From: Roman Medina-Heigl Hernandez To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org Subject: [Full-Disclosure] The true story of TWiki vuln (exploit included) Date: Mon, 15 Nov 2004 23:03:36 +0100 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [ In response to: http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0022.html ] Dear Hans, It is not a commendable action to make people believe that you found a vulnerability which you really have not discovered. I don't know if you did it on purpose. I prefer to believe you didn't but it is reasonable to think that publishing it without *clearly* stating its procedence could lead people to misunderstanding. This thought may be easily strengthen by the fact that you forced an "uncoordinated emergency disclosure" (as read in your advisory) just when I was coordinating my own advisory with Peter Thoeny (main developer and author of TWiki). Exposed facts caused me a sense of indignation so I started to investigate the issue. Before writing this public response, I talked to many different people/sources and different point of views and mails were exchanged. Things got complicated by the fact that you seem to belong to a well-known and reputable security organization (whose name I won't disclose here to avoid any suspicion and to show my respect to it) and your action was (or at least seemed to be) unethical, as recognized by some of the more representative members of your (presumible) organization. To summarize the results and have some semi-impartial view, I have attached a mail from Peter where he publicly explains the timeline followed in the disclosure (judge by yourself). He also drops some personal thoughts which I don't necessarily share. Btw, mine are: 1) Peter didn't know how to coordinate the issue or at least he was not fast enough. 2) Hans rushed the publication of the advisory and masked it, perhaps in the mood for fame (last comment is subjective). 3) As result of 1+2, Hans and me couldn't meet before all this mess, which would have been avoided almost for sure. I have been accused to have hidden my discovery during aprox. two months with presumibly obscure purposes. Well, it is true that I knew about the discussed issues for that time, but my reasons have been completely disrupted. *I don't have anything to hide*. I'm an independant researcher and I like researching vulnerabilities only for fun. I also like to spend my time and enjoy my spare time without any hurry. Apart from this, believe it or not, but I have been very busy during past months. For instance, in past two months I got married with a lovely girl, went to honey-moon... Don't want to know all the details, eh? :-) Strictly speaking about computers, I'm also involved in other projects and to be honest, TWiki was/is not prioritary to me (I was looking for a WikiWiki software to use; when I accidentally discovered the backsticks bug, I fastly switched to consider other similar software like Phpwiki). I consider myself as a pro full-disclosure man and I like to publish my works. But Peter, don't go wrong by blaming me of the hack of two machines due to my delayed disclosure: *full disclosure is a privilege, not a right for any developer*. Full-disclosers often invest their time in helping community to enhace the security of many applications and/or fixing bugs _the developers commit_. Something similar applies to you, Hans: running a 2.4.20 kernel is not precisely what I'd call a good job for a responsible and/or security-conscious sys-admin... It's funny to read Peter's statement: "The vulnerability was known to Roman for 2 month, but he did=20 not inform the TWiki developers. _Damage on two sites could have been prevented._". Apart from my personal reasons (which I already explained), it's easy to refute and rewrite your paragraph: "TWiki developers wrote buggy code. _Damage on two sites could have been prevented if they had known basic principles about security". Haven't you think about that possibility? Sorry, guys but once again, judge for yourself ;-) Moreover, I've just received a phone call some minutes ago stating that TWiki vulnerability was known for at least 1 year!! Woo!! If that is true, it would mean that other people independently discovered the same vulnerability before me, fact which doesn't surprise me, taking into account the silly and simple nature of the bug. Anybody could have discover it. I'm not particularly proud of my research in TWiki, it doesn't require very high skills. Not at all, indeed. But one of the things that sicken me is people getting credits that they don't deserve. That's the main reason of this post. Having said that, and for the rest of people who doesn't know what's this story about, forget it and enjoy the attached exploit. It's beta but it works (against TWiki "BeijingRelease" [1]; I did a quick test against "CairoRelease" [2] and it doesn't work for it). Proxy and HTTP auth is supported. Win32/Unix compatible. And please remember: use at your own risk. Finally, I'd like to clearly state that I take no responsibility of any hacked machine due to this bug being exploited, in the past, present or future. I don't approve/support the hack of any machine, including machines belonging to certain referred organization and/or administered by Hans Ulrich. I like researching and writing exploits for fun. But attacking machines... simply it's not my style. That's all I have to say about this issue. I won't enter any flame war and I will not respond to any post regarding this matter, either. PS: References: [1] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Feb2003. [2] http://twiki.org/cgi-bin/view/Codev/TWikiRelease01Sep2004 Cheers, --Roman - -- PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ] -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use iQA/AwUBQZ5It+R/in3q1WdCEQKbUgCbBI2wRo47dVvtv13YGWxFAyD+YxUAn1jw 44urqdliXRIepdXdzIdk40xH =2kVS -----END PGP SIGNATURE-----