Message-ID: <4DABA12D.8000002@parit.ca>
Date: Sun, 17 Apr 2011 21:25:49 -0500
From: Mark Jenkins <mark@...it.ca>
To: full-disclosure@...ts.grok.org.uk
Subject: Plone CVE-2011-0720 details
This is in regards to CVE-2011-0720, a Plone vulnerability announced in
early February.
http://plone.org/products/plone/security/advisories/cve-2011-0720
As noted on
http://www.securityfocus.com/bid/46102/exploit
"An attacker can exploit this issue using a browser."
To fill in a few more details:
Plone is implemented with Zope, an object-oriented web application
framework. Many Zope objects can be referenced by URL through a
file-system-like hierarchy formed by object names. Methods of such
objects are thus addressable as
/path_to_parent_object/path_to_object/name_of_method. Arguments as
listed in these function definitions correspond to field names as per
standard URL encoding (http://en.wikipedia.org/wiki/Percent-encoding).
Object paths consist of object names and are not necessarily related by
type. To search by object type, use the find feature in the Zope
Management Interface.
I studied the released hotfix and documented corresponding patches in
the subversion repositories that were slated to go into Plone 4.0.4
(easier than reading the hotfix).
http://dl.dropbox.com/u/16487130/plone_4.0.4_security_patches.txt
I used the Zope Management Interface find feature in my own test
deployment of Plone 4.0.3 to find objects of the affected types.
Searching for type "Pluggable Auth Service" (PAS) as patched by
http://dev.plone.org/collective/changeset/232213
was most fruitful. On default Plone installations a PAS can be found in
/acl_users/ for each installed site.
The exposed getUsers and userSetPassword methods are a fairly dangerous
combination that can be exploited by anonymous attackers. Other
functions are of more limited value or require stronger permissions.
These methods are also listed in the log checker
http://plone.org/products/plone-hotfix/releases/CVE-2011-0720/logchecker.py
but with the /acl_users/ part absent.
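The log checker above is the hotfix's own. As an added example that is not part of this post or of the Plone project's code, the following Python script shows the same kind of check run over Common Log Format access lines (assumed to resemble a Zope Z2.log or a front-end web server log; the sample lines are constructed). It flags any request whose path contains one of the two method names, marks the hit as high confidence when an acl_users segment precedes it, percent-decodes path segments before comparing them, and records query parameter names but never their values. The names WATCHED_METHODS, classify_target and scan_log are this example's own.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# The two PAS methods the post singles out as the dangerous exposed pair. The
# hotfix logchecker lists them without the /acl_users/ prefix, so the bare
# segment is matched and the presence of acl_users is recorded separately.
WATCHED_METHODS = {"getUsers", "userSetPassword"}

# Request line inside a Common Log Format record: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<verb>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic); the client addresses are
# from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Apr/2011:21:00:01 -0500] "GET /Plone/front-page HTTP/1.1" 200 4512
203.0.113.5 - - [17/Apr/2011:21:00:07 -0500] "GET /Plone/acl_users/getUsers HTTP/1.1" 200 812
203.0.113.5 - - [17/Apr/2011:21:00:13 -0500] "POST /Plone/acl_users/userSetPassword HTTP/1.1" 200 17
203.0.113.5 - - [17/Apr/2011:21:00:20 -0500] "GET /Plone/acl_users/%67etUsers?x=1 HTTP/1.1" 200 812
198.51.100.9 - - [17/Apr/2011:21:01:02 -0500] "GET /Plone/news/getUsers HTTP/1.1" 404 210
"""


def classify_target(target):
    """Inspect one request target (path plus optional query string).

    Returns None when no watched method name appears as a path segment,
    otherwise a dict with the matched method, the decoded path, whether an
    acl_users segment precedes it, and the query parameter *names* only.
    """
    parsed = urlparse(target)
    # Compare segments in decoded form so an encoded method name is seen
    # the way the server resolves it (the post notes URL encoding applies).
    segments = [unquote(s) for s in parsed.path.split("/") if s]
    for i, seg in enumerate(segments):
        if seg in WATCHED_METHODS:
            return {
                "zope_method": seg,
                "path": "/" + "/".join(segments),
                "under_acl_users": "acl_users" in segments[:i],
                # Values are deliberately dropped: a userSetPassword request
                # carries the new password, which must not end up in reports.
                "param_names": sorted(parse_qs(parsed.query).keys()),
            }
    return None


def scan_log(text):
    """Run classify_target over every CLF line; return the list of findings."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hit = classify_target(m.group("target"))
        if hit is None:
            continue
        hit["client"] = line.split(" ", 1)[0]
        hit["verb"] = m.group("verb")
        findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        level = "HIGH" if f["under_acl_users"] else "low "
        print(f"{level} {f['client']} {f['verb']} {f['path']} params={f['param_names']}")
```

Feed it the real access log instead of SAMPLE_LOG to review a deployment; a hit on userSetPassword under acl_users from an address that never authenticated is the case to investigate first, since the post explains that this combination needs no login.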
--- End Details ---
On the matter of disclosure gap and necessary capabilities:
I spent around 16 waking hours and 26 clock hours to go from having seen
the original vulnerability announcement to exploiting. This is in my
guess a high upper bound for the capabilities required to go from "vuln"
to "sploit".
I had only user-level prior familiarity with Plone and no prior
familiarity with Zope.
To test if someone else could reasonably translate these public
vulnerability details into an exploit, I presented the basic knowledge
of Zope URL based invocation and how I found /acl_users/, and pointed to
the above relevant patch over the course of 2 hours at a
competition/talk on March 19th. Another individual was able to identify
the appropriate function name and arguments with an additional hour,
escalated to an administrator account, and vandalized a test site
running for the occasion.
http://www.skullspace.ca/blog/2011/03/hackathon-4-was-a-huge-success/
I regret that a recording was not made despite best efforts and that my
slides are of such limited detail to not warrant publication.
(this email has way more useful information)
Though both myself and the other individual have programming
backgrounds, I guess that a moderately determined individual without
such capabilities could also close the disclosure gap.
The crucial step of finding /acl_users/ with the find feature in ZMI is
an interactive, "play and use", kind of step. Finding the relevant
function name is a matter of reading. The direct relationship between
the method names and argument names with the URLs is spelled out in
multiple Zope tutorials.
Correct me if I'm wrong, but I believe this post is the first public
comment to go beyond the patches, hotfix, and logchecker released by the
Plone foundation.
Mark Jenkins
p.s.
In the end, not quite:
"you'll have 30 minutes before the exploit worms start knocking on
doors, I say."
http://weblion.psu.edu/chatlogs/%23plone/2011/02/02.txt
But probably not
"I have doubts if there will be an exploit script ever"
http://weblion.psu.edu/chatlogs/%23plone/2011/02/09.txt
anymore...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/