Mark Jenkins

Information Technology Contractor

By

Plone CVE-2011-0720 details

This was originally posted on the Full Disclosure mailing list, April 17, 2011.


This is in regards to CVE-2011-0720, a Plone vulnerability announced in early February.
http://plone.org/products/plone/security/advisories/cve-2011-0720

As noted on http://www.securityfocus.com/bid/46102/exploit
“An attacker can exploit this issue using a browser.”

To fill in a few more details:

Plone is implemented with Zope — an object oriented system web application framework. Many Zope objects can be referenced by url of a file system like hierarchy formed by object names. Methods of such objects are thus addressable as /path_to_parent_object/path_to_object/name_of_method . Arguments as listed in these function definitions co-respond to field names as per standard URL encoding (http://en.wikipedia.org/wiki/Percent-encoding.

Object paths consist of object names and are not necessarily related by type. To search by object type, use the find feature in the Zope Management Interface.

I studied the released hotfix and documented co-responding patches in the subversion repositories that were slated to go into Plone 4.0.4 . (easier than reading the hotfix)
http://dl.dropbox.com/u/16487130/plone_4.0.4_security_patches.txt

Used the Zope Management Interface find feature in my own test deployment of Plone 4.0.3 to find objects of the affected types.

Searching for type “Pluggable Auth Service” (PAS) as patched by http://dev.plone.org/collective/changeset/232213 was most fruitful. On default Plone installations a PAS can be found in /acl_users/ for each installed site.

The exposed getUsers and userSetPassword methods are a fairly dangerous combination that can be exploited by anonymous attackers. Other functions are of more limited value or require stronger permissions.

These methods are also listed in the log checker
http://plone.org/products/plone-hotfix/releases/CVE-2011-0720/logchecker.py
but with the /acl_users/ part absent.

— End Details —

On the matter of disclosure gap and necessary capabilities:

I spent around 16 waking hours and 26 clock hours to go from having seen the original vulnerability announcement to exploiting. This is in my guess a high upper bound for the capabilities required to go from “vuln” to “sploit”.

I had only user-level prior familiarity with Plone and no prior familiarity with Zope.

To test if someone else could reasonably translate these public vulnerability details into an exploit, I presented the basic knowledge of Zope URL based invocation and how I found /acl_users/, and pointed to the above relevant patch over the course of 2 hours at a
competition/talk on March 19th. Another individual was able to identify the appropriate function name and arguments with an additional hour, escalated to an administrator account, and vandalized a test site running for the occasion.
http://www.skullspace.ca/blog/2011/03/hackathon-4-was-a-huge-success/

I regret that a recording was not made despite best efforts and that my slides are of such limited detail to not warrant publication.
(this email has way more useful information)

Though both myself and the other individual have programming backgrounds, I guess that a moderately determined individual without such capabilities could also close the disclosure gap.

The crucial step of finding /acl_users/ with the find feature in ZMI is an interactive, “play and use”, kind of step. Finding the relevant function name is a matter of reading. The direct relationship between the method names and argument names with the URLs is spelled out in multiple Zope tutorials.

Correct me if I’m wrong, but I believe this post is the first public comment to go beyond the patches, hotfix, and logchecker released by the Plone foundation.

Mark Jenkins

p.s.

In the end, not quite:
“you’ll have 30 minutes before the exploit worms start knocking on
doors, I say.”
http://weblion.psu.edu/chatlogs/%23plone/2011/02/02.txt

But probably not
“I have doubts if there will be an exploit script ever”
http://weblion.psu.edu/chatlogs/%23plone/2011/02/09.txt
anymore…