-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [ In response to: http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0022.html ] Dear Hans, It is not a commendable action to make people believe that you found a vulnerability which you really have not discovered. I don't know if you did it on purpose. I prefer to believe you didn't but it is reasonable to think that publishing it without *clearly* stating its procedence could lead people to misunderstanding. This thought may be easily strengthen by the fact that you forced an "uncoordinated emergency disclosure" (as read in your advisory) just when I was coordinating my own advisory with Peter Thoeny (main developer and author of TWiki). Exposed facts caused me a sense of indignation so I started to investigate the issue. Before writing this public response, I talked to many different people/sources and different point of views and mails were exchanged. Things got complicated by the fact that you seem to belong to a well-known and reputable security organization (whose name I won't disclose here to avoid any suspicion and to show my respect to it) and your action was (or at least seemed to be) unethical, as recognized by some of the more representative members of your (presumible) organization. To summarize the results and have some semi-impartial view, I have attached a mail from Peter where he publicly explains the timeline followed in the disclosure (judge by yourself). He also drops some personal thoughts which I don't necessarily share. Btw, mine are: 1) Peter didn't know how to coordinate the issue or at least he was not fast enough. 2) Hans rushed the publication of the advisory and masked it, perhaps in the mood for fame (last comment is subjective). 3) As result of 1+2, Hans and me couldn't meet before all this mess, which would have been avoided almost for sure. I have been accused to have hidden my discovery during aprox. two months with presumibly obscure purposes. Well, it is true that I knew about the discussed issues for that time, but my reasons have been completely disrupted. *I don't have anything to hide*. I'm an independant researcher and I like researching vulnerabilities only for fun. I also like to spend my time and enjoy my spare time without any hurry. Apart from this, believe it or not, but I have been very busy during past months. For instance, in past two months I got married with a lovely girl, went to honey-moon... Don't want to know all the details, eh? :-) Strictly speaking about computers, I'm also involved in other projects and to be honest, TWiki was/is not prioritary to me (I was looking for a WikiWiki software to use; when I accidentally discovered the backsticks bug, I fastly switched to consider other similar software like Phpwiki). I consider myself as a pro full-disclosure man and I like to publish my works. But Peter, don't go wrong by blaming me of the hack of two machines due to my delayed disclosure: *full disclosure is a privilege, not a right for any developer*. Full-disclosers often invest their time in helping community to enhace the security of many applications and/or fixing bugs _the developers commit_. Something similar applies to you, Hans: running a 2.4.20 kernel is not precisely what I'd call a good job for a responsible and/or security-conscious sys-admin... It's funny to read Peter's statement: "The vulnerability was known to Roman for 2 month, but he did not inform the TWiki developers. _Damage on two sites could have been prevented._". Apart from my personal reasons (which I already explained), it's easy to refute and rewrite your paragraph: "TWiki developers wrote buggy code. _Damage on two sites could have been prevented if they had known basic principles about security". Haven't you think about that possibility? Sorry, guys but once again, judge for yourself ;-) Moreover, I've just received a phone call some minutes ago stating that TWiki vulnerability was known for at least 1 year!! Woo!! If that is true, it would mean that other people independently discovered the same vulnerability before me, fact which doesn't surprise me, taking into account the silly and simple nature of the bug. Anybody could have discover it. I'm not particularly proud of my research in TWiki, it doesn't require very high skills. Not at all, indeed. But one of the things that sicken me is people getting credits that they don't deserve. That's the main reason of this post. Having said that, and for the rest of people who doesn't know what's this story about, forget it and enjoy the attached exploit. It's beta but it works (against TWiki "BeijingRelease" [1]; I did a quick test against "CairoRelease" [2] and it doesn't work for it). Proxy and HTTP auth is supported. Win32/Unix compatible. And please remember: use at your own risk. Finally, I'd like to clearly state that I take no responsibility of any hacked machine due to this bug being exploited, in the past, present or future. I don't approve/support the hack of any machine, including machines belonging to certain referred organization and/or administered by Hans Ulrich. I like researching and writing exploits for fun. But attacking machines... simply it's not my style. That's all I have to say about this issue. I won't enter any flame war and I will not respond to any post regarding this matter, either. PS: References: [1] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Feb2003. [2] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Sep2004 Cheers, --Roman - -- PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ] -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBQZkZQuR/in3q1WdCEQJpXQCfeU4HGgs/9U1MN7HmxXmNiLLAvpIAoOL+ IrrG3iWJVPlYl5xtpUmL/EOF =vAnB -----END PGP SIGNATURE----- Saludos, --Roman -- PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ]
Date: Sun, 14 Nov 2004 17:11:30 -0800
From: Peter Thoeny <peter.thoeny@xxxxxxxxxxxxx>
To: Hans Ulrich Niedermann <hun@xxxxxxxx>
Cc: Roman Medina-Heigl Hernandez <roman@xxxxxxxxxxx>, public@*.de
Subject: Re: Lame TWiki advisory
All:
I am not participating in flame wars. I am just pointing
out the facts. I do not care who discovered it first, my
highest priority is that public TWikis are safe and secured
before crackers can take advantage of vulnerabilities.
1. At TWiki.org we have a process defined of how to handle
security issues. It is clearly marked in the BugReport page,
http://TWiki.org/cgi-bin/view/Codev/BugReport :
"Important: In case you think that you discovered a security
issue that could potentially compromise public TWiki
installations, please contact one of the CoreTeam members
by e-mail. We will follow up in a timely manner with a fix
and will inform administrators before the issue gets public."
2. Roman contacted me on Thursday that he discovered a
vulnerability and that he wants to prepare a security
advisory. I replied on the same day with recommended actions
based on our process.
3. Friday morning: Andreas Thienemann, Benjamin Schweizer inform
me on of the vulnerability. At that time we did not know what
caused it. Andreas and I exchanged some e-mail to narrow down the
issue. Andreas forwarded me the log entries of a hacked server.
Based on this I could verify and identify the vulnerability.
4. I create a quick fix, fixed TWiki.org, created a quick advisory
and informed the TWiki community via twiki-dev mailing list. I
also sent the quick fix to Andreas and Benjamin. Then I went to
work.
6. While I was at work, without access to home e-mail:
- Roman sent an e-mail with a search example demonstrating the
vulnerability.
- Hans Ulrich sent me two drafts of an advisory.
5. Friday afternoon: I returned home early because of the issue
and read the e-mails. I made a more robust fix, compiled the
e-mail addresses of several hundred TWiki admins and sent out
the advisory based on Hans Ulrich's version, with some mods.
6. I forwarded the revised advisory to Hans Ulrich, but he already
released it to the public.
Overall the issue got handled in a timely manner once I got to
know about the vulnarability. However these things did not work
well:
- I did not get Hans Ulrich and Roman in touch quickly enough
on Friday.
- The advisory went out uncoordinated, bypassing a grace period
for TWiki admins to fix the hole. (I know that the vulnerability
was already known by hackers, but only by a few. Once an advisory
is made available publicly the whole world knows). _This is not
in line with our published process and possibly compromises other
public TWiki sites._
- The vulnerability was known to Roman for 2 month, but he did
not inform the TWiki developers. _Damage on two sites could have
been prevented._
Regards,
Peter
Attachment:
tweaky.pl
Description: Binary data