CVE-2012-6329
Published 2013-01-04
Priority P271 · high · 7.5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS 61.60% (99.1th percentile)
The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.
Affected
37 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | perl | < perl 5.14.2-16 (bookworm) | perl 5.14.2-16 (bookworm) |
| perl | perl | <= 5.16.2 | — |
| perl | perl | — | — |
Detection & IOCs (extracted from sources)
- Detect MAKETEXT injection payloads in POST bodies containing backslash-quote sequences followed by backtick command execution: pattern ``\\'}; `<cmd>`; { #``
- Monitor POST requests to TWiki/Foswiki save endpoints (`/bin/save`, `/do/save`) containing `%MAKETEXT{` with embedded backtick shell metacharacters in the `text` parameter
- Successful exploitation response body contains the string `HASH`; monitor view responses for this pattern as an indicator of eval execution
- Exploitation requires the `UserInterfaceInternationalisation` variable to be set; check for this in Foswiki/TWiki configuration as a prerequisite indicator
- The vulnerability is triggered via Perl `eval` on unsanitized user input in Locale::Maketext's `_compile` function; look for eval-related Perl errors or unexpected process spawning from web server processes
- Exploitation only works on TWiki/Foswiki instances with the `UserInterfaceInternationalisation` variable enabled; sites without this setting are not vulnerable
- Anonymous exploitation is possible if no USERNAME/PASSWORD is required by the target; the module falls back to anonymous access automatically
- The Foswiki exploit module bypasses anti-automation via an MD5 transformation of the `validation_key` combined with the `FOSWIKISTRIKEONE` cookie value; detection should account for this CSRF bypass pattern
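One way to implement the request-side checks listed above, as an added example (not a rule from the page's sources or from any vendor): it flags POSTs to the save endpoints whose `text` parameter carries a `%MAKETEXT{` macro containing a backtick or the backslash-quote breakout. The function name, the reason strings and both sample request bodies are constructed for illustration, and `<cmd>` is a placeholder.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Save endpoints named in the detection notes (/bin/save, /do/save).
SAVE_PATH = re.compile(r"/(?:bin|do)/save(?:/|$)")
# Body of a %MAKETEXT{...}% macro; an unterminated macro runs to end of text.
MAKETEXT = re.compile(r"%MAKETEXT\{(.*?)(?:\}%|\Z)", re.S)
# Backslash(es), quote, closing brace, semicolon: the \\'}; sequence in the notes.
BREAKOUT = re.compile(r"\\+'\s*\}\s*;")


def inspect_request(method, url, body):
    """Return the reasons a request matches the MAKETEXT injection notes."""
    if method.upper() != "POST" or not SAVE_PATH.search(urlsplit(url).path):
        return []
    reasons = []
    # parse_qs URL-decodes, so %25MAKETEXT%7B is seen as %MAKETEXT{.
    for text in parse_qs(body, keep_blank_values=True).get("text", []):
        for macro in MAKETEXT.finditer(text):
            inner = macro.group(1)
            if "`" in inner and "backtick inside MAKETEXT" not in reasons:
                reasons.append("backtick inside MAKETEXT")
            if BREAKOUT.search(inner) and "backslash-quote breakout" not in reasons:
                reasons.append("backslash-quote breakout")
    return reasons


# Constructed sample bodies (not captured traffic); <cmd> is a placeholder.
SUSPICIOUS_BODY = urlencode({"text": r'''%MAKETEXT{"greeting \\'}; `<cmd>`; { #"}%'''})
BENIGN_BODY = urlencode({"text": '%MAKETEXT{"Edit topic [_1]" args="WebHome"}%'})

if __name__ == "__main__":
    for path, body in [("/bin/save/Sandbox/TestPage", SUSPICIOUS_BODY),
                       ("/do/save/Sandbox/TestPage", BENIGN_BODY)]:
        print(path, inspect_request("POST", path, body))
```

The check is scoped to the `text` parameter of save requests, as the notes describe; a legitimate translation string with `args` passes because it contains neither a backtick nor the breakout sequence.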
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 7.5 HIGH
vendor_debian · 7.5 HIGH
vendor_redhat · 7.5 HIGH
GHSA
GHSA-g4g2-w92h-7fjc: The _compile function in Maketext
ghsa_unreviewed·2022-05-17
CVE-2012-6329 [HIGH] CWE-94 GHSA-g4g2-w92h-7fjc: The _compile function in Maketext
OSV
CVE-2012-6329: The _compile function in Maketext
osv·2013-01-04·CVSS 7.5
CVE-2012-6329 [HIGH] CVE-2012-6329: The _compile function in Maketext
Ubuntu
Perl vulnerability
vendor_ubuntu·2014-02-05
CVE-2012-6329 Perl vulnerability
Title: Perl vulnerability
Summary: Perl could be made to run programs if it processed specially crafted Locale::Maketext templates.
It was discovered that Perl's Locale::Maketext module incorrectly handled backslashes and fully qualified method names. An attacker could possibly use this flaw to execute arbitrary code when an application used untrusted templates.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
perl: possible arbitrary code execution via Locale::Maketext
vendor_redhat·2012-12-04·CVSS 7.5
CVE-2012-6329 [HIGH] perl: possible arbitrary code execution via Locale::Maketext
Package: perl (OpenShift Enterprise 1) - Affected
Debian
CVE-2012-6329: perl - The _compile function in Maketext.pm in the Locale::Maketext implementation in P...
vendor_debian·2012·CVSS 7.5
CVE-2012-6329 [HIGH] CVE-2012-6329: perl - The _compile function in Maketext.pm in the Locale::Maketext implementation in P...
Scope: local
bookworm: resolved (fixed in 5.14.2-16)
bullseye: resolved (fixed in 5.14.2-16)
forky: resolved (fixed in 5.14.2-16)
sid: resolved (fixed in 5.14.2-16)
trixie: resolved (fixed in 5.14.2-16)
No detection rules found.
Exploit-DB
Foswiki MAKETEXT - Remote Command Execution (Metasploit)
exploitdb·2012-12-23·CVSS 5.0
CVE-2012-6330 [MEDIUM] Foswiki MAKETEXT - Remote Command Execution (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Foswiki MAKETEXT Remote Command Execution',
'Description' => %q{
This module exploits a vulnerability in the MAKETEXT Foswiki variable. By using
a specially crafted MAKETEXT, a malicious user can execute shell commands since the
input is passed to the Perl "eval" command without first being sanitized. The
problem is caused by an underlying security issue in the CPAN:Locale::Maketext
module. Only Foswiki sites that have user interface localization enabled
(U
```
Exploit-DB
TWiki MAKETEXT - Remote Command Execution (Metasploit)
exploitdb·2012-12-23·CVSS 7.5
CVE-2012-6329 [HIGH] TWiki MAKETEXT - Remote Command Execution (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'TWiki MAKETEXT Remote Command Execution',
'Description' => %q{
This module exploits a vulnerability in the MAKETEXT Twiki variable. By using a
specially crafted MAKETEXT, a malicious user can execute shell commands since user
input is passed to the Perl "eval" command without first being sanitized. The
problem is caused by an underlying security issue in the CPAN:Locale::Maketext
module. This works in TWiki sites that have user interface localization enabled
```
Metasploit
TWiki MAKETEXT Remote Command Execution
metasploit
This module exploits a vulnerability in the MAKETEXT Twiki variable. By using a specially crafted MAKETEXT, a malicious user can execute shell commands since user input is passed to the Perl "eval" command without first being sanitized. The problem is caused by an underlying security issue in the CPAN:Locale::Maketext module. This works in TWiki sites that have user interface localization enabled (UserInterfaceInternationalisation variable set). If USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also, if the 'TwikiPage' option isn't provided, the module will try to create a random page on the SandBox space. The module has been tested successfully on TWiki 5.1.2 as distributed with the official TWiki-VM-5.1.2-1 virtual machine.
Metasploit
Foswiki MAKETEXT Remote Command Execution
metasploit
This module exploits a vulnerability in the MAKETEXT Foswiki variable. By using a specially crafted MAKETEXT, a malicious user can execute shell commands since the input is passed to the Perl "eval" command without first being sanitized. The problem is caused by an underlying security issue in the CPAN:Locale::Maketext module. Only Foswiki sites that have user interface localization enabled (UserInterfaceInternationalisation variable set) are vulnerable. If USERNAME and PASSWORD aren't provided, anonymous access will be tried. Also, if the FoswikiPage option isn't provided, the module will try to create a random page on the SandBox space. The module has been tested successfully on Foswiki 1.1.5 as distributed with the official Foswiki-1.1.5-vmwar
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224
- http://code.activestate.com/lists/perl5-porters/187746/
- http://code.activestate.com/lists/perl5-porters/187763/
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
- http://openwall.com/lists/oss-security/2012/12/11/4
- http://perl5.git.perl.org/perl.git/blob/HEAD:/pod/perl5177delta.pod
- http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
- http://rhn.redhat.com/errata/RHSA-2013-0685.html
- http://sourceforge.net/mailarchive/message.php?msg_id=30219695
- http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:113
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.securityfocus.com/bid/56950
- http://www.ubuntu.com/usn/USN-2099-1
- https://bugzilla.redhat.com/show_bug.cgi?id=884354
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0032