ESB-2007.0853 -- [Win][UNIX/Linux][OSX] -- TikiWiki Remote PHP Code Evaluation Vulnerability

Date: 31 October 2007
References: AA-2007.0085  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                  ESB-2007.0853 -- [Win][UNIX/Linux][OSX]
             TikiWiki Remote PHP Code Evaluation Vulnerability
                              31 October 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              TikiWiki <= 1.9.8.1
Publisher:            Stefan Esser [stefan.esser[at]sektioneins.de]
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Execute Arbitrary Code/Commands
                      Cross-site Scripting
                      Inappropriate Access
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-5684 CVE-2007-5683 CVE-2007-5682
                      CVE-2007-5423

Ref:                  AA-2007.0085

Original Bulletin:    http://www.sektioneins.de/advisories/SE-2007-01.txt

Comment: A bugfix release version 1.9.8.3 has been released fixing issues
         in 1.9.8.2. Please ensure you upgrade to the 1.9.8.3 release
         available from
         http://info.tikiwiki.org/tiki-index.php?page=Get+Tiki.

         Patch 1.9.8.3 also resolves multiple directory traversal
         vulnerabilities referenced in CVE-2007-5684, and multiple
         cross-site scripting (XSS) vulnerabilities referenced in
         CVE-2007-5683.

- --------------------------BEGIN INCLUDED TEXT--------------------



                          SektionEins GmbH
                         www.sektioneins.de

                      -= Security  Advisory =-


     Advisory: TikiWiki Remote PHP Code Evaluation Vulnerability
 Release Date: 2007/10/29
Last Modified: 2007/10/29
       Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: TikiWiki <= 1.9.8.1
     Severity: Remote PHP code execution when TikiWiki's 
               sheet feature is activated
         Risk: Medium
Vendor Status: Vendor has released TikiWiki 1.9.8.2 which fixes this issue
    Reference: http://www.sektioneins.de/advisories/SE-2007-01.txt


Overview:

   Quote from http://www.tikiwiki.org
   "TikiWiki (Tiki) is your Groupware/CMS (Content Management System) 
    solution. Tiki has the features you need:   
    * Wikis (like Mediawiki)
    * Forums (like phpBB)
    * Blogs (like WordPress)
    * Articles (like Digg)
    * Image Gallery (like Flickr)
    * Map Server (like Google Maps)
    * Link Directory (like DMOZ)
    * Translation and i18n (like Babel Fish)"
    
   TikiWiki 1.9.8.1 fixes a broken white-list check (CVE-2007-5423) 
   that is supposed to protect against arbitrary PHP code injection
   in a call to create_function(). When we analysed the bugfix we
   discovered that while the reported bug in the white-list check 
   is now repaired, it is still possible to execute arbitrary PHP
   code by only using the strings allowed in the white-list.
   
   However, since TikiWiki 1.9.8.1 the vulnerability can only be
   triggered if the 'sheet' feature of TikiWiki is activated in the
   configuration.
   

Details:

   TikiWiki's tiki-graph_formula.php creates an anonymous function
   with PHP's create_function() to dynamically evaluate a mathematical
   function supplied by the user through the 'f' URL parameter.
   
   To protect against arbitrary PHP code execution the TikiWiki
   developers have combined a blacklist and white-list approach. On
   the one hand they have blacklisted three characters and on the
   other hand they only allow certain alphanumerical strings in the
   user input.
   
   The three blacklisted characters are
   
      ` - Allows execution of shell commands
      ' - String delimiter
      " - String delimiter
      
   The white-list of allowed alphanumerical strings contains only
   mathematical function names such as sin, cos, tan, pow, ...
   
   When ShAnKaR audited TikiWiki he discovered that the white-list
   check was incorrectly implemented and that it was therefore
   possible to execute any PHP function. This vulnerability is known
   as CVE-2007-5423 and was fixed with the TikiWiki 1.9.8.1 update.
   
   Unfortunately the repaired white-list does not protect against
   arbitrary PHP code execution because PHP supports variable 
   functions and variable variables.
   
      $varname = 'othervar';
      $$varname = 4;  // set $othervar to 4
   
      $funcname = 'chr';
      $funcname(95);  // call chr(95)

   Because TikiWiki's blacklist does not protect against the '$' 
   character, the injected PHP formulas can use temporary variables 
   like $sin, $cos, $tan, ...
   
   It is therefore obvious that the protection can be bypassed by
   filling the temporary variables with strings representing names
   of other functions. Because of TikiWiki's black- and white-list
   this is a little bit tricky but possible.
   
   First of all, it seems hard to get any string at all into one
   of our temporary variables, because all allowed functions return
   only numbers. There are however two PHP features that help:
   array-to-string conversion and the handling of unknown constants.
   
     $sin=cosh;       // cosh is an unknown constant:
                      // PHP assumes the string 'cosh' as its value

     $sin[]=pi();     // creates an array
     $sin=$sin.$sin;  // string concatenation of two arrays triggers
                      // array-to-string conversion: becomes 'ArrayArray'
   
   Using these tricks in combination with the ++ operator, which
   also increments alphanumerical strings, it is possible to call,
   for example, the chr() function like this:
   
      $tan=pi()-pi();   // Get 0 into $tan
      $sin=cosh;        // Get the string 'cosh' into $sin
      $min=$sin[$tan];  // Get 'c' into $min
      $tan++;           // Get 1 into $tan
      $min.=$sin[$tan+$tan+$tan]; // Append 'h' to 'c'
      $min.=$sin[$tan]; // Append 'o' to 'ch'
      $min++;           // Increment 'cho' to 'chp'
      $min++;           // Increment 'chp' to 'chq'
      $min++;           // Increment 'chq' to 'chr'
      $min($tan);       // Call chr(1)

   With access to the chr() function it is possible to create
   all kind of strings and therefore call any other function,
   which obviously leads to arbitrary PHP code execution.
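
   The root cause above is that a deny-list of three characters plus a
   check on bare words cannot make create_function() safe, because PHP's
   own syntax ($, [], ., ++, unknown constants) supplies the rest. As an
   added example (not TikiWiki's or SektionEins' code), the following
   shows the defensive alternative for a formula endpoint like
   tiki-graph_formula.php: an allow-list tokenizer and a small
   recursive-descent evaluator, so user input is parsed and never handed
   to create_function() or eval(). The names tokenize, evaluate and
   FUNCS, the grammar, and the PHP 8 requirement are assumptions.

```php
<?php
// Added example, not TikiWiki's or SektionEins' code: allow-list tokenizer plus
// recursive-descent evaluator, so the formula is parsed instead of reaching
// create_function(); '$', '[', '.', '++' and names outside FUNCS are rejected.
const FUNCS = ['sin', 'cos', 'tan', 'cosh', 'sqrt', 'abs'];   // assumed table

function tokenize(string $f): array {
    // Deny by default: every byte must belong to a number, a name or an operator.
    $re = '/\G(?:(\d+(?:\.\d+)?)|([a-z]+)|([-+*\/()]))/';
    $f = str_replace(' ', '', $f); $tokens = []; $pos = 0;
    while ($pos < strlen($f)) {
        if (!preg_match($re, $f, $m, 0, $pos)) throw new InvalidArgumentException("illegal character at offset $pos");
        $pos += strlen($m[0]);
        if ($m[1] !== '')                     $tokens[] = ['num', (float) $m[1]];
        elseif (isset($m[2]) && $m[2] !== '') $tokens[] = ['id', $m[2]];
        else                                  $tokens[] = ['op', $m[3]];
    }
    return $tokens;
}

// expr := term (('+'|'-') term)* ; term := unary (('*'|'/') unary)*
// unary := '-' unary | num | 'x' | func '(' expr ')' | '(' expr ')'   (PHP 8)
function evaluate(string $formula, float $x): float {
    $t = tokenize($formula); $i = 0;
    $take = function (string $op, bool $must = false) use (&$t, &$i): bool {
        if (($t[$i] ?? null) === ['op', $op]) { $i++; return true; }
        if ($must) throw new InvalidArgumentException("'$op' expected");
        return false;
    };
    $unary = function () use (&$t, &$i, $take, &$expr, &$unary, $x) {
        if ($take('-')) return -$unary();
        if ($take('(')) { $v = $expr(); $take(')', true); return $v; }
        $tok = $t[$i++] ?? throw new InvalidArgumentException('unexpected end');
        if ($tok[0] === 'num') return $tok[1];
        if ($tok[1] === 'x') return $x;
        if (!in_array($tok[1], FUNCS, true)) throw new InvalidArgumentException("unknown name {$tok[1]}");
        $take('(', true); $v = $expr(); $take(')', true);
        $fn = $tok[1]; return $fn($v);   // only a name from the fixed FUNCS table is ever called
    };
    $term = function () use ($take, $unary) {
        for ($v = $unary(); ; ) { if ($take('*')) $v *= $unary(); elseif ($take('/')) $v /= $unary(); else return $v; }
    };
    $expr = function () use ($take, $term) {
        for ($v = $term(); ; ) { if ($take('+')) $v += $term(); elseif ($take('-')) $v -= $term(); else return $v; }
    };
    $v = $expr();
    if ($i !== count($t)) throw new InvalidArgumentException('trailing input');
    return $v;
}
echo evaluate('2*sin(0)+x*x', 3.0), "\n";   // parsed and evaluated without eval()
```

   With this check, an input such as `$sin=cosh` fails in tokenize() at
   offset 0, and a bare `cosh` with no argument list fails in evaluate()
   with "'(' expected", so none of the tricks described above reach an
   evaluator.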
   

Proof of Concept:

   SektionEins GmbH is not going to release a proof of concept 
   exploit for this vulnerability.


Disclosure Timeline:

   14. October 2007 - Notified security@tikiwiki.org, patch in CVS
   25. October 2007 - TikiWiki developers released TikiWiki 1.9.8.2
   26. October 2007 - TikiWiki developers released TikiWiki 1.9.8.3
   29. October 2007 - Public Disclosure


Recommendation:

   It is strongly recommended to upgrade to the latest version of
   TikiWiki which also fixes additional vulnerabilities reported by
   third parties.
   
   Grab your copy at:
   
   http://info.tikiwiki.org/tiki-index.php?page=Get+Tiki


CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CVE-2007-5682 to this vulnerability.
               

GPG-Key:

   http://www.sektioneins.de/sektioneins-signature-key.asc

   pub  1024D/48A1DB12 2007-10-04 SektionEins GmbH - Signature Key <info@sektioneins.de>
   Key fingerprint = 4462 A777 4237 E292 F52D  5AFE 7C9C C1AF 48A1 DB12


Copyright 2007 SektionEins GmbH. All rights reserved.


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
