
[Full-disclosure] Plone CVE-2011-0720 details



This is in regards to CVE-2011-0720, a Plone vulnerability announced in 
early February.
http://plone.org/products/plone/security/advisories/cve-2011-0720

As noted on
http://www.securityfocus.com/bid/46102/exploit
"An attacker can exploit this issue using a browser."

To fill in a few more details:

Plone is implemented with Zope -- an object-oriented web application 
framework. Many Zope objects can be referenced by URL through a 
file-system-like hierarchy formed by object names. Methods of such 
objects are thus addressable as 
/path_to_parent_object/path_to_object/name_of_method . Arguments as 
listed in these function definitions correspond to field names as per 
standard URL encoding (http://en.wikipedia.org/wiki/Percent-encoding).

Object paths consist of object names and are not necessarily related by 
type. To search by object type, use the find feature in the Zope 
Management Interface.

I studied the released hotfix and documented corresponding patches in 
the subversion repositories that were slated to go into Plone 4.0.4. 
(easier than reading the hotfix)
http://dl.dropbox.com/u/16487130/plone_4.0.4_security_patches.txt

I used the Zope Management Interface find feature in my own test 
deployment of Plone 4.0.3 to find objects of the affected types.

Searching for type "Pluggable Auth Service" (PAS) as patched by
http://dev.plone.org/collective/changeset/232213
was most fruitful. On default Plone installations a PAS can be found in 
/acl_users/ for each installed site.

The exposed getUsers and userSetPassword methods are a fairly dangerous 
combination that can be exploited by anonymous attackers. Other 
functions are of more limited value or require stronger permissions.

These methods are also listed in the log checker
http://plone.org/products/plone-hotfix/releases/CVE-2011-0720/logchecker.py
but with the /acl_users/ part absent.
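As an added illustration for defenders (not the hotfix logchecker and not
code from the original post), the check below scans constructed access-log
lines for requests whose final path segment is one of the two PAS method
names named above. It matches on the method name regardless of the prefix,
so /acl_users/ or /Plone/acl_users/ both count; the log format and sample
lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# PAS method names the advisory identifies as the dangerous exposed pair.
PAS_METHODS = {"getUsers", "userSetPassword"}

# Assumed Apache-style combined log line: ip - - [ts] "METHOD /url HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_request(line):
    """Return (client_ip, method_name, status) if the request addresses a
    PAS method by URL, else None. Only the last path segment is compared,
    so the /acl_users/ prefix (absent from the hotfix logchecker) is not
    required for a match; the query string is ignored."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m.group("url")).path
    segments = [s for s in path.split("/") if s]  # drops trailing slashes
    if not segments or segments[-1] not in PAS_METHODS:
        return None
    return (m.group("ip"), segments[-1], int(m.group("status")))

def scan(lines):
    """Collect all hits over an iterable of log lines."""
    return [hit for hit in map(suspicious_request, lines) if hit]

# Constructed sample log lines (not real traffic; 192.0.2.0/24 is documentation space).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Mar/2011:10:00:01 +0000] "GET /Plone/front-page HTTP/1.1" 200 5120
192.0.2.55 - - [20/Mar/2011:10:00:07 +0000] "GET /Plone/acl_users/getUsers HTTP/1.1" 200 843
192.0.2.55 - - [20/Mar/2011:10:00:12 +0000] "GET /Plone/acl_users/userSetPassword?placeholder=1 HTTP/1.1" 200 0
192.0.2.10 - - [20/Mar/2011:10:01:30 +0000] "POST /Plone/login_form HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    for ip, method, status in scan(SAMPLE_LOG):
        print(f"{ip} invoked {method} (HTTP {status})")
```

A 200 response to such a request from an unauthenticated client is the signal worth alerting on; a 401/403 means the hotfix or permission settings already blocked it.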

--- End Details ---


On the matter of disclosure gap and necessary capabilities:

I spent around 16 waking hours and 26 clock hours to go from having seen 
the original vulnerability announcement to exploiting. This is in my 
guess a high upper bound for the capabilities required to go from "vuln" 
to "sploit".

I had only user-level prior familiarity with Plone and no prior 
familiarity with Zope.

To test if someone else could reasonably translate these public 
vulnerability details into an exploit, I presented the basic knowledge 
of Zope URL based invocation and how I found /acl_users/, and pointed to 
the above relevant patch over the course of 2 hours at a 
competition/talk on March 19th. Another individual was able to identify 
the appropriate function name and arguments with an additional hour, 
escalated to an administrator account, and vandalized a test site 
running for the occasion.
http://www.skullspace.ca/blog/2011/03/hackathon-4-was-a-huge-success/

I regret that a recording was not made despite best efforts and that my 
slides are of such limited detail as to not warrant publication.
(this email has way more useful information)

Though both I and the other individual have programming 
backgrounds, I guess that a moderately determined individual without 
such capabilities could also close the disclosure gap.

The crucial step of finding /acl_users/ with the find feature in ZMI is 
an interactive, "play and use", kind of step. Finding the relevant 
function name is a matter of reading. The direct relationship between 
the method names and argument names with the URLs is spelled out in 
multiple Zope tutorials.

Correct me if I'm wrong, but I believe this post is the first public 
comment to go beyond the patches, hotfix, and logchecker released by the 
Plone foundation.


Mark Jenkins

p.s.

In the end, not quite:
"you'll have 30 minutes before the exploit worms start knocking on 
doors, I say."
http://weblion.psu.edu/chatlogs/%23plone/2011/02/02.txt

But probably not
"I have doubts if there will be an exploit script ever"
http://weblion.psu.edu/chatlogs/%23plone/2011/02/09.txt
anymore...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/