__________________________________________________________

                  The U.S. Department of Energy
              Computer Incident Advisory Capability

__________________________________________________________

                       INFORMATION BULLETIN

      TWiki INCLUDE Function Allows Arbitrary Shell Command Execution
                    [TWiki-Announce Security Alert]

September 28, 2005 17:00 GMT                                      Number P-316
______________________________________________________________________________

PROBLEM:       The TWiki INCLUDE function enables a malicious user to compose
               a command line executed by the Perl backtick (``) operator.
               The rev parameter of the INCLUDE variable is not checked
               properly for shell metacharacters and is thus vulnerable to
               revision numbers containing pipes and shell commands.

PLATFORM:      TWikiRelease03Sep2004 -- TWiki20040903.zip
               TWikiRelease02Sep2004 -- TWiki20040902.zip
               TWikiRelease01Sep2004 -- TWiki20040901.zip
               TWikiRelease01Feb2003 -- TWiki20030901.zip

DAMAGE:        An attacker is able to execute arbitrary shell commands with
               the privileges of the web server process, such as user nobody.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. An attacker is able to execute arbitrary
ASSESSMENT:    shell commands with the privileges of the web server process,
               such as user nobody.
______________________________________________________________________________

LINKS:         CIAC BULLETIN:     http://www.ciac.org/ciac/bulletins/p-316.shtml
               ORIGINAL BULLETIN: TWiki-Announce Security Alert
               http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithInclude
               CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3056
______________________________________________________________________________

[***** Start TWiki-Announce Security Alert *****]

Security Alert: TWiki INCLUDE function allows arbitrary shell command execution

Please join the twiki-announce list: To get immediate alerts of high priority
security issues, please join the low-volume twiki-announce list - details at
TWikiAnnounceMailingList

This advisory alerts you of a potential security issue with your TWiki
installation: The TWiki INCLUDE function allows arbitrary shell command
execution. Please see also the unrelated security audit on visible lib
directories, SecurityAuditOnVisibleLibDir

Vulnerable Software Version

  TWikiRelease03Sep2004 -- TWiki20040903.zip
  TWikiRelease02Sep2004 -- TWiki20040902.zip
  TWikiRelease01Sep2004 -- TWiki20040901.zip
  TWikiRelease01Feb2003 -- TWiki20030201.zip

Not affected are:

  * Recent DakarReleases (upcoming production release, soon)
  * TWikiRelease01Sep2004 patched with Florian Weimer's
    UncoordinatedSecurityAlert23Feb2005

Attack Vectors

Editing wiki pages and HTTP GET requests towards the Wiki server (typically
port 80/TCP). Typically, prior authentication is necessary (including
anonymous TWikiGuest accounts).
Impact

An attacker is able to execute arbitrary shell commands with the privileges of
the web server process, such as user nobody.

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name
CAN-2005-3056 to this vulnerability.

Details

The TWiki INCLUDE function enables a malicious user to compose a command line
executed by the Perl backtick (``) operator. The rev parameter of the INCLUDE
variable is not checked properly for shell metacharacters and is thus
vulnerable to revision numbers containing pipes and shell commands. The
exploit is possible on included topics with two or more revisions.

Example INCLUDE variable exploiting the rev parameter:

  %INCLUDE{ "Main.TWikiUsers" rev="2|less /etc/passwd" }%

The same vulnerability is exposed to all Plugins and add-ons that use the
TWiki::Func::readTopicText function to read a previous topic revision. This
has been tested on TWiki:Plugins.RevCommentPlugin and
TWiki:Plugins.CompareRevisionsAddon. If access to TWiki is not restricted by
other means, attackers can use the revision function with or without prior
authentication, depending on the configuration.
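The check the advisory says is missing, written out as an added example (this is not TWiki's code or its patch): a rev value is accepted only if it is a plain revision number, and the revision is then read through Perl's list-form open(), which passes arguments directly to the program with no shell in between. The RCS `co` command line and the function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not TWiki's code. Shows the two defences a fix for this class
# of bug relies on: reject any rev value that is not a plain revision number,
# and never hand the value to a shell at all.

# Returns the validated revision, or undef if the value contains anything but
# a revision number ("2" or RCS-style "1.2"). The regex capture also untaints
# the value when running under perl -T.
sub validate_rev {
    my ($rev) = @_;
    return undef unless defined $rev;
    return $1 if $rev =~ /\A(\d+(?:\.\d+)?)\z/;
    return undef;
}

# Hardened read of one topic revision. The backend command is assumed to be
# RCS "co"; the point is the list form of open(), which execs the program
# directly (no /bin/sh), so a pipe or semicolon in an argument is just a
# character in that argument, never a second command.
sub read_revision {
    my ($rcs_file, $rev) = @_;
    my $clean = validate_rev($rev);
    die "rejected rev parameter: not a revision number\n"
        unless defined $clean;
    open(my $fh, '-|', 'co', '-q', '-p', "-r$clean", $rcs_file)
        or die "cannot run co: $!\n";
    local $/;                 # slurp the whole revision text
    my $text = <$fh>;
    close($fh);
    return $text;
}

# Constructed inputs: two legitimate values and the payload shape quoted in
# the advisory. Only the first two pass validation.
for my $rev ('2', '1.3', '2|less /etc/passwd') {
    my $result = defined validate_rev($rev) ? 'accepted' : 'rejected';
    printf "rev=\"%s\" -> %s\n", $rev, $result;
}
```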
See Also: IncludePreviousTopicRevision, SecurityAlertExecuteCommandsWithRev,
SecurityAlertExecuteCommandsWithSearch, UncoordinatedSecurityAlert23Feb2005

Countermeasures

  * Apply hotfix (see patches below)
    NOTE: The hotfix is known to prevent the current attacks, but it might
    not be a complete fix
  * Upgrade to the latest patched production TWikiRelease04Sep2004
    NOTE: If you are running an unmodified TWikiRelease01Sep2004,
    TWikiRelease02Sep2004 or TWikiRelease03Sep2004, simply copy the following
    patched files from TWikiRelease04Sep2004 to your installation:
    lib/TWiki.pm, lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm,
    lib/TWiki/UI/View.pm, lib/TWiki/UI/Viewfile.pm
  * Apply patch of UncoordinatedSecurityAlert23Feb2005 (but see known issues
    of that patch)
  * Filter access to the web server
  * Use the web server software to restrict access to the web pages served
    by TWiki

Authors and Credits

  * Credit to TWiki:Main.JChristophFuchs (jcf@ipp.mpgSTOPSPAM.de) and
    TWiki:Main.JoseLuna (luna@aditelSTOPSPAM.org) for disclosing the issue
    to the twiki-security@lists.sourceforgeSTOPSPAM.net mailing list
  * TWiki:Main.JoseLuna for contributing a more robust patch to the recent
    SecurityAlertExecuteCommandsWithRev issue (included in this patch)
  * TWiki:Main.PeterThoeny, TWiki:Main.JoseLuna, TWiki:Main.CrawfordCurrie
    for contributing to the advisory and the patch

Hotfix Patch for TWiki Production Release 03-Sep-2004

Affected files: twiki/lib/TWiki.pm, twiki/lib/TWiki/Store.pm,
lib/TWiki/UI/RDiff.pm, lib/TWiki/UI/View.pm, lib/TWiki/UI/Viewfile.pm

See attached patch file TWiki200409-03-04patch.txt

Patch for TWiki Production Release 02-Sep-2004

Affected files: twiki/lib/TWiki.pm, twiki/lib/TWiki/Store.pm,
lib/TWiki/UI/RDiff.pm, lib/TWiki/UI/View.pm, lib/TWiki/UI/Viewfile.pm

See attached patch file TWiki200409-02-04patch.txt

Patch for TWiki Production Release 01-Feb-2003

Note: This assumes that the release is already patched with the
SecurityAlertExecuteCommandsWithRev fix.
Affected files: twiki/lib/TWiki/Store.pm, twiki/bin/rdiff, twiki/bin/view,
twiki/bin/viewfile

See attached patch file TWiki200302-01-04patch.txt

-- PeterThoeny - 27 Sep 2005

Action Plan with Timeline

  1. User discloses issue to TWikiSecurityMailingList
     Date/Deadline: 2005-09-14           Status: Done   Who: JChristophFuchs
  2. Verify issue
     Date/Deadline: 2005-09-19           Status: Done   Who: PeterThoeny
  1. User discloses issue and proposed fix to TWikiSecurityMailingList
     Date/Deadline: 2005-09-20           Status: Done   Who: JoseLuna
  3. Create hotfix for affected TWikiProductionReleases
     Date/Deadline: 2005-09-20           Status: Done   Who: PeterThoeny,
                                                             JoseLuna
  4. Create patched production TWikiRelease04Sep2004
     Date/Deadline: 2005-09-23           Status: Done   Who: PeterThoeny
  5. Compile e-mail list of administrators of public TWiki sites (based on
     Google search and TWikiInstallation directory, total 690)
     Date/Deadline: 2005-09-25           Status: Done   Who: PeterThoeny
  6. Initial alert: Alert TWikiDevMailingList members and administrators of
     public TWiki sites by e-mail
     Date/Deadline: 2005-09-25 evening PDT   Status: Done   Who: PeterThoeny
  7. Send alert to TWikiAnnounceMailingList and TWikiDevMailingList
     Date/Deadline: 2005-09-27 evening PDT   Status: Done   Who: PeterThoeny
  8. Publish advisory in Codev web and update all related topics
     Date/Deadline: 2005-09-27 evening PDT   Status: Done   Who: PeterThoeny
  9. Issue a public security advisory (vuln@secunia.com, cert@cert.org,
     bugs@securitytracker.com, full-disclosure@lists.netsys.com,
     vulnwatch@vulnwatch.org)
     Date/Deadline: 2005-09-28           Status: Done   Who: PeterThoeny

External Links

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3056
  http://secunia.com/advisories/16980/

-- PeterThoeny - 28 Sep 2005

[***** End TWiki-Announce Security Alert *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of TWiki for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-306: Apple Java Security Updates
P-307: TWiki History Function Vulnerability
P-308: 'kcheckpass' Vulnerability
P-309: VERITAS Storage Exec DCOM Server Buffer Overflows
P-310: Firefox Security Update
P-311: Mozilla Security Update
P-312: Apple Security Update 2005-008
P-313: Courier
P-314: RealPlayer & HelixPlayer Security Update
P-315: Security Vulnerability in the Xsun(1) and Xprt(1) Commands