Dealing with CVE-2012-6081

On this page, there are specific hints about the twikidraw/anywikidraw plugin related remote code execution vulnerability.

HowToHandleSecurityBreach has rather generic hints about how to deal with a security breach (which are not repeated here, so please read that generic page first) - you can also link to that page to inform other admins or users.

The issue / what happened

The wiki software MoinMoin (< 1.9.6) had a vulnerability (CVE-2012-6081), that could be used to create a file in the MoinMoin action plugin directory. The file created there by the attacker was both a valid tar file (created from data provided by the attacker, by the vulnerable twikidraw/anywikidraw action plugin of MoinMoin) and also valid python code, loadable as a MoinMoin action plugin. The file could get created there because of the vulnerability (but only if the MoinMoin plugin directory on the filesystem was writable by that uid AND if the attacker found some wiki page with write ACL permissions on the wiki).

The "moinexec" action plugin that was created by the attacker essentially functioned as a backdoor, executing arbitrary commands under this uid/gid and returning the output of the commands as HTTP response. Usually the backdoor was installed as data/plugin/action/moinexec.py(c) - but of course any other filename (or plugin directory) could have been used also.

Note: it seems like the moinexec.py exploit code is in use since at least July 25, 2012. if you want to check if some exploit has been installed on your server, search your logs for moinexec (but note that also any other name for the exploit could have been used, so also search for suspicious twikidraw/anywikidraw activity).

Note: at least one exploit attempts to overwrite moin.wsgi.

The attacker(s) used the Tor network to hide their real IP addresses and location.

Impact

After installing the backdoor, the attacker could read/write any files or execute any code using the wiki process uid/gid.

Your TODO as wiki admin

Checking whether you run fixed moin code

If you run a wiki with MoinMoin version >=1.9.0 and < 1.9.6, make sure you have the fixes for CVE-2012-6081 applied:

• fix remote code execution vulnerability in twikidraw/anywikidraw actions

• (you may also want to check whether it has other fixes from page SecurityFixes)

The standard release downloads for moin < 1.9.6 do not have these fixes. If you install / maintain your moin manually, you need to upgrade to >= 1.9.6 or apply the patches manually (not recommended).

Security-maintained Linux (or other) distribution packages might have patched/fixed other versions, please read the changelog (or check the code).

Immediate Workaround

Stop the wiki. Put this into your wiki config, into "class Config" (like all other config settings, make sure you indent it correctly). Also make sure you do not override this setting in the same or an inherited config:

•     # actions excluded by default configuration (please check what you need): xmlrpc, MyPages, CopyPage
      # important: exclude the vulnerable drawing actions: twikidraw, anywikidraw
      # also disallow moinexec in case the remote shell action (under the usual name they used) is already installed on your system
      actions_excluded = ['xmlrpc', 'MyPages', 'CopyPage', 'moinexec', 'twikidraw', 'anywikidraw', ]

• Start the wiki.

• check if that wiki markup works: {{drawing:mytest.tdraw}} {{drawing:anywikitest.adraw}} (it should give a message that twikidraw and anywikidraw is an unknown action if you click on the links visible on the wiki page containing that markup).

• twikidraw/anywikidraw drawings won't work any more now (and also the exploit won't work any more).
• Note: image attachments (png, jpg, ...) will still work (they are not dangerous).

Improving password hash security

While the vulnerability is fixed in 1.9.6 (or another version patched with the fixes), we recommend you rather use >= 1.9.7 (or another version patched with passlib support) to have the stronger hashes and some support scripts we made to help admins deal with the situation.

The default password hash with passlib support enabled will be sha512_crypt, which is about a million times slower to crack than salted-sha1.

1.9.7 also has an improved moin account resetpw script to help you doing a global password reset / forced hash upgrade and notifying your users about it.