 |
|
You are here: Foswiki>Support Web>SecurityAlert-CVE-2012-6329 (19 Feb 2013, GeorgeClark)Edit Attach
plain text
Security Alert: Code injection vulnerability in MAKETEXT macro
Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume foswiki-announce list - details at MailingLists {UserInterfaceInternationalization} is enabled in the configuration. Because of this vulnerability it may be possible for a user to run arbitrary shell commands and code on the server through a crafted %MAKETEXT% macro. If your wiki allows commenting by users without first logging in, then it may be possible for such an anonymous user to exploit this vulnerability.
*Note: The fix for this advisory is incomplete. See also Support.SecurityAlert-CVE-2013-1666.
Severity Level
Severity 1 issue: The web server can be compromised The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcessMITRE Name for this Vulnerability
The Common Vulnerabilities and Exposures project has assigned the name CVE-2012-6329 to this vulnerability.Vulnerable Software Versions
- Foswiki 1.0.0, Foswiki 1.0.0-beta1, Foswiki 1.0.0-beta2, Foswiki 1.0.0-beta3, Foswiki 1.0.1, Foswiki 1.0.2, Foswiki 1.0.3, Foswiki 1.0.4, Foswiki 1.0.5, Foswiki 1.0.6, Foswiki 1.0.7, Foswiki 1.0.8, Foswiki 1.0.9, Foswiki 1.0.9-rc1, Foswiki 1.0.9-RC2, Foswiki 1.0.10, Foswiki 1.0.10-rc1, Foswiki 1.1.0, Foswiki 1.1.0-beta1, Foswiki 1.1.0-RC1, Foswiki 1.1.1, Foswiki 1.1.2, Foswiki 1.1.3, Foswiki 1.1.3-RC1, Foswiki 1.1.4, Foswiki 1.1.4-RC2, Foswiki 1.1.5, Foswiki 1.1.6
Attack Vectors
Editing wiki pages and HTTP POST requests towards a Foswiki server with enabled localization (typically port 80/TCP). Typically, prior authentication is necessary. A crafted %MAKETEXT{}% macro will pass through strings to Locale::Maketext where they are executed under the control of the CGI user on the server. Any user with the authority to edit a topic, comment on a topic, or execute the Foswiki rendering code (eg. The RenderPlugin) can take advantage of the vulnerability. Note that the report against Locale::Maketext also identified another vector, where a module name can be passed in to Maketext through the bracket notation. Foswiki is not vulnerable to this vector, as it does not permit that syntax to be used.Impact
Arbitrary code execution on the server can expose the file system. A second less severe Denial of Service vulnerability ( SecurityAlert-CVE-2012-6330) is also addressed by this alert.Details
A crafted %MAKETEXT{}% macro can cause multiple issues:- Execute arbitrary code on the server by passing unsanitized strings to Locale::Maketext. (CVE-2012-6329)
- Consume memory and swap space resulting in potential lockup or crash due to %<nop>MAKETEXT{}% not validating the parameter numbers supplied in the
[_nnn]tokens. (CVE-2012-6330) - Cause an exception within Foswiki, also due to invalid parameters in
[_nnn]tokens
Countermeasures
One of the following should be done as soon as possible.- Manually Apply hotfix (see patch below). or
- Apply the http://foswiki.org/Extensions/PatchItem12285Contrib to your Foswiki 1.1.x system (Does not apply to Foswiki 1.0.x) or
- Disable
{UserInerfaceInternationalization}in your LocalSite.cfg (Does not protect against SecurityAlert-CVE-2012-6330) or - The foswiki debian package has already been updated with the hotfix - use your preferred package management tool to update to foswiki 1.1.6-2
%MAKETEXT% macro beyond the code execution issue. Even if the new Locale::Maketext is installed, it is strongly recommended to apply the Foswiki patch.
Hotfix for Foswiki Release 1.1.0 - 1.1.6
Install Extensions.PatchItem12285Contrib, and verify that the patch has been applied to lib/Foswiki/Macros/MAKETEXT.pm. The extension will attempt to apply two patches, and should report that 1 file was patched. Only one of the patches will match your system. This patch fixes both SecurityAlert-CVE-2012-6329 and SecurityAlert-CVE-2012-6330.Running Post-install exit for PatchItem12285Contrib... Processing /var/www/data/Foswiki-1.1.1/working/configure/patch/Item12285-001.patch ... MD5 Matched - applying patch version Foswiki 1.1.0 - 1.1.2. Update successful for /var/www/data/Foswiki-1.1.0/lib/Foswiki/Macros/MAKETEXT.pm . 1 file patched ... Processing /var/www/data/Foswiki-1.1.1/working/configure/patch/Item12285-002.patch ... No files matched patch signaturesOn a properly patched system,
%MAKETEXT{" [_101] "}% should return an error. Excessive parameter number 101, MAKETEXT rejected.
Note that this Contrib will also install the PatchFoswikiContrib as a prerequisite. PatchFoswikiContrib patches the Extensions installer to accept the new style version strings used for modules released as of 1.1.6.
Hotfix for Foswiki Archived Release 1.0.0-1.0.10
This patch fixes both SecurityAlert-CVE-2012-6329 and SecurityAlert-CVE-2012-6330. This release should be manually patched. InFoswiki.pm, in the sub MAKETEXT
--- Foswiki.pm 2010-01-17 09:16:20.000000000 -0500
+++ Foswiki.pm.new 2012-12-10 10:06:37.389129654 -0500
@@ -4200,6 +4200,9 @@
$str =~
s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
+ return "Illegal parameter number" if ($max > 100);
+ $str =~ s#\\#\\\\#g;
+
# get the args to be interpolated.
my $argsStr = $params->{args} || "";
Manual patch for Foswiki Release 1.1.0 -> 1.1.2
Installing the PatchItem12285Contrib is the best way to patch your system - you can however see the patch we apply here. This patch fixes both SecurityAlert-CVE-2012-6329 and SecurityAlert-CVE-2012-6330:
~~~PATCH 72c86f0c71519caf6d26efbe174739f6 lib/Foswiki/Macros/MAKETEXT.pm (Foswiki 1.1.0 - 1.1.2)
--- /home/gac/Foswiki/Foswiki-1.1.0/lib/Foswiki/Macros/MAKETEXT.pm 2010-10-04 11:26:34.000000000 -0400
+++ lib/Foswiki/Macros/MAKETEXT.pm 2012-12-11 11:26:04.034507184 -0500
@@ -4,9 +4,19 @@
use strict;
use warnings;
+use Locale::Maketext;
+my $escape =
+ ( $Foswiki::cfg{UserInterfaceInternationalisation}
+ && $Locale::Maketext::VERSION
+ && $Locale::Maketext::VERSION < 1.23 );
+
sub MAKETEXT {
my ( $this, $params ) = @_;
+ my $max;
+ my $min;
+ my $param_error;
+
my $str = $params->{_DEFAULT} || $params->{string} || "";
return "" unless $str;
@@ -18,15 +28,22 @@
$str =~ s/~~\[/~[/g;
$str =~ s/~~\]/~]/g;
+ $max = 0;
+ $min = 1;
+ $param_error = 0;
+
# unescape parameters and calculate highest parameter number:
- my $max = 0;
- $str =~ s/~\[(\_(\d+))~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
+ $str =~ s/~\[(\_(\d+))~\]/_validate($1, $2, $max, $min, $param_error)/ge;
$str =~
-s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
+s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ _validate($1, $2, $max, $min, $param_error)/ge;
+ return $str if ($param_error);
# get the args to be interpolated.
my $argsStr = $params->{args} || "";
+ # Escape any escapes.
+ $str =~ s#\\#\\\\#g if ($escape); # escape any escapes
+
my @args = split( /\s*,\s*/, $argsStr );
# fill omitted args with zeros
@@ -47,6 +64,26 @@
return $result;
}
+sub _validate {
+
+ #my ( $contents, $number, $max, $min, $param_error ) = @_
+
+ $_[2] = $_[1] if ( $_[1] > $_[2] ); # Record maximum param number
+ $_[3] = $_[1] if ( $_[1] < $_[3] ); # Record minimum param number
+
+ if ( $_[1] > 100 ) {
+ $_[4] = 1; # Set error flag
+ return
+"<span class=\"foswikiAlert\">Excessive parameter number $_[2], MAKETEXT rejected.</span>";
+ }
+ if ( $_[1] < 1 ) {
+ $_[4] = 1; # Set error flag
+ return
+"<span class=\"foswikiAlert\">Invalid parameter <code>\"$_[0]\"</code>, MAKETEXT rejected.</span>";
+ }
+ return "[$_[0]]"; # Return the complete bracket parameter without escapes
+}
+
1;
__END__
Foswiki - The Free and Open Source Wiki, http://foswiki.org/
Manual patch for Foswiki Release 1.1.3 -> 1.1.6
Installing the PatchItem12285Contrib is the best way to patch your system - you can however see the patch we apply here This patch fixes both SecurityAlert-CVE-2012-6329 and SecurityAlert-CVE-2012-6330:
~~~PATCH 160f04fc478c5f9b81d2ef6c9e614074 lib/Foswiki/Macros/MAKETEXT.pm (Foswiki 1.1.3 - Foswiki 1.1.6)
--- lib/Foswiki/Macros/MAKETEXT.pm 2012-12-11 10:51:12.959268829 -0500
+++ lib/Foswiki/Macros/MAKETEXT.pm.new 2012-12-11 10:37:31.674486503 -0500
@@ -4,9 +4,19 @@
use strict;
use warnings;
+use Locale::Maketext;
+my $escape =
+ ( $Foswiki::cfg{UserInterfaceInternationalisation}
+ && $Locale::Maketext::VERSION
+ && $Locale::Maketext::VERSION < 1.23 );
+
sub MAKETEXT {
my ( $this, $params ) = @_;
+ my $max;
+ my $min;
+ my $param_error;
+
my $str = $params->{_DEFAULT} || $params->{string} || "";
return "" unless $str;
@@ -18,15 +28,22 @@
$str =~ s/~~\[/~[/g;
$str =~ s/~~\]/~]/g;
+ $max = 0;
+ $min = 1;
+ $param_error = 0;
+
# unescape parameters and calculate highest parameter number:
- my $max = 0;
- $str =~ s/~\[(\_(\d+))~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
+ $str =~ s/~\[(\_(\d+))~\]/_validate($1, $2, $max, $min, $param_error)/ge;
$str =~
-s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
+s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ _validate($1, $2, $max, $min, $param_error)/ge;
+ return $str if ($param_error);
# get the args to be interpolated.
my $argsStr = $params->{args} || "";
+ # Escape any escapes.
+ $str =~ s#\\#\\\\#g if ($escape); # escape any escapes
+
my @args = split( /\s*,\s*/, $argsStr );
# fill omitted args with empty strings
@@ -47,6 +64,26 @@
return $result;
}
+sub _validate {
+
+ #my ( $contents, $number, $max, $min, $param_error ) = @_
+
+ $_[2] = $_[1] if ( $_[1] > $_[2] ); # Record maximum param number
+ $_[3] = $_[1] if ( $_[1] < $_[3] ); # Record minimum param number
+
+ if ( $_[1] > 100 ) {
+ $_[4] = 1; # Set error flag
+ return
+"<span class=\"foswikiAlert\">Excessive parameter number $_[2], MAKETEXT rejected.</span>";
+ }
+ if ( $_[1] < 1 ) {
+ $_[4] = 1; # Set error flag
+ return
+"<span class=\"foswikiAlert\">Invalid parameter <code>\"$_[0]\"</code>, MAKETEXT rejected.</span>";
+ }
+ return "[$_[0]]"; # Return the complete bracket parameter without escapes
+}
+
1;
__END__
Foswiki - The Free and Open Source Wiki, http://foswiki.org/
Action Plan with Timeline
- 2012-12-05 - The Locale::Maketext vulnerability was discussed on the Perl5Porters email list, triggered review of Foswiki code.
- 2012-12-05 - Patched version (1.23) of Locale::Maketext is released.
- 2012-12-08 - The [_999999] DoS issue identified and sent to foswiki security list.
- 2012-12-09 - The "remote execution" vulnerability in Locale::Maketext was confirmed on Foswiki.
- 2012-12-09 - Requested the CVE from cve-assign@mitre.org.
- 2012-12-09 - TWiki notified of the Vulnerability.
- 2012-12-10 - Developer fixes code (George Clark) and security team validates the fixes.
- 2012-12-10 - PatchItem12285Contrib released for Foswiki 1.1.x
- 2012-12-10 - Security team creates advisory with hotfix. Announcement delayed for coordination with TWiki (George Clark)
- 2012-12-12 - Updated Debian packages released (Sven Dowideit)
- 2012-12-12 - Send alert to foswiki-announce and foswiki-discuss mailing lists ( )
- 2012-12-14 - Publish advisory in Support web and update all related topics ( )
- 2012-12-14 - Reference to public advisory on Download page and Known Issues ( )
- 2012-xx-xx - Release Manager builds patch release ( )
- 2012-xx-xx - Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) ( )
- Set ALLOWTOPICCHANGE = SecurityGroup
Edit | Attach | Print version | History: r12 < r11 < r10 < r9 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r12 - 19 Feb 2013, GeorgeClark
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. 
Legal Imprint Privacy Policy
Legal Imprint Privacy Policy