[Full-disclosure] Advisory SE-2007-01: TikiWiki Remote PHP Code Evaluation Vulnerability

2007-10-2900:00:00

vulners.com

JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                      SektionEins GmbH
                     www.sektioneins.de

                  -= Security  Advisory =-


 Advisory: TikiWiki Remote PHP Code Evaluation Vulnerability

Release Date: 2007/10/29
Last Modified: 2007/10/29
Author: Stefan Esser [stefan.esser[at]sektioneins.de]

Application: TikiWiki <= 1.9.8.1
Severity: Remote PHP code execution when TikiWiki's
sheet feature is activated
Risk: Medium
Vendor Status: Vendor has released TikiWiki 1.9.8.2 which fixes this issue
Reference: http://www.sektioneins.de/advisories/SE-2007-01.txt

Overview:

Quote from http://www.tikiwiki.org
"TikiWiki (Tiki) is your Groupware/CMS (Content Management System)
solution. Tiki has the features you need:
* Wikis (like Mediawiki)
* Forums (like phpBB)
* Blogs (like WordPress)
* Articles (like Digg)
* Image Gallery (like Flickr)
* Map Server (like Google Maps)
* Link Directory (like DMOZ)
* Translation and i18n (like Babel Fish)"

TikiWiki 1.9.8.1 fixes a broken white-list check (CVE-2007-5423)
that is supposed to protect against arbitrary PHP code injection
in a call to create_function(). When we analysed the bugfix we
discovered that while the reported bug in the white-list check
is now repaired, it is still possible to execute arbitrary PHP
code by only using the strings allowed in the white-list.

However since TikiWiki 1.9.8.1 the vulnerability can only be
triggered if the 'sheet' feature of TikiWiki is activated in the
configuration.

Details:

TikiWiki's tiki-graph_formula.php creates an anonymous function
with PHP's create_function() to dynamically evaluate a mathematical
function supplied by the user through the 'f' URL parameter.

To protect against arbitrary PHP code execution the TikiWiki
developers have combined a blacklist and white-list approach. On
the one hand they have blacklisted three characters and on the
other hand they only allow certain alphanumerical strings in the
user input.

The three blacklisted characters are

  &#96; - Allows execution of shell commands
  &#39; - String delimiter
  &quot; - String delimiter

The white-list of allowed alphanumerical string does only contain
mathematical function names like: sin, cos, tan, pow, …

When TikiWiki was audited by ShAnKaR he discovered that the
white-list check was incorrectly implemented and it was therefore
possible to execute any PHP function. This vulnerability is known
as CVE-2007-5423 and was fixed with the TikiWiki 1.9.8.1 update.

Unfortunately the repaired white-list does not protect against
arbitrary PHP code execution because PHP supports variable
functions and variable variables.

  $varname = &#39;othervar&#39;;
  $$varname = 4;  // set $othervar to 4

  $funcname = &#39;chr&#39;;
  $funcname&#40;95&#41;;  // call chr&#40;95&#41;

Because TikiWiki's blacklist does not protect against the '$'
character, the injected PHP formulas can use temporary variables
like $sin, $cos, $tan, …

It is therefore obvious that the protection can be bypassed by
filling the temporary variables with strings representing names
of other functions. Because of TikiWiki's black- and white-list
this is a little bit tricky but possible.

First of all it seems hard to get any string at all into one
of our temporary variables because all allowed functions only
return numbers. There are however two PHP features that help:
array to string conversion and handling of unknown constants.

 $sin=cosh;       // cosh is an unknown constant. 
                  // PHP assumes the string &#39;cosh&#39; as value
           
 $sin[]=pi&#40;&#41;;     // Creates an array
 $sin=$sin.$sin;  // Stringconcats of arrays. Array to string 
                  // conversion. Becomes &#39;ArrayArray&#39;

Using these tricks in combination with the ++ Operator that
also allows incrementing alphanumerical strings it is possible
to for example call the chr() function like this.

  $tan=pi&#40;&#41;-pi&#40;&#41;;   // Get 0 into $tan
  $sin=cosh;        // Get the string &#39;cosh&#39; into $sin
  $min=$sin[$tan];  // Get &#39;c&#39; into $min
  $tan++;           // Get 1 into $tan
  $min.=$sin[$tan+$tan+$tan] // Append &#39;h&#39; to &#39;c&#39;
  $min.=$sin[$tan]; // Append &#39;o&#39; to &#39;ch&#39;
  $min++;           // Increment &#39;cho&#39; to &#39;chp&#39;
  $min++;           // Increment &#39;chp&#39; to &#39;chq&#39;
  $min++;           // Increment &#39;chq&#39; to &#39;chr&#39;
  $min&#40;$tan&#41;        // Call chr&#40;1&#41;

With access to the chr() function it is possible to create
all kind of strings and therefore call any other function,
which obviously leads to arbitrary PHP code execution.

Proof of Concept:

SektionEins GmbH is not going to release a proof of concept
exploit for this vulnerability.

Disclosure Timeline:

October 2007 - Notified [email protected], patch in CVS
October 2007 - TikiWiki developers released TikiWiki 1.9.8.2
October 2007 - TikiWiki developers released TikiWiki 1.9.8.3
October 2007 - Public Disclosure

Recommendation:

It is strongly recommended to upgrade to the latest version of
TikiWiki which also fixes additional vulnerabilities reported by
third parties.

Grab your copy at:

http://info.tikiwiki.org/tiki-index.php?page=Get+Tiki

CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2007-5682 to this vulnerability.

GPG-Key:

http://www.sektioneins.de/sektioneins-signature-key.asc

pub 1024D/48A1DB12 2007-10-04 SektionEins GmbH - Signature Key <[email protected]>
Key fingerprint = 4462 A777 4237 E292 F52D 5AFE 7C9C C1AF 48A1 DB12

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHBVlgfJzBr0ih2xIRAoAeAJ9KiJJ3boDsCgqYItUMDh1MOd1djwCdH+OD
9xvWNGsfgDK15OMSHcI4JhI=
=x2Tq
-----END PGP SIGNATURE-----

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/