[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Plone CVE-2011-0720 details
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Plone CVE-2011-0720 details
- From: Mark Jenkins <mark@xxxxxxxx>
- Date: Sun, 17 Apr 2011 21:25:49 -0500
This is in regards to CVE-2011-0720, a Plone vulnerability announced in
early February.
http://plone.org/products/plone/security/advisories/cve-2011-0720
As noted on
http://www.securityfocus.com/bid/46102/exploit
"An attacker can exploit this issue using a browser."
To fill in a few more details:
Plone is implemented with Zope -- an object oriented system web
application framework. Many Zope objects can be referenced by url of a
file system like hierarchy formed by object names. Methods of such
objects are thus addressable as
/path_to_parent_object/path_to_object/name_of_method . Arguments as
listed in these function definitions co-respond to field names as per
standard URL encoding (http://en.wikipedia.org/wiki/Percent-encoding.
Object paths consist of object names and are not necessarily related by
type. To search by object type, use the find feature in the Zope
Management Interface.
I studied the released hotfix and documented co-responding patches in
the subversion repositories that were slated to go into Plone 4.0.4 .
(easier than reading the hotfix)
http://dl.dropbox.com/u/16487130/plone_4.0.4_security_patches.txt
Used the Zope Management Interface find feature in my own test
deployment of Plone 4.0.3 to find objects of the affected types.
Searching for type "Pluggable Auth Service" (PAS) as patched by
http://dev.plone.org/collective/changeset/232213
was most fruitful. On default Plone installations a PAS can be found in
/acl_users/ for each installed site.
The exposed getUsers and userSetPassword methods are a fairly dangerous
combination that can be exploited by anonymous attackers. Other
functions are of more limited value or require stronger permissions.
These methods are also listed in the log checker
http://plone.org/products/plone-hotfix/releases/CVE-2011-0720/logchecker.py
but with the /acl_users/ part absent.
--- End Details ---
On the matter of disclosure gap and necessary capabilities:
I spent around 16 waking hours and 26 clock hours to go from having seen
the original vulnerability announcement to exploiting. This is in my
guess a high upper bound for the capabilities required to go from "vuln"
to "sploit".
I had only user-level prior familiarity with Plone and no prior
familiarity with Zope.
To test if someone else could reasonably translate these public
vulnerability details into an exploit, I presented the basic knowledge
of Zope URL based invocation and how I found /acl_users/, and pointed to
the above relevant patch over the course of 2 hours at a
competition/talk on March 19th. Another individual was able to identify
the appropriate function name and arguments with an additional hour,
escalated to an administrator account, and vandalized a test site
running for the occasion.
http://www.skullspace.ca/blog/2011/03/hackathon-4-was-a-huge-success/
I regret that a recording was not made despite best efforts and that my
slides are of such limited detail to not warrant publication.
(this email has way more useful information)
Though both myself and the other individual have programming
backgrounds, I guess that a moderately determined individual without
such capabilities could also close the disclosure gap.
The crucial step of finding /acl_users/ with the find feature in ZMI is
an interactive, "play and use", kind of step. Finding the relevant
function name is a matter of reading. The direct relationship between
the method names and argument names with the URLs is spelled out in
multiple Zope tutorials.
Correct me if I'm wrong, but I believe this post is the first public
comment to go beyond the patches, hotfix, and logchecker released by the
Plone foundation.
Mark Jenkins
p.s.
In the end, not quite:
"you'll have 30 minutes before the exploit worms start knocking on
doors, I say."
http://weblion.psu.edu/chatlogs/%23plone/2011/02/02.txt
But probably not
"I have doubts if there will be an exploit script ever"
http://weblion.psu.edu/chatlogs/%23plone/2011/02/09.txt
anymore...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/