Home page logo

fulldisclosure logo Full Disclosure mailing list archives

The true story of TWiki vuln (exploit included)
From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Mon, 15 Nov 2004 23:03:36 +0100

Hash: SHA1

[ In response to:
http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0022.html ]

Dear Hans,

It is not a commendable action to make people believe that you found a
vulnerability which you really have not discovered. I don't know if
you did it on purpose. I prefer to believe you didn't but it is
reasonable to think that publishing it without *clearly* stating its
procedence could lead people to misunderstanding. This thought may be
easily strengthen by the fact that you forced an "uncoordinated
emergency disclosure" (as read in your advisory) just when I was
coordinating my own advisory with Peter Thoeny (main developer and
author of TWiki). Exposed facts caused me a sense of indignation so I
started to investigate the issue. Before writing this public response,
I talked to many different people/sources and different point of views
and mails were exchanged. Things got complicated by the fact that you
seem to belong to a well-known and reputable security organization
(whose name I won't disclose here to avoid any suspicion and to show
my respect to it) and your action was (or at least seemed to be)
unethical, as recognized by some of the more representative members of
your (presumible) organization.

To summarize the results and have some semi-impartial view, I have
attached a mail from Peter where he publicly explains the timeline
followed in the disclosure (judge by yourself). He also drops some
personal thoughts which I don't necessarily share. Btw, mine are:
1) Peter didn't know how to coordinate the issue or at least he was
not fast enough.
2) Hans rushed the publication of the advisory and masked it, perhaps
in the mood for fame (last comment is subjective).
3) As result of 1+2, Hans and me couldn't meet before all this mess,
which would have been avoided almost for sure.

I have been accused to have hidden my discovery during aprox. two
months with presumibly obscure purposes. Well, it is true that I knew
about the discussed issues for that time, but my reasons have been
completely disrupted. *I don't have anything to hide*. I'm an
independant researcher and I like researching vulnerabilities only for
fun. I also like to spend my time and enjoy my spare time without any
hurry. Apart from this, believe it or not, but I have been very busy
during past months. For instance, in past two months I got married
with a lovely girl, went to honey-moon... Don't want to know all the
details, eh? :-) Strictly speaking about computers, I'm also involved
in other projects and to be honest, TWiki was/is not prioritary to me
(I was looking for a WikiWiki software to use; when I accidentally
discovered the backsticks bug, I fastly switched to consider other
similar software like Phpwiki).

I consider myself as a pro full-disclosure man and I like to publish
my works. But Peter, don't go wrong by blaming me of the hack of two
machines due to my delayed disclosure: *full disclosure is a
privilege, not a right for any developer*. Full-disclosers often
invest their time in helping community to enhace the security of many
applications and/or fixing bugs _the developers commit_.

Something similar applies to you, Hans: running a 2.4.20 kernel is not
precisely what I'd call a good job for a responsible and/or
security-conscious sys-admin...

It's funny to read Peter's statement:
"The vulnerability was known to Roman for 2 month, but he did 
not inform the TWiki developers. _Damage on two sites could have
been prevented._".
Apart from my personal reasons (which I already explained), it's easy
to refute and rewrite your paragraph:
"TWiki developers wrote buggy code. _Damage on two sites could have
been prevented if they had known basic principles about security".
Haven't you think about that possibility? Sorry, guys but once again,
judge for yourself ;-)

Moreover, I've just received a phone call some minutes ago stating
that TWiki vulnerability was known for at least 1 year!! Woo!! If that
is true, it would mean that other people independently discovered the
same vulnerability before me, fact which doesn't surprise me, taking
into account the silly and simple nature of the bug. Anybody could
have discover it. I'm not particularly proud of my research in TWiki,
it doesn't require very high skills. Not at all, indeed. But one of
the things that sicken me is people getting credits that they don't
deserve. That's the main reason of this post.

Having said that, and for the rest of people who doesn't know what's
this story about, forget it and enjoy the attached exploit. It's beta
but it works (against TWiki "BeijingRelease" [1]; I did a quick test
against "CairoRelease" [2] and it doesn't work for it). Proxy and HTTP
auth is supported. Win32/Unix compatible. And please remember: use at
your own risk.

Finally, I'd like to clearly state that I take no responsibility of
any hacked machine due to this bug being exploited, in the past,
present or future. I don't approve/support the hack of any machine,
including machines belonging to certain referred organization and/or
administered by Hans Ulrich. I like researching and writing exploits
for fun. But attacking machines... simply it's not my style.

That's all I have to say about this issue. I won't enter any flame war
and I will not respond to any post regarding this matter, either.

PS: References:
[1] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Feb2003.
[2] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Sep2004


- --
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>



PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

Attachment: disclose_timeline.txt

Attachment: tweaky.pl

  By Date           By Thread  

Current thread:
  • The true story of TWiki vuln (exploit included) Roman Medina-Heigl Hernandez (Nov 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]