SektionEins GmbH www.sektioneins.de -= Security Advisory =- Advisory: TikiWiki Remote PHP Code Evaluation Vulnerability Release Date: 2007/10/29 Last Modified: 2007/10/29 Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: TikiWiki <= 220.127.116.11 Severity: Remote PHP code execution when TikiWiki's sheet feature is activated Risk: Medium Vendor Status: Vendor has released TikiWiki 18.104.22.168 which fixes this issue Reference: http://www.sektioneins.de/advisories/advisory-012007-tikiwiki-remote-php-code-evaluation-vulnerability.html Overview: Quote from http://www.tikiwiki.org "TikiWiki (Tiki) is your Groupware/CMS (Content Management System) solution. Tiki has the features you need: * Wikis (like Mediawiki) * Forums (like phpBB) * Blogs (like WordPress) * Articles (like Digg) * Image Gallery (like Flickr) * Map Server (like Google Maps) * Link Directory (like DMOZ) * Translation and i18n (like Babel Fish)" TikiWiki 22.214.171.124 fixes a broken white-list check (CVE-2007-5423) that is supposed to protect against arbitrary PHP code injection in a call to create_function(). When we analysed the bugfix we discovered that while the reported bug in the white-list check is now repaired, it is still possible to execute arbitrary PHP code by only using the strings allowed in the white-list. However since TikiWiki 126.96.36.199 the vulnerability can only be triggered if the 'sheet' feature of TikiWiki is activated in the configuration. Details: TikiWiki's tiki-graph_formula.php creates an anonymous function with PHP's create_function() to dynamically evaluate a mathematical function supplied by the user through the 'f' URL parameter. To protect against arbitrary PHP code execution the TikiWiki developers have combined a blacklist and white-list approach. On the one hand they have blacklisted three characters and on the other hand they only allow certain alphanumerical strings in the user input. The three blacklisted characters are ` - Allows execution of shell commands ' - String delimiter " - String delimiter The white-list of allowed alphanumerical string does only contain mathematical function names like: sin, cos, tan, pow, ... When TikiWiki was audited by ShAnKaR he discovered that the white-list check was incorrectly implemented and it was therefore possible to execute any PHP function. This vulnerability is known as CVE-2007-5423 and was fixed with the TikiWiki 188.8.131.52 update. Unfortunately the repaired white-list does not protect against arbitrary PHP code execution because PHP supports variable functions and variable variables. $varname = 'othervar'; $$varname = 4; // set $othervar to 4 $funcname = 'chr'; $funcname(95); // call chr(95) Because TikiWiki's blacklist does not protect against the '$' character, the injected PHP formulas can use temporary variables like $sin, $cos, $tan, ... It is therefore obvious that the protection can be bypassed by filling the temporary variables with strings representing names of other functions. Because of TikiWiki's black- and white-list this is a little bit tricky but possible. First of all it seems hard to get any string at all into one of our temporary variables because all allowed functions only return numbers. There are however two PHP features that help: array to string conversion and handling of unknown constants. $sin=cosh; // cosh is an unknown constant. // PHP assumes the string 'cosh' as value $sin=pi(); // Creates an array $sin=$sin.$sin; // Stringconcats of arrays. Array to string // conversion. Becomes 'ArrayArray' Using these tricks in combination with the ++ Operator that also allows incrementing alphanumerical strings it is possible to for example call the chr() function like this. $tan=pi()-pi(); // Get 0 into $tan $sin=cosh; // Get the string 'cosh' into $sin $min=$sin[$tan]; // Get 'c' into $min $tan++; // Get 1 into $tan $min.=$sin[$tan+$tan+$tan] // Append 'h' to 'c' $min.=$sin[$tan]; // Append 'o' to 'ch' $min++; // Increment 'cho' to 'chp' $min++; // Increment 'chp' to 'chq' $min++; // Increment 'chq' to 'chr' $min($tan) // Call chr(1) With access to the chr() function it is possible to create all kind of strings and therefore call any other function, which obviously leads to arbitrary PHP code execution. Proof of Concept: SektionEins GmbH is not going to release a proof of concept exploit for this vulnerability. Disclosure Timeline: 14. October 2007 - Notified email@example.com, patch in CVS 25. October 2007 - TikiWiki developers released TikiWiki 184.108.40.206 26. October 2007 - TikiWiki developers released TikiWiki 220.127.116.11 29. October 2007 - Public Disclosure Recommendation: It is strongly recommended to upgrade to the latest version of TikiWiki which also fixes additional vulnerabilities reported by third parties. Grab your copy at: http://info.tikiwiki.org/tiki-index.php?page=Get+Tiki CVE Information: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5682 to this vulnerability. GPG-Key: http://www.sektioneins.de/sektioneins-signature-key.asc pub 1024D/48A1DB12 2007-10-04 SektionEins GmbH - Signature Key Key fingerprint = 4462 A777 4237 E292 F52D 5AFE 7C9C C1AF 48A1 DB12 Copyright 2007 SektionEins GmbH. All rights reserved.