TWiki MAKETEXT Variable Allows Arbitrary Shell Command Execution

2012.12.14
Credit: Peter Thoeny
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

This security advisory alerts you of a potential security issue with TWiki installations: The %MAKETEXT{}% TWiki variable allows arbitrary shell command execution. The problem is caused by an underlying security issue in the Locale::Maketext CPAN module. * Vulnerable Software Version * Attack Vectors * Impact * Severity Level * MITRE Name for this Vulnerability * Details * Countermeasures * Hotfix for TWiki Production Releases 5.1.x * Hotfix for older affected TWiki Releases * Authors and Credits * Action Plan with Timeline * External Links * Feedback ---++ Vulnerable Software Version * TWiki-5.1.0 to TWiki-5.1.2 (TWikiRelease05x01x00 to TWikiRelease05x01x02) * TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02) * TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02) * TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04) * TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02) * TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05) ---++ Attack Vectors Editing wiki pages and HTTP POST requests towards a TWiki server with enabled localization (typically port 80/TCP). Typically, prior authentication is necessary. ---++ Impact An unauthenticated remote attacker can execute arbitrary shell commands as the webserver user, such as user nobody. ---++ Severity Level The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess [1] and assigned the following severity level: * Severity 1 issue: The web server can be compromised ---++ MITRE Name for this Vulnerability The Common Vulnerabilities and Exposures project has assigned the name CVE-2012-6329 [7] to this vulnerability. ---++ Details 1. Shell Command execution: The %MAKETEXT{}% TWiki variable is used to localize user interface content to a language of choice. Using a specially crafted MAKETEXT, a malicious user can execute shell commands by Perl backtick (``) operators. User input is passed to the Perl "eval" command without first being sanitized. The problem is caused by an underlying security issue in the Locale::Maketext CPAN module. This works only in TWiki sites that have user interface localization enabled. In addition, there are two less severe issues with MAKETEXT: 2. Excessive memory allocation: %MAKETEXT{"This is [_9999999999999999] Evil"}% will consume all memory and swap space attempting to initialize all missing entries in the parameters array. 3. Crash: %MAKETEXT{"This is [_0] problematic"}% can cause a crash under some circumstances. ---++ Countermeasures * One of: * Disable localization by setting configure flag {UserInterfaceInternationalisation} to 0. * Apply hotfix (see patch below). * Upgrade to the latest patched production release TWiki-5.1.3 (TWikiRelease05x01x03) [2] when available. * In addition: * Install CPAN's Locale::Maketext version 1.23 or newer. * Use the {SafeEnvPath} configure setting to restrict the possible directories that are searched for executables. By default, this is the PATH used by the webserver user. Set {SafeEnvPath} to a list of non-writable directories, such as "/bin:/usr/bin". ---++ Hotfix for TWiki Production Release 5.1.x Affected file: twiki/lib/TWiki.pm Patch to sanitize MAKETEXT parameters: =======( CUT 8><--- )=============================================== --- TWiki.pm (revision 24029) +++ TWiki.pm (working copy) @@ -4329,8 +4329,23 @@ # unescape parameters and calculate highest parameter number: my $max = 0; - $str =~ s/~\[(\_(\d+))~\]/ $max = $2 if ($2 > $max); "[$1]"/ge; - $str =~ s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 > $max); "[$1]"/ge; + my $min = 1; + $str =~ s/~\[(\_(\d+))~\]/ + $max = $2 if ($2 > $max); + $min = $2 if ($2 < $min); + "[$1]"/ge; + $str =~ s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ + $max = $2 if ($2 > $max); + $min = $2 if ($2 < $min); + "[$1]"/ge; + + # Item7080: Sanitize MAKETEXT variable: + return "MAKETEXT error: No more than 32 parameters are allowed" if( $max > 32 ); + return "MAKETEXT error: Parameter 0 is not allowed" if( $min < 1 ); + if( $TWiki::cfg{UserInterfaceInternationalisation} ) { + eval { require Locale::Maketext; }; + $str =~ s#\\#\\\\#g if( $@ || !$@ && $Locale::Maketext::VERSION < 1.23 ); + } # get the args to be interpolated. my $argsStr = $params->{args} || ""; =======( CUT 8><--- )=============================================== This patch is also available separately [3] in case this gets mangled by the e-mail. On a properly patched system, %MAKETEXT{" [_99] "}% should return this error: "MAKETEXT error: No more than 32 parameters are allowed" ---++ Hotfix for older affected TWiki Releases Apply above patch (line numbers may vary). ---++ Authors and Credits * Credit to TWiki:Main.GeorgeClark for disclosing the issue to the twiki-security () lists sourceforge net mailing list, and for providing a proposed fix. * TWiki:Main.PeterThoeny for creating the fix, patch and advisory. ---++ Action Plan with Timeline * 2012-12-10: User discloses issue to TWikiSecurityMailingList [4], George Clark, Foswiki * 2012-12-10: Developer verifies issue, Peter Thoeny * 2012-12-10: Developer fixes code, Peter Thoeny * 2012-12-10: Security team creates advisory with hotfix, Peter Thoeny * 2012-12-11: Developer verifies patch, Hideyo Imazu * 2012-12-12: Send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6], Peter Thoeny * 2012-12-14: Publish advisory in Codev web and update all related topics, Peter Thoeny * 2012-12-14: Issue a public security advisory to full- disclosure[at]lists.grok.org.uk, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, Peter Thoeny ---++ External Links [1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess [2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease05x01x03 [3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329 [4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList [5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList [6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList [7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329 - CVE on MITRE.org ---++ Feedback Please provide feedback at the security alert topic, http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329 -- Main.PeterThoeny - 2012-12-14 -- * Peter Thoeny - peter09[at]thoeny.org * http://TWiki.org - is your team already TWiki enabled? * Knowledge cannot be managed, it can be discovered and shared * This e-mail is: (_) private (x) ask first (_) public

References:

http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329
http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top