Vulnerability
P-299: 'cvsbug' Security Update
P-300: Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions
       Vulnerability
P-301: httpd Security Update
P-302: Cisco CSS SSL Authentication Bypass Security Notice
P-303: Firefox and Mozilla Buffer Overflow Vulnerability
P-304: XFree86 Security Update
P-305: Sun JAR File Contents Disclosure
P-306: Apple Java Security Updates