
CIAC INFORMATION BULLETIN

P-316: TWiki INCLUDE Function Allows Arbitrary Shell Command Execution

[TWiki-Announce Security Alert]

September 28, 2005 17:00 GMT

PROBLEM: The TWiki INCLUDE function enables a malicious user to compose a command line executed by the Perl backtick (``) operator. The rev parameter of the INCLUDE variable is not checked properly for shell metacharacters and is thus vulnerable to revision numbers containing pipes and shell commands.
PLATFORM: TWikiRelease03Sep2004 -- TWiki20040903.zip
TWikiRelease02Sep2004 -- TWiki20040902.zip
TWikiRelease01Sep2004 -- TWiki20040901.zip
TWikiRelease01Feb2003 -- TWiki20030901.zip
DAMAGE: An attacker is able to execute arbitrary shell commands with the privileges of the web server process, such as user nobody.
SOLUTION: Upgrade to the appropriate version.

VULNERABILITY
ASSESSMENT:
The risk is MEDIUM. An attacker is able to execute arbitrary shell commands with the privileges of the web server process, such as user nobody.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/p-316.shtml
  ORIGINAL BULLETIN: http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithInclude
  CVE: CVE-2005-3056

[***** Start TWiki-Announce Security Alert *****]

Security Alert: TWiki INCLUDE function allows arbitrary shell command execution

Please join the twiki-announce list: To get immediate alerts of high priority security issues, please join the low-volume twiki-announce list - details at TWikiAnnounceMailingList.

This advisory alerts you of a potential security issue with your TWiki installation: The TWiki INCLUDE function allows arbitrary shell command execution. Please see also the unrelated security audit on visible lib directories, SecurityAuditOnVisibleLibDir.

Vulnerable Software Version

TWikiRelease03Sep2004 -- TWiki20040903.zip
TWikiRelease02Sep2004 -- TWiki20040902.zip
TWikiRelease01Sep2004 -- TWiki20040901.zip
TWikiRelease01Feb2003 -- TWiki20030201.zip

Not affected are:
  - Recent DakarReleases (upcoming production release, soon)
  - TWikiRelease01Sep2004 patched with Florian Weimer's UncoordinatedSecurityAlert23Feb2005

Attack Vectors

Editing wiki pages and HTTP GET requests towards the Wiki server (typically port 80/TCP). Typically, prior authentication is necessary (including anonymous TWikiGuest accounts).

Impact

An attacker is able to execute arbitrary shell commands with the privileges of the web server process, such as user nobody.

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-3056 to this vulnerability.

Details

The TWiki INCLUDE function enables a malicious user to compose a command line executed by the Perl backtick (``) operator. The rev parameter of the INCLUDE variable is not checked properly for shell metacharacters and is thus vulnerable to revision numbers containing pipes and shell commands. The exploit is possible on included topics with two or more revisions.

Example INCLUDE variable exploiting the rev parameter:

  %INCLUDE{ "Main.TWikiUsers" rev="2|less /etc/passwd" }%

The same vulnerability is exposed to all Plugins and add-ons that use the TWiki::Func::readTopicText function to read a previous topic revision. This has been tested on TWiki:Plugins.RevCommentPlugin and TWiki:Plugins.CompareRevisionsAddon.

If access to TWiki is not restricted by other means, attackers can use the revision function with or without prior authentication, depending on the configuration.

See Also: IncludePreviousTopicRevision, SecurityAlertExecuteCommandsWithRev, SecurityAlertExecuteCommandsWithSearch, UncoordinatedSecurityAlert23Feb2005
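
The following Perl is an added illustration written for this bulletin, not code from TWiki or from the advisory's authors. It shows the shape of the defect described above (a revision string interpolated into a backtick command line, so that /bin/sh interprets a pipe in it) next to a hardened version that accepts only a plain revision number and runs the checkout with list-form open(), which never involves a shell. The `co -q -p1.N FILE` command line and the mapping from rev=N to RCS revision 1.N are assumptions for the example; TWiki's real command is configuration-dependent.

```perl
#!/usr/bin/perl
# Added example, not TWiki's own code: an unchecked INCLUDE rev value
# reaching the shell through backticks, beside a hardened replacement.
use strict;
use warnings;

# Illustrative RCS checkout command; the exact command line TWiki builds
# is configuration-dependent and is an assumption here.
my @CO = ('co', '-q');

# Vulnerable pattern (the shape the advisory describes): the revision
# string is interpolated into a command line that the backtick operator
# hands to /bin/sh, so a value such as "2|less /etc/passwd" becomes a
# pipeline. Kept only for contrast; not called below.
sub read_revision_unsafe {
    my ($rcs_file, $rev) = @_;
    return `@CO -p1.$rev $rcs_file`;   # metacharacters in $rev reach sh
}

# Hardened: accept only a plain revision number (this also untaints it
# under perl -T), then exec the command with list-form open(), which
# bypasses the shell entirely so no metacharacter is ever interpreted.
sub validate_rev {
    my ($rev) = @_;
    return undef unless defined $rev && $rev =~ /^\s*(\d{1,9})\s*$/;
    return $1 + 0;
}

sub read_revision_safe {
    my ($rcs_file, $rev) = @_;
    my $n = validate_rev($rev);
    die "INCLUDE: invalid rev parameter\n" unless defined $n;
    open(my $fh, '-|', @CO, "-p1.$n", $rcs_file)
        or die "cannot run $CO[0]: $!\n";
    my $text = do { local $/; <$fh> };
    close($fh) or die "checkout failed (exit status $?)\n";
    return $text;
}

# Demonstration on constructed inputs: only the validator is exercised,
# so this part runs without an RCS installation.
for my $rev ('2', ' 7 ', '2|less /etc/passwd', '1.2', '') {
    my $n = validate_rev($rev);
    printf "rev=%-22s -> %s\n", "\"$rev\"",
        defined $n ? "accepted as revision $n" : "rejected";
}
```

The important design choice is that the hardened path does both things: it rejects anything that is not digits (so the value is safe even if it later ends up in a string again) and it avoids the shell altogether (so the fix does not depend on the completeness of a metacharacter blacklist, which is exactly the weakness the hotfix note below warns about).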

Countermeasures

  - Apply hotfix (see patches below).
    NOTE: The hotfix is known to prevent the current attacks, but it might not be a complete fix.
  - Upgrade to the latest patched production TWikiRelease04Sep2004.
    NOTE: If you are running an unmodified TWikiRelease01Sep2004, TWikiRelease02Sep2004 or TWikiRelease03Sep2004, simply copy the following patched files from TWikiRelease04Sep2004 to your installation: lib/TWiki.pm, lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm, lib/TWiki/UI/View.pm, lib/TWiki/UI/Viewfile.pm
  - Apply patch of UncoordinatedSecurityAlert23Feb2005 (but see known issues of that patch).
  - Filter access to the web server: use the web server software to restrict access to the web pages served by TWiki.
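
Because the attack is stored in topic text (the INCLUDE variable is written into a wiki page and fires whenever the page is rendered), an administrator applying the countermeasures above will also want to know whether such a payload is already sitting in the data directory. The script below is an added example, not part of the advisory or of TWiki: it scans topic text for INCLUDE variables whose rev parameter is anything other than a plain number and reports them by line. The file name scan_includes.pl and the data/*/*.txt path are assumptions; the sample topic text is constructed for the example and reuses the advisory's own example payload.

```perl
#!/usr/bin/perl
# Added example, not part of the advisory or of TWiki: scan stored topic
# text for INCLUDE variables whose rev parameter is not a plain revision
# number, which is the shape the attack on this page takes.
use strict;
use warnings;

# Returns a list of [line_number, rev_value] pairs for every INCLUDE
# whose rev value contains anything other than digits.
sub find_suspicious_includes {
    my ($topic_text) = @_;
    my @hits;
    my $line_no = 0;
    for my $line (split /\n/, $topic_text) {
        $line_no++;
        # Walk every %INCLUDE{ ... }% on the line and pull out its arguments.
        while ($line =~ /%INCLUDE\{(.*?)\}%/g) {
            my $args = $1;
            next unless $args =~ /\brev\s*=\s*"([^"]*)"/;
            my $rev = $1;
            push @hits, [$line_no, $rev] unless $rev =~ /^\d+$/;
        }
    }
    return @hits;
}

# Constructed sample topic text (not real site data); the second INCLUDE
# carries the advisory's example payload.
my $sample = <<'EOT';
%INCLUDE{ "Main.TWikiUsers" rev="2" }%
Some ordinary topic text.
%INCLUDE{ "Main.TWikiUsers" rev="2|less /etc/passwd" }%
%INCLUDE{ "Main.WebNotify" }%
EOT

# Usage: perl scan_includes.pl data/*/*.txt   (script name and path assumed)
# With no arguments the constructed sample above is scanned instead.
if (@ARGV) {
    for my $file (@ARGV) {
        open(my $fh, '<', $file) or do { warn "$file: $!\n"; next };
        my $text = do { local $/; <$fh> };
        close($fh);
        for my $hit (find_suspicious_includes($text)) {
            printf "%s:%d: suspicious INCLUDE rev=\"%s\"\n", $file, @$hit;
        }
    }
} else {
    for my $hit (find_suspicious_includes($sample)) {
        printf "sample:%d: suspicious INCLUDE rev=\"%s\"\n", @$hit;
    }
}
```

On the constructed sample the script reports only line 3. Run against the RCS history files as well as the current .txt topics if you want to catch a payload that was added and then edited out again, since the advisory notes that older revisions remain readable through the same code path.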

Authors and Credits

  - Credit to TWiki:Main.JChristophFuchs (jcf@ipp.mpgSTOPSPAM.de) and TWiki:Main.JoseLuna (luna@aditelSTOPSPAM.org) for disclosing the issue to the twiki-security@lists.sourceforgeSTOPSPAM.net mailing list
  - TWiki:Main.JoseLuna for contributing a more robust patch to the recent SecurityAlertExecuteCommandsWithRev issue (included in this patch)
  - TWiki:Main.PeterThoeny, TWiki:Main.JoseLuna, TWiki:Main.CrawfordCurrie for contributing to the advisory and the patch

Hotfix

Patch for TWiki Production Release 03-Sep-2004

Affected files: twiki/lib/TWiki.pm, twiki/lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm, lib/TWiki/UI/View.pm, lib/TWiki/UI/Viewfile.pm
See attached patch file TWiki200409-03-04patch.txt

Patch for TWiki Production Release 02-Sep-2004

Affected files: twiki/lib/TWiki.pm, twiki/lib/TWiki/Store.pm, lib/TWiki/UI/RDiff.pm, lib/TWiki/UI/View.pm, lib/TWiki/UI/Viewfile.pm
See attached patch file TWiki200409-02-04patch.txt

Patch for TWiki Production Release 01-Feb-2003

Note: This assumes that the release is already patched with the SecurityAlertExecuteCommandsWithRev fix.
Affected files: twiki/lib/TWiki/Store.pm, twiki/bin/rdiff, twiki/bin/view, twiki/bin/viewfile
See attached patch file TWiki200302-01-04patch.txt

-- PeterThoeny - 27 Sep 2005

Action Plan with Timeline

  #  | Action | Date/Deadline | Status | Who
  1. | User discloses issue to TWikiSecurityMailingList | 2005-09-14 | Done | JChristophFuchs
  2. | Verify issue | 2005-09-19 | Done | PeterThoeny
  1. | User discloses issue and proposed fix to TWikiSecurityMailingList | 2005-09-20 | Done | JoseLuna
  3. | Create hotfix for affected TWikiProductionReleases | 2005-09-20 | Done | PeterThoeny, JoseLuna
  4. | Create patched production TWikiRelease04Sep2004 | 2005-09-23 | Done | PeterThoeny
  5. | Compile e-mail list of administrators of public TWiki sites (based on Google search and TWikiInstallation directory, total 690) | 2005-09-25 | Done | PeterThoeny
  6. | Initial alert: Alert TWikiDevMailingList members and administrators of public TWiki sites by e-mail | 2005-09-25 evening PDT | Done | PeterThoeny
  7. | Send alert to TWikiAnnounceMailingList and TWikiDevMailingList | 2005-09-27 evening PDT | Done | PeterThoeny
  8. | Publish advisory in Codev web and update all related topics | 2005-09-27 evening PDT | Done | PeterThoeny
  9. | Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) | 2005-09-28 | Done | PeterThoeny

External Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3056
http://secunia.com/advisories/16980/

-- PeterThoeny - 28 Sep 2005

[***** End TWiki-Announce Security Alert *****]

CIAC wishes to acknowledge the contributions of TWiki for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/