
Security Alert: Denial-of-Service vulnerability in MAKETEXT macro

Get alerted: to get immediate alerts of high-priority security issues, please join the low-volume foswiki-announce list; details at MailingLists.

This advisory alerts you of a potential security issue with your Foswiki installation. A vulnerability has been reported against the Foswiki %MAKETEXT{}% macro, which Foswiki uses to provide translations. Because of this vulnerability it may be possible for a user to exhaust the server's memory and swap space using a crafted %MAKETEXT{}% macro. If your wiki allows commenting by users without first logging in, then it may be possible for such an anonymous user to exploit this vulnerability.

Severity Level

Severity 1 issue: The web server can be compromised

The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcess

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2012-6330 to this vulnerability.

Vulnerable Software Versions

To be fixed in Foswiki 1.1.7

Attack Vectors

Editing wiki pages and HTTP POST requests towards a Foswiki server with localization enabled (typically port 80/TCP). Typically, prior authentication is necessary.

A crafted %MAKETEXT{}% macro can consume all memory, leading to a possible system crash. Any user with the authority to edit a topic, comment on a topic, or execute the Foswiki rendering code (e.g. the RenderPlugin) can take advantage of the vulnerability.

Impact

Exhaustion of system swap space and memory, leading to Denial of Service

A critical remote code execution vulnerability (SecurityAlert-CVE-2012-6329) is also addressed by the patches in this alert. Refer to that alert for further information.

Details

A crafted %MAKETEXT{}% macro can cause multiple issues:
  • Execute arbitrary code on the server by passing unsanitized strings to Locale::Maketext. (CVE-2012-6329)
  • Consume memory and swap space, resulting in a potential lockup or crash, because %MAKETEXT{}% does not validate the parameter numbers supplied in the [_nnn] tokens. (CVE-2012-6330)
  • Cause an exception within Foswiki, also due to invalid parameters in [_nnn] tokens.

Countermeasures

One of the following should be done as soon as possible:

  • Manually apply the hotfix (see patch below), or
  • Apply the http://foswiki.org/Extensions/PatchItem12285Contrib to your Foswiki 1.1.x system (does not apply to Foswiki 1.0.x), or
  • The Foswiki Debian package has already been updated with the hotfix; use your preferred package management tool to update to foswiki 1.1.6-2.

Note that disabling {UserInterfaceInternationalisation} in your LocalSite.cfg will avoid the code execution vulnerability reported as SecurityAlert-CVE-2012-6329, but this other issue will still remain.

Upgrade to the latest patched production release, FoswikiRelease01x01x07, once released.

The Foswiki patch fixes other issues with the %MAKETEXT{}% macro beyond the out-of-memory issue. Even with this patch installed, we recommend that Locale::Maketext also be upgraded to 1.23 or later.

Hotfix for Foswiki Release 1.1.0 - 1.1.6

Install Extensions.PatchItem12285Contrib, and verify that the patch has been applied to lib/Foswiki/Macros/MAKETEXT.pm. The extension will attempt to apply two patches, and should report that 1 file was patched. Only one of the patches will match your system. This patch fixes both SecurityAlert-CVE-2012-6329 and SecurityAlert-CVE-2012-6330.

Running Post-install exit for PatchItem12285Contrib...
Processing /var/www/data/Foswiki-1.1.1/working/configure/patch/Item12285-001.patch
...
MD5 Matched - applying patch version Foswiki 1.1.0 - 1.1.2.
Update successful for /var/www/data/Foswiki-1.1.0/lib/Foswiki/Macros/MAKETEXT.pm
.
1 file patched
...
Processing /var/www/data/Foswiki-1.1.1/working/configure/patch/Item12285-002.patch
...
No files matched patch signatures

On a properly patched system, %MAKETEXT{" [_101] "}% should return the error: Excessive parameter number 101, MAKETEXT rejected.
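The parameter-number check described under Details, and the `%MAKETEXT{" [_101] "}%` verification just above, modelled in Python as an added example. This is not Foswiki code: the token grammar is reduced to `[_n]` and `[*,_n,singular,plural]`, the `~[` escaping of literal brackets is not modelled, the function names (`scan_params`, `expand_checked`, and so on) are invented here, and the limit of 100 is the one the hotfix uses. The unchecked path shows where the unbounded "fill omitted args" padding comes from; the checked path rejects the number before any padding happens.

```python
import re

# Upper bound on parameter numbers. The value 100 matches the limit in the
# Foswiki hotfix; everything else here is a model written for this advisory.
MAX_PARAM = 100

# Token forms handled by MAKETEXT: [_n] and the plural form
# [*,_n,singular,plural]. ("~[" escaping of literal brackets is not modelled.)
TOKEN_RE = re.compile(r'\[(?:_(\d+)|\*,_(\d+),([^,\]]+)(?:,([^,\]]+))?)\]')


def scan_params(template):
    """Return every parameter number referenced in the template, in order."""
    return [int(m.group(1) or m.group(2)) for m in TOKEN_RE.finditer(template)]


def pad_args(args, highest):
    # "fill omitted args": the macro extends the argument list up to the
    # highest referenced parameter number. Without a bound on that number
    # this is where a token such as [_999999] turns into a huge allocation.
    return list(args) + [''] * max(0, highest - len(args))


def render(template, args):
    """Substitute [_n] with args[n-1] and [*,_n,sing,plur] with a quantity."""
    def sub(m):
        if m.group(1) is not None:
            return str(args[int(m.group(1)) - 1])
        count = args[int(m.group(2)) - 1]
        if str(count) == '1':
            word = m.group(3)
        else:
            word = m.group(4) or m.group(3) + 's'
        return f'{count} {word}'
    return TOKEN_RE.sub(sub, template)


def expand_unchecked(template, args):
    """Pre-hotfix behaviour (modelled): no validation, pad to whatever the
    template asks for, then render."""
    padded = pad_args(args, max(scan_params(template), default=0))
    return render(template, padded)


def expand_checked(template, args, limit=MAX_PARAM):
    """Hotfix behaviour (modelled): validate every parameter number before
    any padding or allocation happens. Returns (ok, text)."""
    nums = scan_params(template)
    for n in nums:
        if n > limit:
            return False, f'Excessive parameter number {n}, MAKETEXT rejected.'
        if n < 1:
            return False, f'Invalid parameter "_{n}", MAKETEXT rejected.'
    padded = pad_args(args, max(nums, default=0))
    return True, render(template, padded)


if __name__ == '__main__':
    # Constructed inputs: an ordinary translation string and the [_101]
    # probe the advisory uses to confirm that a system is patched.
    print(expand_checked('[_1] uploaded [*,_2,file,files]', ['alice', 3]))
    print(expand_checked(' [_101] ', []))
```

`pad_args` is deliberately kept as a separate function so the size of the list the unchecked path would build can be inspected without rendering anything; the same padding step runs in the checked path, but only after every referenced number has been confirmed to lie in 1..100.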

Note that this Contrib will also install the PatchFoswikiContrib as a prerequisite. PatchFoswikiContrib patches the Extensions installer to accept the new style version strings used for modules released as of 1.1.6.

Hotfix for Foswiki Archived Release 1.0.0-1.0.10

This patch fixes both SecurityAlert-CVE-2012-6329 and SecurityAlert-CVE-2012-6330.

This release must be patched manually. In Foswiki.pm, in sub MAKETEXT:
--- Foswiki.pm  2010-01-17 09:16:20.000000000 -0500
+++ Foswiki.pm.new      2012-12-10 10:06:37.389129654 -0500
@@ -4200,6 +4200,9 @@
     $str =~
 s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
 
+    return "Illegal parameter number" if ($max > 100);
+    $str =~ s#\\#\\\\#g;
+
     # get the args to be interpolated.
     my $argsStr = $params->{args} || "";
 
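Review bot: the `$max > 100` check only guards the upper bound; unlike the `_validate` routine in the 1.1.x patches, nothing here rejects a parameter number below 1 (`[_0]`), and the `"Illegal parameter number"` string is plain text rather than the `foswikiAlert` span the 1.1.x fix emits, so the two branches report the same condition differently. Also, `$str =~ s#\\#\\\\#g;` runs unconditionally, whereas the 1.1.x patches gate the same backslash doubling on `$Locale::Maketext::VERSION < 1.23` and skip it once the fixed module is installed; adding the lower-bound check and the version gate would bring this hunk in line with the 1.1.x fix.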

Manual patch for Foswiki Release 1.1.0 -> 1.1.2

Installing the PatchItem12285Contrib is the best way to patch your system; you can, however, see the patch we apply here. This patch fixes both SecurityAlert-CVE-2012-6329 and SecurityAlert-CVE-2012-6330:

~~~PATCH 72c86f0c71519caf6d26efbe174739f6  lib/Foswiki/Macros/MAKETEXT.pm (Foswiki 1.1.0 - 1.1.2)
--- /home/gac/Foswiki/Foswiki-1.1.0/lib/Foswiki/Macros/MAKETEXT.pm   2010-10-04 11:26:34.000000000 -0400
+++ lib/Foswiki/Macros/MAKETEXT.pm   2012-12-11 11:26:04.034507184 -0500
@@ -4,9 +4,19 @@
 use strict;
 use warnings;
 
+use Locale::Maketext;
+my $escape =
+  (      $Foswiki::cfg{UserInterfaceInternationalisation}
+      && $Locale::Maketext::VERSION
+      && $Locale::Maketext::VERSION < 1.23 );
+
 sub MAKETEXT {
     my ( $this, $params ) = @_;
 
+    my $max;
+    my $min;
+    my $param_error;
+
     my $str = $params->{_DEFAULT} || $params->{string} || "";
     return "" unless $str;
 
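Review bot: the `$escape` test fails open: if `$Locale::Maketext::VERSION` is undefined, the `&&` chain evaluates to false and the backslash escaping is silently skipped, although an unknown version may still be older than 1.23. Treating an unknown version as needing the escape (`!defined $Locale::Maketext::VERSION || $Locale::Maketext::VERSION < 1.23`) would be the safer default. Separately, `my $max;`, `my $min;` and `my $param_error;` are declared here but only initialised in the next hunk; writing `my $max = 0;` and so on at the declaration site keeps declaration and initialisation together.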
@@ -18,15 +28,22 @@
     $str =~ s/~~\[/~[/g;
     $str =~ s/~~\]/~]/g;
 
+    $max         = 0;
+    $min         = 1;
+    $param_error = 0;
+
     # unescape parameters and calculate highest parameter number:
-    my $max = 0;
-    $str =~ s/~\[(\_(\d+))~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
+    $str =~ s/~\[(\_(\d+))~\]/_validate($1, $2, $max, $min, $param_error)/ge;
     $str =~
-s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
+s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ _validate($1, $2, $max, $min, $param_error)/ge;
+    return $str if ($param_error);
 
     # get the args to be interpolated.
     my $argsStr = $params->{args} || "";
 
+    # Escape any escapes.
+    $str =~ s#\\#\\\\#g if ($escape);    # escape any escapes
+
     my @args = split( /\s*,\s*/, $argsStr );
 
     # fill omitted args with zeros
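Review bot: `return $str if ($param_error);` hands back the whole partially rewritten template with the `foswikiAlert` span spliced in where the bad token was, rather than just the error, and the second `s///ge` still runs over the string after the first substitution has already set `$param_error`. Capturing the message from `_validate` and returning it alone, and skipping the second substitution once the flag is set, would give the caller the clean "Excessive parameter number 101, MAKETEXT rejected." result the advisory's verification step describes. The doubled comment (`# Escape any escapes.` above the line and `# escape any escapes` trailing it) can be reduced to one.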
@@ -47,6 +64,26 @@
     return $result;
 }
 
+sub _validate {
+
+    #my ( $contents, $number, $max, $min, $param_error ) = @_
+
+    $_[2] = $_[1] if ( $_[1] > $_[2] );    # Record maximum param number
+    $_[3] = $_[1] if ( $_[1] < $_[3] );    # Record minimum param number
+
+    if ( $_[1] > 100 ) {
+        $_[4] = 1;                         # Set error flag
+        return
+"<span class=\"foswikiAlert\">Excessive parameter number $_[2], MAKETEXT rejected.</span>";
+    }
+    if ( $_[1] < 1 ) {
+        $_[4] = 1;                         # Set error flag
+        return
+"<span class=\"foswikiAlert\">Invalid parameter <code>\"$_[0]\"</code>, MAKETEXT rejected.</span>";
+    }
+    return "[$_[0]]";    # Return the complete bracket parameter without escapes
+}
+
 1;
 __END__
 Foswiki - The Free and Open Source Wiki, http://foswiki.org/
 
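Review bot: the "Excessive parameter number" message interpolates `$_[2]` (the running maximum) instead of `$_[1]` (the number that failed the check); the two only coincide when the offending token is also the largest seen so far, so a string containing `[_150]` followed by `[_101]` reports 150 for the second token. Use `$_[1]` in the message. The "Invalid parameter" branch interpolates the raw bracket contents `$_[0]` into an HTML span; reporting just the number, or escaping `$_[0]`, avoids echoing arbitrary token text into the error. Finally, `$_[3]` (`$min`) is recorded but nothing reads it, so it and the `$min` plumbing can be dropped.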

Manual patch for Foswiki Release 1.1.3 -> 1.1.6

Installing the PatchItem12285Contrib is the best way to patch your system; you can, however, see the patch we apply here. This patch fixes both SecurityAlert-CVE-2012-6329 and SecurityAlert-CVE-2012-6330:

~~~PATCH 160f04fc478c5f9b81d2ef6c9e614074  lib/Foswiki/Macros/MAKETEXT.pm (Foswiki 1.1.3 - Foswiki 1.1.6)
--- lib/Foswiki/Macros/MAKETEXT.pm   2012-12-11 10:51:12.959268829 -0500
+++ lib/Foswiki/Macros/MAKETEXT.pm.new   2012-12-11 10:37:31.674486503 -0500
@@ -4,9 +4,19 @@
 use strict;
 use warnings;
 
+use Locale::Maketext;
+my $escape =
+  (      $Foswiki::cfg{UserInterfaceInternationalisation}
+      && $Locale::Maketext::VERSION
+      && $Locale::Maketext::VERSION < 1.23 );
+
 sub MAKETEXT {
     my ( $this, $params ) = @_;
 
+    my $max;
+    my $min;
+    my $param_error;
+
     my $str = $params->{_DEFAULT} || $params->{string} || "";
     return "" unless $str;
 
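Review bot: missing documentation: nothing in this hunk says why 1.23 is the threshold for `$escape`. A one-line comment tying it to the Locale::Maketext release the advisory recommends ("1.23 or later") would tell a future maintainer when the escaping becomes dead code. It is also worth noting in that comment that `$escape` is a file-scoped lexical evaluated once when the module is compiled, so on a persistent interpreter (mod_perl, FastCGI) the flag only reflects an upgraded Locale::Maketext after the server is restarted.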
@@ -18,15 +28,22 @@
     $str =~ s/~~\[/~[/g;
     $str =~ s/~~\]/~]/g;
 
+    $max         = 0;
+    $min         = 1;
+    $param_error = 0;
+
     # unescape parameters and calculate highest parameter number:
-    my $max = 0;
-    $str =~ s/~\[(\_(\d+))~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
+    $str =~ s/~\[(\_(\d+))~\]/_validate($1, $2, $max, $min, $param_error)/ge;
     $str =~
-s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ $max = $2 if ($2 > $max); "[$1]"/ge;
+s/~\[(\*,\_(\d+),[^,]+(,([^,]+))?)~\]/ _validate($1, $2, $max, $min, $param_error)/ge;
+    return $str if ($param_error);
 
     # get the args to be interpolated.
     my $argsStr = $params->{args} || "";
 
+    # Escape any escapes.
+    $str =~ s#\\#\\\\#g if ($escape);    # escape any escapes
+
     my @args = split( /\s*,\s*/, $argsStr );
 
     # fill omitted args with empty strings
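Review bot: the `_validate($1, $2, $max, $min, $param_error)` call relies on `@_` aliasing so that the callee can write back into `$max`, `$min` and `$param_error`; that is valid Perl but the side effect is invisible at the call site, and a reader of this line cannot tell that `return $str if ($param_error);` depends on it. Passing references (`\$max`, `\$param_error`) or having `_validate` return the values would document the write-back. A short comment above the two substitutions explaining that they both validate and unescape the tokens would also help, since the existing comment still only mentions calculating the highest parameter number.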
@@ -47,6 +64,26 @@
     return $result;
 }
 
+sub _validate {
+
+    #my ( $contents, $number, $max, $min, $param_error ) = @_
+
+    $_[2] = $_[1] if ( $_[1] > $_[2] );    # Record maximum param number
+    $_[3] = $_[1] if ( $_[1] < $_[3] );    # Record minimum param number
+
+    if ( $_[1] > 100 ) {
+        $_[4] = 1;                         # Set error flag
+        return
+"<span class=\"foswikiAlert\">Excessive parameter number $_[2], MAKETEXT rejected.</span>";
+    }
+    if ( $_[1] < 1 ) {
+        $_[4] = 1;                         # Set error flag
+        return
+"<span class=\"foswikiAlert\">Invalid parameter <code>\"$_[0]\"</code>, MAKETEXT rejected.</span>";
+    }
+    return "[$_[0]]";    # Return the complete bracket parameter without escapes
+}
+
 1;
 __END__
 Foswiki - The Free and Open Source Wiki, http://foswiki.org/
 
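Review bot: `_validate` addresses its arguments positionally (`$_[0]` .. `$_[4]`) with the intended signature left as a commented-out line; naming the read-only arguments (`my ($contents, $number) = @_[0, 1];`) while keeping the aliased `$_[2]`..`$_[4]` for write-back would make the function readable without the comment. The `100` limit is a bare literal here and in the advisory's `[_101]` verification; a named constant near the top of the file would keep the two in step. The `$_[1] < 1` branch can only fire for `_0` (the regex captures `\d+`, so negatives never reach it); a comment saying so would save the next reader from wondering.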

Action Plan with Timeline

  • 2012-12-05 - The Locale::Maketext vulnerability was discussed on the Perl5Porters email list, triggered review of Foswiki code.
  • 2012-12-05 - Patched version (1.23) of Locale::Maketext is released.
  • 2012-12-08 - The [_999999] DoS issue was identified and sent to the foswiki security list.
  • 2012-12-09 - The "remote execution" vulnerability in Locale::Maketext was confirmed on Foswiki.
  • 2012-12-09 - Requested the CVE from MITRE.
  • 2012-12-09 - TWiki notified of the vulnerability.
  • 2012-12-10 - Developer fixes code (George Clark) and security team validates the fixes.
  • 2012-12-10 - Extensions.PatchItem12285Contrib released for Foswiki 1.1.x
  • 2012-12-10 - Security team creates advisory with hotfix. Announcement delayed for coordination with TWiki (George Clark)
  • 2012-12-12 - Updated Debian packages released (Sven Dowideit)
  • 2012-12-12 - Send alert to foswiki-announce and foswiki-discuss mailing lists ( )
  • 2012-12-14 - Publish advisory in Support web and update all related topics ( )
  • 2012-12-14 - Reference to public advisory on Download page and Known Issues ( )
  • 2012-xx-xx - Release Manager builds patch release ( )
  • 2012-xx-xx - Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org) ( )

Topic revision: r3 - 14 Dec 2012, GeorgeClark