Twiki Perl Code Execution

`This is an advisory for TWiki administrators: The debugenableplugins request parameter allows arbitrary Perl code execution.  
  
TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people.  
  
* Vulnerable Software Version  
* Attack Vectors  
* Impact  
* Severity Level  
* MITRE Name for this Vulnerability  
* Details  
* Countermeasures  
* Hotfix for TWiki Production Release 6.0.0  
* Hotfix for Older Affected TWiki Releases  
* Verify Hotfix  
* Authors and Credits  
* Action Plan with Timeline  
* External Links  
* Feedback  
  
---++ Vulnerable Software Version  
  
* TWiki-6.0.0 (TWikiRelease06x00x00)  
* TWiki-5.1.x (TWikiRelease05x01x00 to TWikiRelease05x01x04)  
* TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02)  
* TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02)  
* TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04)  
* TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02)  
* TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05)  
  
---++ Attack Vectors  
  
Using an HTTP GET request towards a TWiki server, add a specially crafted 'debugenableplugins' request parameter to TWiki's view script (typically port 80/TCP). Prior authentication may or may not be necessary.  
  
---++ Impact  
  
A remote attacker can execute arbitrary Perl code to view and modify any file the webserver user has access to.  
  
---++ Severity Level  
  
The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess [1] and assigned the following severity level:  
  
* Severity 1 issue: The web server can be compromised   
  
---++ MITRE Name for this Vulnerability  
  
The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7236 [7] to this vulnerability.   
  
---++ Details  
  
It is possible to execute arbitrary Perl code by adding a =debugenableplugins= parameter with a specially crafted value. Example:  
  
http://www.example.com/do/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit  
  
The TWiki site is vulnerable if you see a page with text "Vulnerable!".  
  
__Background:__  
  
TWiki allows enabling specific plugins for debug purposes using a 'debugenableplugins' parameter that lists the plugins to enable. In order to support this dynamic loading of plugins, TWiki inserts the plugin name into the following Perl =eval= statement without sanitizing the plugin name:  
<verbatim>  
my $p = $this->{module};  
eval "use $p;";  
</verbatim>  
  
---++ Countermeasures  
  
* Apply hotfix (see patch below).  
* Upgrade to the latest patched production release TWiki-6.0.1 (TWikiRelease06x00x01) [2]  
  
---++ Hotfix for TWiki Production Release 6.0.0  
  
Apply the patch listed in the TWiki bug item at TWikibug:Item7558 [8]. The patch is also listed here, but due to whitespace changes in e-mail it is not recommended to use below patch.  
  
NOTE: In case you use a Perl accelerator make sure to clear the script cache. For example, in case of SpeedyCGI remove the speedy cache (tmp/speedy.*) before restarting Apache.  
  
Affected file: twiki/lib/TWiki/Plugins.pm  
  
Patch to sanitize the 'debugenableplugins' parameter:  
  
=======( 8>< CUT )===============================================  
--- TWiki/Plugins.pm.save1 2014-01-09 02:10:56.000000000 -0500  
+++ TWiki/Plugins.pm 2014-10-01 20:30:36.000000000 -0400  
@@ -186,8 +186,11 @@  
  
unless( $allDisabled ) {  
if ( $query && defined( $query->param( 'debugenableplugins' ))) {  
- @pluginList = split( /[,\s]+/,  
- $query->param( 'debugenableplugins' ));  
+ @pluginList =  
+ grep { /Plugin$/ }  
+ map { s/[^a-zA-Z0-9]//go; $_ } # Item7558: Sanitize parameter  
+ split( /[,\s]+/, $query->param( 'debugenableplugins' ));  
+  
} else {  
if( $TWiki::cfg{PluginsOrder} ) {  
foreach my $plugin( split( /[,\s]+/,  
=======( 8>< CUT )===============================================  
  
---++ Hotfix for Older Affected TWiki Releases  
  
Apply above patch (line numbers may vary).  
  
---++ Verify Hotfix  
  
To verify the patch add the following parameter to any TWiki topic:  
  
?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit  
  
The site is vulnerable if a page is returned with text "Vulnerable!"  
  
---++ Authors and Credits  
  
* Credit to Netanel Rubin (netanelr[at]checkpoint.com) for disclosing the issue to the [email protected] list  
* PeterThoeny for creating the fix, patch and advisory  
* HideyoImazu for creating the TWiki-6.0.1 production release [2]  
  
---++ Action Plan with Timeline  
  
* 2014-10-01 - Netanel Rubin of Check Point Software discloses issue to TWikiSecurityMailingList [4]  
* 2014-10-01 - developer verifies issue - PeterThoeny  
* 2014-10-01 - developer fixes code - PeterThoeny  
* 2014-10-05 - developer creates new TWiki-6.0.1 patch release [2] with fix - HideyoImazu  
* 2014-10-06 - security team creates advisory with hotfix - PeterThoeny  
* 2014-10-07 - send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6] - PeterThoeny  
* 2014-10-09 - publish advisory in Codev web and update all related topics - PeterThoeny  
* 2014-10-09 - issue a public security advisory to fulldisclosure[at]seclists.org, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - PeterThoeny  
  
---++ External Links  
  
[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess  
[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease06x00x01  
[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 (will be created on 2014-10-09)  
[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList  
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList  
[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList  
[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7236 - CVE on MITRE.org  
[8]: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7558  
  
---++ Feedback  
  
Please provide feedback at the security alert topic, http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 once it exists (this topic will be created on Mon, 2014-10-09).  
  
Please send an e-mail to [email protected] if you have any questions before Monday.  
  
-- Peter Thoeny - 2014-10-09  
  
  
--  
> Peter Thoeny - Peter09[at]Thoeny.org  
> http://bit.ly/MrTWiki - consulting on enterprise collaboration  
> http://TWiki.org - is your team already TWiki enabled?  
> Knowledge cannot be managed, it can be discovered and shared  
> This e-mail is: (_) private (_) ask first (x) public  
`