-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Bugtraqers, I discovered the recently published vulnerability in TWiki (read more about it on [1]) and coded a simple working exploit some time ago. It is attached here or you can download it from [2]. The exploit is written in Perl and has been tested on both Linux and Win32. Run with no arguments to see supported options. It's beta but it works (against TWiki "BeijingRelease" [3]; I did a quick test against "Cairo- Release" [4] and it didn't work for it). In a normal run, it will open what I call a "pseudo-shell". It isn't really a shell; each command that we enter is sent independently to the victim server in a GET or POST request (yes, it works on POST, too) and HTTP response will be parsed so only the result of the command will be showed (well, there are some cases where it could fail). The second mode of operation is to create a PHPShell for you; then you can use it to run arbitrary commands (web-server must support PHP in this last case). Please note that in pseudo-shell mode, some characters (like ">") are not allowed because they are filtered by TWiki code. You can bypass this behaviour by using some tricks or use the PHP-shell mode, where you don't have any restriction. For instance, in pseudo-shell mode, this won't work: "echo hi > /tmp/greetz". But you can use something like: "echo hi | tee /tmp/greetz", which is quite similar and _do_ work. Another way to bypass char restrictions is to invoke perl (read exploit code; I've used this trick to run the command that will create the file containing PHPShell). There are more ways, only be creative. I was in the process of adding a third method (a Win32/Unix compatible connect back shell) but I didn't have time to finish it. I'm still very busy so this feature will have to wait for some time (it is not easy to bypass some short- comings in ActivePerl). Btw, exploit has proxy support (with or without auth), basic HTTP auth and you can run against HTTP or HTTPS servers. Give it a try! :-) References: [1] http://www.rs-labs.com/noticias/the_true_story_of_TWiki_vuln.txt [2] http://www.rs-labs.com/exploitsntools/tweaky.pl [3] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Feb2003 [4] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Sep2004 Regards, --Roman - -- PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ] -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBQZ5DvuR/in3q1WdCEQIIrQCg4ERhNp4SDwHOAj3k9z9m1n8tYVcAn0D3 o5RLsw/e4c6XgVgGuM99haTa =ninJ -----END PGP SIGNATURE-----
Attachment:
tweaky.pl
Description: Binary data