Message-ID: <eo9ip0loq7qm3p0h5432qdq76fbffkrk3h@4ax.com>
From: roman at rs-labs.com (Roman Medina-Heigl Hernandez)
Subject: The true story of TWiki vuln (exploit included)
[ In response to:
http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0022.html ]
Dear Hans,
It is not a commendable action to make people believe that you found a
vulnerability which you really have not discovered. I don't know if
you did it on purpose. I prefer to believe you didn't, but it is
reasonable to think that publishing it without *clearly* stating its
provenance could lead people to a misunderstanding. This thought may be
easily strengthened by the fact that you forced an "uncoordinated
emergency disclosure" (as read in your advisory) just when I was
coordinating my own advisory with Peter Thoeny (main developer and
author of TWiki). The exposed facts caused me a sense of indignation, so I
started to investigate the issue. Before writing this public response,
I talked to many different people/sources with different points of view,
and mails were exchanged. Things got complicated by the fact that you
seem to belong to a well-known and reputable security organization
(whose name I won't disclose here to avoid any suspicion and to show
my respect to it) and your action was (or at least seemed to be)
unethical, as recognized by some of the more representative members of
your (presumable) organization.
To summarize the results and have some semi-impartial view, I have
attached a mail from Peter where he publicly explains the timeline
followed in the disclosure (judge by yourself). He also drops some
personal thoughts which I don't necessarily share. Btw, mine are:
1) Peter didn't know how to coordinate the issue or at least he was
not fast enough.
2) Hans rushed the publication of the advisory and masked it, perhaps
in the mood for fame (last comment is subjective).
3) As a result of 1+2, Hans and I couldn't meet before all this mess,
which would have been avoided almost for sure.
I have been accused of having hidden my discovery for approx. two
months with presumably obscure purposes. Well, it is true that I knew
about the discussed issues for that time, but my reasons have been
completely disrupted. *I don't have anything to hide*. I'm an
independent researcher and I like researching vulnerabilities only for
fun. I also like to take my time and enjoy my spare time without any
hurry. Apart from this, believe it or not, I have been very busy
during the past months. For instance, in the past two months I got married
to a lovely girl, went on honeymoon... You don't want to know all the
details, eh? :-) Strictly speaking about computers, I'm also involved
in other projects and, to be honest, TWiki was/is not a priority to me
(I was looking for WikiWiki software to use; when I accidentally
discovered the backticks bug, I quickly switched to considering other
similar software like PhpWiki).
I consider myself a pro-full-disclosure man and I like to publish
my work. But Peter, don't go wrong by blaming me for the hacking of two
machines due to my delayed disclosure: *full disclosure is a
privilege, not a right for any developer*. Full-disclosers often
invest their time in helping the community to enhance the security of many
applications and/or fixing bugs _the developers commit_.
Something similar applies to you, Hans: running a 2.4.20 kernel is not
precisely what I'd call a good job for a responsible and/or
security-conscious sysadmin...
It's funny to read Peter's statement:
"The vulnerability was known to Roman for 2 months, but he did
not inform the TWiki developers. _Damage on two sites could have
been prevented._"
Apart from my personal reasons (which I already explained), it's easy
to refute and rewrite your paragraph:
"TWiki developers wrote buggy code. _Damage on two sites could have
been prevented if they had known basic principles about security_."
Haven't you thought about that possibility? Sorry, guys, but once again,
judge for yourself ;-)
Moreover, I've just received a phone call some minutes ago stating
that the TWiki vulnerability was known for at least 1 year!! Woo!! If that
is true, it would mean that other people independently discovered the
same vulnerability before me, a fact which doesn't surprise me, taking
into account the silly and simple nature of the bug. Anybody could
have discovered it. I'm not particularly proud of my research in TWiki;
it doesn't require very high skills. Not at all, indeed. But one of
the things that sickens me is people getting credit that they don't
deserve. That's the main reason for this post.
Having said that, and for the rest of the people who don't know what
this story is about, forget it and enjoy the attached exploit. It's beta
but it works (against TWiki "BeijingRelease" [1]; I did a quick test
against "CairoRelease" [2] and it doesn't work against it). Proxy and HTTP
auth are supported. Win32/Unix compatible. And please remember: use at
your own risk.
Finally, I'd like to clearly state that I take no responsibility for
any hacked machine due to this bug being exploited, in the past,
present or future. I don't approve of/support the hacking of any machine,
including machines belonging to the referred organization and/or
administered by Hans Ulrich. I like researching and writing exploits
for fun. But attacking machines... simply, it's not my style.
That's all I have to say about this issue. I won't enter any flame war
and I will not respond to any post regarding this matter, either.
PS: References:
[1] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Feb2003
[2] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Sep2004
Cheers,
--Roman
--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
-------------- next part --------------
Date: Sun, 14 Nov 2004 17:11:30 -0800
From: Peter Thoeny <peter.thoeny@...global.net>
To: Hans Ulrich Niedermann <hun@...ue.de>
Cc: Roman Medina-Heigl Hernandez <roman@...labs.com>, public@...e
Subject: Re: Lame TWiki advisory
All:
I am not participating in flame wars. I am just pointing
out the facts. I do not care who discovered it first, my
highest priority is that public TWikis are safe and secured
before crackers can take advantage of vulnerabilities.
1. At TWiki.org we have a process defined of how to handle
security issues. It is clearly marked in the BugReport page,
http://TWiki.org/cgi-bin/view/Codev/BugReport :
"Important: In case you think that you discovered a security
issue that could potentially compromise public TWiki
installations, please contact one of the CoreTeam members
by e-mail. We will follow up in a timely manner with a fix
and will inform administrators before the issue gets public."
2. Roman contacted me on Thursday that he had discovered a
vulnerability and that he wanted to prepare a security
advisory. I replied on the same day with recommended actions
based on our process.
3. Friday morning: Andreas Thienemann and Benjamin Schweizer informed
me of the vulnerability. At that time we did not know what
caused it. Andreas and I exchanged some e-mail to narrow down the
issue. Andreas forwarded me the log entries of a hacked server.
Based on this I could verify and identify the vulnerability.
4. I created a quick fix, fixed TWiki.org, created a quick advisory
and informed the TWiki community via the twiki-dev mailing list. I
also sent the quick fix to Andreas and Benjamin. Then I went to
work.
5. While I was at work, without access to home e-mail:
- Roman sent an e-mail with a search example demonstrating the
vulnerability.
- Hans Ulrich sent me two drafts of an advisory.
6. Friday afternoon: I returned home early because of the issue
and read the e-mails. I made a more robust fix, compiled the
e-mail addresses of several hundred TWiki admins and sent out
the advisory based on Hans Ulrich's version, with some mods.
7. I forwarded the revised advisory to Hans Ulrich, but he had already
released it to the public.
Overall the issue got handled in a timely manner once I got to
know about the vulnerability. However, these things did not work
well:
- I did not get Hans Ulrich and Roman in touch quickly enough
on Friday.
- The advisory went out uncoordinated, bypassing a grace period
for TWiki admins to fix the hole. (I know that the vulnerability
was already known by hackers, but only by a few. Once an advisory
is made available publicly the whole world knows). _This is not
in line with our published process and possibly compromises other
public TWiki sites._
- The vulnerability was known to Roman for 2 months, but he did
not inform the TWiki developers. _Damage on two sites could have
been prevented._
Regards,
Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tweaky.pl
Type: application/octet-stream
Size: 6620 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041115/70ade298/tweaky.obj