Security breach on the Debian wiki 2012-07-25
The attacker(s) leveraged CVE-2012-6081 to upload a file to the MoinMoin action plugin directory. This file was both a valid tar file (as required by the vulnerable twikidraw plugin) and valid Python code in the form of a MoinMoin action plugin. The upload succeeded because the MoinMoin plugin directory was writable by the wiki WSGI server user. Injection of the code consisted of two HTTP requests:
GET /?action=twikidraw&do=modify&target=../../../plugin/action/moinexec.py
POST /?action=twikidraw&do=save&ticket=<snip>&target=../../../plugin/action/moinexec.py
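A log check for the two injection requests above, as an added example that is not part of the original report: it scans web server access logs for twikidraw requests whose target, after repeated percent-decoding, contains a path separator or `..`. The log lines are constructed, and the rule that a legitimate target is a bare file name is an assumption made for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in common log format; not taken from the incident logs.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2013:10:00:00 +0000] "GET /?action=twikidraw&do=modify&target=../../../plugin/action/moinexec.py HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2013:10:00:05 +0000] "POST /?action=twikidraw&do=save&ticket=CONSTRUCTED&target=..%2F..%2F..%2Fplugin%2Faction%2Fmoinexec.py HTTP/1.1" 200 128
198.51.100.7 - - [01/Jan/2013:10:01:00 +0000] "GET /FrontPage?action=twikidraw&do=modify&target=diagram.tdraw HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jan/2013:10:02:00 +0000] "GET /FrontPage?action=twikidraw&do=modify&target=%252e%252e%252fx.py HTTP/1.1" 200 90
203.0.113.5 - - [01/Jan/2013:10:03:00 +0000] "GET /HelpContents HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded '../' is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_unsafe_target(target):
    # Assumption: a legitimate drawing target is a bare file name.
    t = fully_unquote(target).replace("\\", "/")
    return "/" in t or ".." in t or "\x00" in t

def find_suspicious(log_text):
    """Return one record per twikidraw request with a traversal-style target."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        client, when, method, url, status = m.groups()
        query = parse_qs(urlsplit(url).query)  # decodes the query string once
        if "twikidraw" not in query.get("action", []):
            continue
        for target in query.get("target", []):
            if is_unsafe_target(target):
                hits.append({"client": client, "time": when, "method": method,
                             "do": query.get("do", [""])[0],
                             "target": fully_unquote(target), "status": int(status)})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

The check is deliberately conservative: a harmless target containing `..` inside a file name would also be reported and needs manual review.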
The uploaded MoinMoin action plugin essentially functioned as a backdoor, executing arbitrary commands as the wiki WSGI server user and returning output over HTTP. Executing arbitrary commands consists of single HTTP GET requests, for example:
After installing the backdoor, the attacker(s) did some exploration of the system, attempting to look at shell history, open files, listening daemons, kernel version, log files, anything that might have been sensitive (things matching sec, key, priv) and configuration for the wiki and other daemons. They also looked at the email addresses and password hashes of the Debian wiki user accounts.
The attacker(s) used the Tor network to hide their real IP addresses and location.
It does not appear that the attackers were able to escalate their privileges. The attacker(s) stole the email addresses and password hashes of Debian wiki users. They appeared particularly interested in the password hashes of users from Debian, Intel, Dell, Google, Microsoft, GNU, any .gov and any .edu. Debian wiki users are encouraged to change their passwords both on the Debian wiki (which has been enforced) and at their home institutions (if they used the same password there as their old wiki password).
The key that was used for reCAPTCHA was stolen. This key was no longer in use at the time we were notified about this issue.
Firstly, a new server was set up for the wiki to ensure a clean start free of any possible contamination from the attacker(s).
Next, contrary to MoinMoin's default/recommended set-up, we have privilege-separated more of the set-up. Previously, everything was owned by and run as a single wiki user. Now, files are by default owned by, and writeable only by, a new wiki admin user, while the WSGI server runs as a less privileged user. Only the limited set of files that the wiki needs write access to is writeable by the webserver.
The reCAPTCHA key will be reset if we ever need to use reCAPTCHA again.
- 2012-10-18: First use of the backdoor.
- 2012-10-28: Theft of email addresses, password hashes and reCAPTCHA key.
- 2012-11-09: Last use of the backdoor.
- 2012-12-28: We are informed about a potential security issue in MoinMoin by the friendly people at dyne.org.
- 2013-01-03: CVE-2012-6081 advisory released.
- 2013-01-04: Debian wiki users notified.
- 2013-01-06: Forensic analysis published.