Twiki Perl Code Execution

2014.10.10
Credit: Peter Thoeny
Risk: High
Local: No
Remote: Yes
CWE: CWE-74


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

This is an advisory for TWiki administrators: The debugenableplugins request parameter allows arbitrary Perl code execution. TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people. * Vulnerable Software Version * Attack Vectors * Impact * Severity Level * MITRE Name for this Vulnerability * Details * Countermeasures * Hotfix for TWiki Production Release 6.0.0 * Hotfix for Older Affected TWiki Releases * Verify Hotfix * Authors and Credits * Action Plan with Timeline * External Links * Feedback ---++ Vulnerable Software Version * TWiki-6.0.0 (TWikiRelease06x00x00) * TWiki-5.1.x (TWikiRelease05x01x00 to TWikiRelease05x01x04) * TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02) * TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02) * TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04) * TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02) * TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05) ---++ Attack Vectors Using an HTTP GET request towards a TWiki server, add a specially crafted 'debugenableplugins' request parameter to TWiki's view script (typically port 80/TCP). Prior authentication may or may not be necessary. ---++ Impact A remote attacker can execute arbitrary Perl code to view and modify any file the webserver user has access to. ---++ Severity Level The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess [1] and assigned the following severity level: * Severity 1 issue: The web server can be compromised ---++ MITRE Name for this Vulnerability The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7236 [7] to this vulnerability. ---++ Details It is possible to execute arbitrary Perl code by adding a =debugenableplugins= parameter with a specially crafted value. Example: http://www.example.com/do/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit The TWiki site is vulnerable if you see a page with text "Vulnerable!". __Background:__ TWiki allows enabling specific plugins for debug purposes using a 'debugenableplugins' parameter that lists the plugins to enable. In order to support this dynamic loading of plugins, TWiki inserts the plugin name into the following Perl =eval= statement without sanitizing the plugin name: <verbatim> my $p = $this->{module}; eval "use $p;"; </verbatim> ---++ Countermeasures * Apply hotfix (see patch below). * Upgrade to the latest patched production release TWiki-6.0.1 (TWikiRelease06x00x01) [2] ---++ Hotfix for TWiki Production Release 6.0.0 Apply the patch listed in the TWiki bug item at TWikibug:Item7558 [8]. The patch is also listed here, but due to whitespace changes in e-mail it is not recommended to use below patch. NOTE: In case you use a Perl accelerator make sure to clear the script cache. For example, in case of SpeedyCGI remove the speedy cache (tmp/speedy.*) before restarting Apache. Affected file: twiki/lib/TWiki/Plugins.pm Patch to sanitize the 'debugenableplugins' parameter: =======( 8>< CUT )=============================================== --- TWiki/Plugins.pm.save1 2014-01-09 02:10:56.000000000 -0500 +++ TWiki/Plugins.pm 2014-10-01 20:30:36.000000000 -0400 @@ -186,8 +186,11 @@ unless( $allDisabled ) { if ( $query && defined( $query->param( 'debugenableplugins' ))) { - @pluginList = split( /[,\s]+/, - $query->param( 'debugenableplugins' )); + @pluginList = + grep { /Plugin$/ } + map { s/[^a-zA-Z0-9]//go; $_ } # Item7558: Sanitize parameter + split( /[,\s]+/, $query->param( 'debugenableplugins' )); + } else { if( $TWiki::cfg{PluginsOrder} ) { foreach my $plugin( split( /[,\s]+/, =======( 8>< CUT )=============================================== ---++ Hotfix for Older Affected TWiki Releases Apply above patch (line numbers may vary). ---++ Verify Hotfix To verify the patch add the following parameter to any TWiki topic: ?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit The site is vulnerable if a page is returned with text "Vulnerable!" ---++ Authors and Credits * Credit to Netanel Rubin (netanelr[at]checkpoint.com) for disclosing the issue to the twiki-security@lists.sourceforge.netmailing list * PeterThoeny for creating the fix, patch and advisory * HideyoImazu for creating the TWiki-6.0.1 production release [2] ---++ Action Plan with Timeline * 2014-10-01 - Netanel Rubin of Check Point Software discloses issue to TWikiSecurityMailingList [4] * 2014-10-01 - developer verifies issue - PeterThoeny * 2014-10-01 - developer fixes code - PeterThoeny * 2014-10-05 - developer creates new TWiki-6.0.1 patch release [2] with fix - HideyoImazu * 2014-10-06 - security team creates advisory with hotfix - PeterThoeny * 2014-10-07 - send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6] - PeterThoeny * 2014-10-09 - publish advisory in Codev web and update all related topics - PeterThoeny * 2014-10-09 - issue a public security advisory to fulldisclosure[at]seclists.org, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - PeterThoeny ---++ External Links [1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess [2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease06x00x01 [3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 (will be created on 2014-10-09) [4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList [5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList [6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList [7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7236 - CVE on MITRE.org [8]: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7558 ---++ Feedback Please provide feedback at the security alert topic, http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 once it exists (this topic will be created on Mon, 2014-10-09). Please send an e-mail to twiki-security@lists.sourceforge.net if you have any questions before Monday. -- Peter Thoeny - 2014-10-09 -- > Peter Thoeny - Peter09[at]Thoeny.org > http://bit.ly/MrTWiki - consulting on enterprise collaboration > http://TWiki.org - is your team already TWiki enabled? > Knowledge cannot be managed, it can be discovered and shared > This e-mail is: (_) private (_) ask first (x) public


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top