Advisory 01/2007: TikiWiki Remote PHP Code Evaluation Vulnerability

                          SektionEins GmbH
                         www.sektioneins.de

                      -= Security  Advisory =-

     Advisory: TikiWiki Remote PHP Code Evaluation Vulnerability
 Release Date: 2007/10/29
Last Modified: 2007/10/29
       Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: TikiWiki <= 1.9.8.1
     Severity: Remote PHP code execution when TikiWiki's
               sheet feature is activated
         Risk: Medium
Vendor Status: Vendor has released TikiWiki 1.9.8.2 which fixes this issue
    Reference: http://www.sektioneins.de/advisories/advisory-012007-tikiwiki-remote-php-code-evaluation-vulnerability.html

Overview:

   Quote from http://www.tikiwiki.org
   "TikiWiki (Tiki) is your Groupware/CMS (Content Management System)
    solution. Tiki has the features you need:
    * Wikis (like Mediawiki)
    * Forums (like phpBB)
    * Blogs (like WordPress)
    * Articles (like Digg)
    * Image Gallery (like Flickr)
    * Map Server (like Google Maps)
    * Link Directory (like DMOZ)
    * Translation and i18n (like Babel Fish)"

   TikiWiki 1.9.8.1 fixes a broken white-list check (CVE-2007-5423)
   that is supposed to protect against arbitrary PHP code injection
   in a call to create_function(). When we analysed the bugfix we
   discovered that while the reported bug in the white-list check
   is now repaired, it is still possible to execute arbitrary PHP
   code by only using the strings allowed in the white-list.

   However since TikiWiki 1.9.8.1 the vulnerability can only be
   triggered if the 'sheet' feature of TikiWiki is activated in the
   configuration.

Details:

   TikiWiki's tiki-graph_formula.php creates an anonymous function
   with PHP's create_function() to dynamically evaluate a mathematical
   function supplied by the user through the 'f' URL parameter.

   To protect against arbitrary PHP code execution the TikiWiki
   developers have combined a blacklist and white-list approach. On
   the one hand they have blacklisted three characters and on the
   other hand they only allow certain alphanumerical strings in the
   user input.

   The three blacklisted characters are

      ` - Allows execution of shell commands
      ' - String delimiter
      " - String delimiter

   The white-list of allowed alphanumerical string does only contain
   mathematical function names like: sin, cos, tan, pow, ...

   When TikiWiki was audited by ShAnKaR he discovered that the
   white-list check was incorrectly implemented and it was therefore
   possible to execute any PHP function. This vulnerability is known
   as CVE-2007-5423 and was fixed with the TikiWiki 1.9.8.1 update.

   Unfortunately the repaired white-list does not protect against
   arbitrary PHP code execution because PHP supports variable
   functions and variable variables.

      $varname = 'othervar';
      $$varname = 4;  // set $othervar to 4

      $funcname = 'chr';
      $funcname(95);  // call chr(95)

   Because TikiWiki's blacklist does not protect against the '$'
   character, the injected PHP formulas can use temporary variables
   like $sin, $cos, $tan, ...

   It is therefore obvious that the protection can be bypassed by
   filling the temporary variables with strings representing names
   of other functions. Because of TikiWiki's black- and white-list
   this is a little bit tricky but possible.

   First of all it seems hard to get any string at all into one
   of our temporary variables because all allowed functions only
   return numbers. There are however two PHP features that help:
   array to string conversion and handling of unknown constants.

     $sin=cosh;       // cosh is an unknown constant.
                      // PHP assumes the string 'cosh' as value

     $sin[]=pi();     // Creates an array
     $sin=$sin.$sin;  // Stringconcats of arrays. Array to string
                      // conversion. Becomes 'ArrayArray'

   Using these tricks in combination with the ++ Operator that
   also allows incrementing alphanumerical strings it is possible
   to for example call the chr() function like this.

      $tan=pi()-pi();   // Get 0 into $tan
      $sin=cosh;        // Get the string 'cosh' into $sin
      $min=$sin[$tan];  // Get 'c' into $min
      $tan++;           // Get 1 into $tan
      $min.=$sin[$tan+$tan+$tan] // Append 'h' to 'c'
      $min.=$sin[$tan]; // Append 'o' to 'ch'
      $min++;           // Increment 'cho' to 'chp'
      $min++;           // Increment 'chp' to 'chq'
      $min++;           // Increment 'chq' to 'chr'
      $min($tan)        // Call chr(1)

   With access to the chr() function it is possible to create
   all kind of strings and therefore call any other function,
   which obviously leads to arbitrary PHP code execution.

Proof of Concept:

   SektionEins GmbH is not going to release a proof of concept
   exploit for this vulnerability.

Disclosure Timeline:

   14. October 2007 - Notified security@tikiwiki.org, patch in CVS
   25. October 2007 - TikiWiki developers released TikiWiki 1.9.8.2
   26. October 2007 - TikiWiki developers released TikiWiki 1.9.8.3
   29. October 2007 - Public Disclosure

Recommendation:

   It is strongly recommended to upgrade to the latest version of
   TikiWiki which also fixes additional vulnerabilities reported by
   third parties.

   Grab your copy at:

   http://info.tikiwiki.org/tiki-index.php?page=Get+Tiki

CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CVE-2007-5682 to this vulnerability.

GPG-Key:

   http://www.sektioneins.de/sektioneins-signature-key.asc

   pub  1024D/48A1DB12 2007-10-04 SektionEins GmbH - Signature Key
   Key fingerprint = 4462 A777 4237 E292 F52D  5AFE 7C9C C1AF 48A1 DB12

Copyright 2007 SektionEins GmbH. All rights reserved.