P-039: TWiki "Search.pm" Shell Command Injection Vulnerability

CIAC INFORMATION BULLETIN

P-039: TWiki "Search.pm" Shell Command Injection Vulnerability

[TWiki Security Alert]

November 16, 2004 21:00 GMT

PROBLEM: An easily exploitable vulnerability has been found in TWiki. TWiki is a web-based collaboration platform.
PLATFORM: TWiki Releases of 01Sep2004, 01Feb2003, 01Dec2001, 01Dec2000
DAMAGE: A user supplied search string containing the single-quote (') shell operator is not properly checked and allows an attacker to execute arbitrary code.
SOLUTION: Install the security hotfix and follow the instructed countermeasures.

VULNERABILITY ASSESSMENT:
The risk is MEDIUM. A remote attacker may execute shell commands with the privileges of the web server process. CIAC has been advised that an exploit is available in the wild and is actively being used.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/p-039.shtml
  ORIGINAL BULLETIN: http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch

[***** Start TWiki Security Alert *****]

Security Alert: TWiki search function allows arbitrary shell command execution

    * Vulnerable Software Version
    * Attack Vectors
    * Impact
    * Details
    * Countermeasures
    * Authors and Credits
    * Hotfix
       o Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Sep-2004
       o Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Feb-2003
       o Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Dec-2001
       o Patch for twiki/bin/wikisearch.pm of TWiki Production Release 01-Dec-2000
    * Discussions

Vulnerable Software Version

    * TWikiRelease01Sep2004 -- TWiki20040901.zip
    * TWikiRelease01Feb2003 -- TWiki20030201.zip
    * TWikiRelease01Dec2001 -- TWiki20011201.zip
    * TWikiRelease01Dec2000 -- TWiki20001201.zip
    * Subversion repository at http://ntwiki.ethermage.net:8181/svn/twiki/trunk
      (up to and including revision 3224, fixed in revision 3225)

Attack Vectors

HTTP GET requests towards the Wiki server (typically port 80/TCP). Usually, 
no prior authentication is necessary.

Possibly also HTTP POST, but this is untested.

Impact

An attacker is able to execute arbitrary shell commands with the privileges 
of the web server process, such as user nobody.

Details

The TWiki search function uses a user supplied search string to compose 
a command line executed by the Perl backtick (``) operator.

The search string is not checked properly for shell metacharacters, so a 
search string containing quotes followed by shell commands is passed to the 
shell as-is.

An example search string would be: "test_vulnerability '; ls -la'"

If access to TWiki is not restricted by other means, attackers can use the 
search function without prior authentication.

Countermeasures

    * Apply hotfix (see patches at end of this e-mail). The hotfix is known 
      to prevent the current attacks, but it might not be a complete fix.
    * Filter access to the web server.
    * Use the web server software to restrict access to the web pages served 
      by TWiki.
    * Rewrite the code to open and scan the files in Perl itself instead of 
      running fgrep through the shell (slower, but no command line is built 
      from user input).
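As an added example (not TWiki's code and not the hotfix below) of the last countermeasure, the following Perl scans topic text in-process, matching the search value literally with \Q...\E so no shell command line is ever composed, and rejects over-long input with an error instead of silently truncating it; the topic contents and the 200-character limit are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not part of TWiki: in-process search instead of shelling out to fgrep.
use strict;
use warnings;

# Constructed sample topics (stand-ins for twiki/data/<Web>/<Topic>.txt files).
my %topics = (
    'WebHome'    => "Welcome to the Main web.\nSee the test_vulnerability notes.\n",
    'WebNotify'  => "Subscribers list.\n",
    'SearchTest' => "This topic mentions fgrep and Search.pm.\n",
);

# Validate length up front and report it, rather than shortening the string
# behind the user's back (the hotfix's substr(..., 0, 200) does the latter).
sub check_search_string {
    my ($val, $max) = @_;
    $max ||= 200;    # assumed limit, same figure as the hotfix
    return (0, "search string too long (maximum $max characters)")
        if length($val) > $max;
    return (1, "");
}

# Literal substring search over the topic hash. \Q...\E quotes every regex
# metacharacter in $val, and because no shell is involved, quotes, backticks
# and semicolons in the search string are just ordinary characters.
sub search_topics {
    my ($val, $topics) = @_;
    my @hits;
    for my $name (sort keys %$topics) {
        push @hits, $name if $topics->{$name} =~ /\Q$val\E/;
    }
    return @hits;
}

# The advisory's example string: with the shell out of the picture it is only
# text, and since no topic contains it literally, the search returns nothing.
my $query = "test_vulnerability '; ls -la'";
my ($ok, $err) = check_search_string($query);
die "Refusing search: $err\n" unless $ok;
my @hits = search_topics($query, \%topics);
print "hits for advisory string: @hits\n";

# An ordinary query still works as expected.
print "hits for 'fgrep': ", join(" ", search_topics("fgrep", \%topics)), "\n";
```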

Authors and Credits

Markus Goetz, Joerg Hoh, Michael Holzt, Florian Laws, Hans Ulrich Niedermann, 
Andreas Thienemann, Peter Thoeny, Florian Weimer, Colas Nahaboo contributed 
to this advisory.

Hotfix

Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Sep-2004

*** TWiki20040901/Search.pm  2004-11-12 11:54:47.000000000 -0800
--- ./Search.pm 2004-11-12 12:08:29.000000000 -0800
***************
*** 434,439 ****
--- 434,446 ----
      my $tempVal = "";
      my $tmpl = "";
      my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/[\'\`]//g;                  # Filter ' and `
+     $theSearchVal =~ s/\@\(/\@\\\(/g;              # Defuse @( ... )
+     $theSearchVal = substr($theSearchVal, 0, 200); # Limit string length
+
      my $originalSearch = $theSearchVal;
      my $renameTopic;
      my $renameWeb = "";
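Review bot: the added `$theSearchVal =~ s/[\'\`]//g;` is a two-character blacklist, so whether it closes the hole depends entirely on how the command line built further down in this function quotes the value. If the value is wrapped in single quotes there, stripping ' and ` stops the advisory's example, but any place the value reaches the shell outside single quotes, or any metacharacter that matters there, is untouched, which is what the advisory's own "might not be a complete fix" caveat admits. Escaping the value for the shell, or not building a command line from it at all (the last countermeasure), would be the robust change.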

Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Feb-2003

*** TWiki20030201/Search.pm     2004-11-12 12:11:52.000000000 -0800
--- ./Search.pm 2004-11-12 12:12:20.000000000 -0800
***************
*** 135,140 ****
--- 135,147 ----
      my $tempVal = "";
      my $tmpl = "";
      my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/[\'\`]//g;                  # Filter ' and `
+     $theSearchVal =~ s/\@\(/\@\\\(/g;              # Defuse @( ... )
+     $theSearchVal = substr($theSearchVal, 0, 200); # Limit string length
+
      my $originalSearch = $theSearchVal;
      my $renameTopic;
      my $renameWeb = "";
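Review bot: `$theSearchVal = substr($theSearchVal, 0, 200); # Limit string length` truncates silently, so a legitimate search longer than 200 characters is run as a different query and a regex construct can be cut in half, which is exactly the breakage the Discussions section below reports. Return an error to the user when the limit is exceeded instead of shortening the string, and reconsider whether 200 is large enough for existing searches.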

Patch for twiki/lib/TWiki/Search.pm of TWiki Production Release 01-Dec-2001

*** TWiki20011201/Search.pm     2004-11-12 12:15:55.000000000 -0800
--- ./Search.pm 2004-11-12 12:16:45.000000000 -0800
***************
*** 133,138 ****
--- 133,145 ----
      my $tempVal = "";
      my $tmpl = "";
      my $topicCount = 0; # JohnTalintyre
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/[\'\`]//g;                  # Filter ' and `
+     $theSearchVal =~ s/\@\(/\@\\\(/g;              # Defuse @( ... )
+     $theSearchVal = substr($theSearchVal, 0, 200); # Limit string length
+
      my $originalSearch = $theSearchVal;
      my $renameTopic;
      my $renameWeb = "";
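Review bot: the comment on `$theSearchVal =~ s/\@\(/\@\\\(/g;  # Defuse @( ... )` says what the substitution does but not why `@(` is still dangerous once ' and ` have been removed; a later maintainer is likely to drop it as redundant. Document the threat the escape addresses, and state in the same comment which quoting of the value the downstream command line relies on, so the three lines can be reviewed as a unit.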

Patch for twiki/bin/wikisearch.pm of TWiki Production Release 01-Dec-2000

*** TWiki20001201/wikisearch.pm 2004-11-12 12:18:55.000000000 -0800
--- ./wikisearch.pm     2004-11-12 12:23:07.000000000 -0800
***************
*** 117,122 ****
--- 117,129 ----

      my $tempVal = "";
      my $tmpl = "";
+
+     # fix for Codev.SecurityAlertExecuteCommandsWithSearch
+     # vulnerability, search: "test_vulnerability '; ls -la'"
+     $theSearchVal =~ s/[\'\`]//g;                  # Filter ' and `
+     $theSearchVal =~ s/\@\(/\@\\\(/g;              # Defuse @( ... )
+     $theSearchVal = substr($theSearchVal, 0, 200); # Limit string length
+
      if( $doBookView ) {
          $tmpl = readTemplate( "searchbookview" );
      } else {
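Review bot: this is the fourth identical copy of the same three-line filter, pasted into each release's search module, with nothing but the comment tying the copies together, so any later tightening of the filter has to be repeated in four places and can silently diverge. Factor the sanitisation into one helper that every value bound for the shell passes through; the Discussions section points at SingleEntryPointForSystemCalls as an alternative patch taking that approach.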

-- PeterThoeny - 12 Nov 2004

Discussions

Refactored out SingleEntryPointForSystemCalls discussion.

-- PeterThoeny - 14 Nov 2004

I applied the Cairo fix and felt safe smile
... and forgot about the update.

Later some of my searches stopped working - very confusing at first. It was
$theSearchVal = substr($theSearchVal, 0, 200); # Limit string length
(a hard and quiet ruler) truncating my search-criteria and thus invalidating 
the search.

200 seems like a pretty small length for a searchstring - and if it has to be 
small, users should at least be warned and search stopped.

-- NielsKoldso - 14 Nov 2004

This has also stopped one of my searches from working. The second search on 
CodevBasicFormSearch has a search term with 272 characters.

I tried to create a search to find others that wouldn't work but 
SEARCH{\"[^\"]{200}.*\" doesn't appear to work as a search term. 
I'm guessing that the {200} expands the previous item before the 
security check. smile

-- SamHasler - 15 Nov 2004

Yes, please raise (or eliminate) the limit; this change breaks several of my 
TWikiApplications.

-- WillNorris - 15 Nov 2004

See SingleEntryPointForSystemCalls for an alternative patch against the Halloween 
beta. I'm using this on my site right now.

-- KennethPorter - 16 Nov 2004 

[***** End TWiki Security Alert *****]


CIAC wishes to acknowledge the contributions of TWiki.Org for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788