TWiki /bin/configure脚本文件泄露漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1115929 漏洞类型 路径遍历
发布时间 2008-08-19 更新时间 2008-09-18
CVE编号 CVE-2008-3195 CNNVD-ID CNNVD-200809-236
漏洞平台 CGI CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/6269
https://www.securityfocus.com/bid/84901
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200809-236
|漏洞详情
TWiki是一款灵活易用、功能强大的企业协作平台和知识管理系统。TWiki软件没有正确地验证某些URL输入,如果访问了包含有TWiki配置脚本的URL的话,攻击者就可以读取任意文件。以下是/bin/configure脚本中的有漏洞代码:if($actioneq'image'){#SMELL:thiscalliscorrect,butcausesaperlerror#onsomeversionsofCGI.pm#print$query->header(-type=>$query->param('type'));#Sousethisinstead:print'Content-type:'.$query->param('type')."\n\n";if(open(F,'logos/'.$query->param('image'))){local$/=undef;print;(F);}exit0;}漏洞位于open()函数中。用户可以设置$query->param('type'),因此可以设置为text/plain。如果将image变量设置为文件路径的话,就可以查看该文件。
|漏洞EXP
################################################################################################################
#                                                                                                              #
#                                 TWiki 4.2.0 File Disclosure Vuln (configure)                                 #
#                                                                                                              #
################################################################################################################

	"We're brazilian newbies!!! :p" - Th1nk3r

Info
----------------------------------------------------------------------------------------------------------------
Classe    :  Input Validation Error 
Remote    :  Yes
Local     :  No
Date      :  05/08/2008
Credits   :  Th1nk3r  (cnwfhguohrugbo / gmail.com)
Greetz    :  w4n73d h4ck3r, Vitor, Vonnatur, FuradordeSyS, B470-Killer, M4v3rick.

Description
----------------------------------------------------------------------------------------------------------------
	TWiki version 4.2.0 (I haven't tested other versions) is vulnerable to a File Disclosure. It's only possible
to exploit the bug if you can access the "/bin/configure" script.
Otherwise, you can not exploit this bug.
	Vulnerable code of "/bin/configure" script:

	if( $action eq 'image' ) {
    		# SMELL: this call is correct, but causes a perl error
    		# on some versions of CGI.pm
    		# print $query->header(-type => $query->param('type'));
    		# So use this instead:
    		print 'Content-type: '.$query->param('type')."\n\n";
    	if( open(F, 'logos/'.$query->param('image' ))) {
        	local $/ = undef;
        	print <F>;
        	close(F);
    	}
    	exit 0;
}

	The bug is in the open() function. The file is set by visitor, and there is no protection added
by the programmer.
	Note that "$query->param('type')" can be set by the visitor. Therefore, you'll set it to "text/plain".



Exploit
----------------------------------------------------------------------------------------------------------------

	To exploit the bug, you just need set the "image" variable to the path of file you wish to view. 
	The file will be revealed if you have permission to view it.
	
	By example, to show the "/etc/passwd" file content, go to :
	http://www.examplo.org/{PATH}/bin/configure?action=image;image=../../../../../../etc/passwd;type=text/plain



Solution
----------------------------------------------------------------------------------------------------------------
	Read "http://twiki.org/cgi-bin/view/TWiki/TWikiInstallationGuide", Basic Installation, topic 8, for 
more information of how to protect your "configure" script.

# milw0rm.com [2008-08-19]
|受影响的产品
TWiki TWiki 4.2.2 TWiki TWiki 4.2.1 TWiki TWiki 4.2 TWiki TWiki 4.1.2 TWiki TWiki 4.1.1 TWiki TWiki 4.1 TWiki TWiki 4.0.5 TWiki TWiki 4.
|参考资料

来源:US-CERT
名称:VU#362012
链接:http://www.kb.cert.org/vuls/id/362012
来源:CONFIRM
名称:http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x02x03#4_2_3_Bugfix_Highlights
链接:http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x02x03#4_2_3_Bugfix_Highlights
来源:twiki.org
链接:http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-3195
来源:XF
名称:twiki-configure-image-command-execution(45183)
链接:http://xforce.iss.net/xforce/xfdb/45183
来源:XF
名称:twiki-configure-directory-traversal(45182)
链接:http://xforce.iss.net/xforce/xfdb/45182
来源:MILW0RM
名称:6269
链接:http://www.milw0rm.com/exploits/6269
来源:www.kb.cert.org
链接:http://www.kb.cert.org/vuls/id/RGII-7JEQ7L
来源:VUPEN
名称:ADV-2008-2586
链接:http://www.frsirt.com/english/advisories/2008/2586
来源:SREASON
名称:4265
链接:http://securityreason.com/securityalert/4265
来源:SECUNIA
名称:31964
链接:http://secunia.com/advisories/31964
来源:SECUNIA
名称:31849
链接:http://secunia.com/advisories/31849