TWiki exploit (search.pm / CAN-2004-1037)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: TWiki exploit (search.pm / CAN-2004-1037)
From: Roman Medina-Heigl Hernandez <roman@xxxxxxxxxxx>
Date: Fri, 19 Nov 2004 21:12:00 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Bugtraqers,

I discovered the recently published vulnerability in TWiki (read more about
it on [1]) and coded a simple working exploit some time ago. It is attached
here or you can download it from [2].

The exploit is written in Perl and has been tested on both Linux and Win32.
Run with no arguments to see supported options. It's beta but it works
(against TWiki "BeijingRelease" [3]; I did a quick test against "Cairo-
Release" [4] and it didn't work for it).

In a normal run, it will open what I call a "pseudo-shell". It isn't really
a shell; each command that we enter is sent independently to the victim server
in a GET or POST request (yes, it works on POST, too) and HTTP response will
be parsed so only the result of the command will be showed (well, there are
some cases where it could fail). The second mode of operation is to create a
PHPShell for you; then you can use it to run arbitrary commands (web-server
must support PHP in this last case).

Please note that in pseudo-shell mode, some characters (like ">") are not
allowed because they are filtered by TWiki code. You can bypass this behaviour
by using some tricks or use the PHP-shell mode, where you don't have any
restriction. For instance, in pseudo-shell mode, this won't work:
"echo hi > /tmp/greetz". But you can use something like:
"echo hi | tee /tmp/greetz", which is quite similar and _do_ work. Another
way to bypass char restrictions is to invoke perl (read exploit code; I've
used this trick to run the command that will create the file containing
PHPShell). There are more ways, only be creative.

I was in the process of adding a third method (a Win32/Unix compatible connect
back shell) but I didn't have time to finish it. I'm still very busy so this
feature will have to wait for some time (it is not easy to bypass some short-
comings in ActivePerl).

Btw, exploit has proxy support (with or without auth), basic HTTP auth and
you can run against HTTP or HTTPS servers. Give it a try! :-)

References:
[1] http://www.rs-labs.com/noticias/the_true_story_of_TWiki_vuln.txt
[2] http://www.rs-labs.com/exploitsntools/tweaky.pl
[3] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Feb2003
[4] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Sep2004

Regards,
 --Roman

- --
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBQZ5DvuR/in3q1WdCEQIIrQCg4ERhNp4SDwHOAj3k9z9m1n8tYVcAn0D3
o5RLsw/e4c6XgVgGuM99haTa
=ninJ
-----END PGP SIGNATURE-----

Attachment: tweaky.pl
Description: Binary data

Prev by Date: [ GLSA 200411-29 ] unarj: Long filenames buffer overflow and a path traversal vulnerability
Next by Date: Re: SLMail 5.x POP3 Remote Pass Buffer Overflow Exploit
Previous by thread: [ GLSA 200411-29 ] unarj: Long filenames buffer overflow and a path traversal vulnerability
Next by thread: IpbProArace 2.5.x SQL injection.
Index(es):
- Date
- Thread