wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

Wordpress TimThumb 2.8.13 WebShot Remote Code Execution #506

Closed fgeek closed 10 years ago

fgeek commented 10 years ago

http://seclists.org/fulldisclosure/2014/Jun/117

ethicalhack3r commented 10 years ago

Nice!!

I think this is only exploitable when the 'webshot feature' is enabled and it is disabled by default.

From the FD post: ** This WebShot feature is DISABLED by default.

And in the timthumb.php code: https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php#114

I wonder if many devs enable this feature...

pvdl commented 10 years ago

Yeah Nice!! Did a grep for themify plugins which we have in our db

grep themify theme_vulns.xml 
      <title>Pinboard - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>iThemes2 - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Suco - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Elemin - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Folo - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Bloggie - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Blogfolio - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Flatshop - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Magazine - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Parallax - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Bold - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Metro - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Pinshop - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Agency - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Slide - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Postline - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Fulscreen - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Shopo - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Minshop - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Notes - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Shopdock - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Phototouch - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Basic - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Responz - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Simfo - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Grido - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Tisa - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Funki - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Minblr - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Newsy - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Wumblr - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Rezo - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Photobox - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Edmin - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Koi - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Bizco - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Thememin - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Wigi - themify-ajax.php File Upload Arbitrary Code Execution</title>
      <title>Sidepane - themify-ajax.php File Upload Arbitrary Code Execution</title>
pvdl commented 10 years ago

Example of a Theme title for the db could be:

<title>Parallax - If "WebShot" is enabled then remote code execution vulnerability</title>

I'll try to see if I can get access to these themes online because the mentioned themes are premium themes. There are some with an FPD, so it is possible to check if this file is available: wp-content/themes/_name of the theme_/themify/img.php

BTW, it would be nice if there were a way to check remotely whether the WebShot feature is enabled.

firefart commented 10 years ago

@pvdl https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php#301

if($this->param('webshot')){
    if(WEBSHOT_ENABLED){
        $this->debug(3, "webshot param is set, so we're going to take a webshot.");
        $this->serveWebshot();
    } else {
        $this->error("You added the webshot parameter but webshots are disabled on this server. You need to set WEBSHOT_ENABLED == true to enable webshots.");
    }
}

So you should get an error if webshot is disabled. Haven't tried this, only found by looking at the source code.

fgeek commented 10 years ago

At least people do enable that feature..

https://github.com/search?q=WEBSHOT_ENABLED%27%2C+true&ref=searchresults&type=Code

anantshri commented 10 years ago

I suppose the correct query should be https://github.com/search?q=%22WEBSHOT_ENABLED%27%2C+true%22&type=Code&ref=searchresults which brings down the result drastically.

fgeek commented 10 years ago

I can submit issues to those projects.

ethicalhack3r commented 10 years ago

I think our current Timthumb enumeration will cover this? By attempting to detect the Timthumb file? https://github.com/wpscanteam/wpscan/blob/master/data/timthumbs.txt

erwanlr commented 10 years ago

Has someone managed to exploit this locally?

erwanlr commented 10 years ago

Ok, done.

FYI: all the payload urls from the advisories are wrong so far

erwanlr commented 10 years ago

Every timthumb >= 2.0 and < 2.8.14 which does not respond with something like 'You added the webshot parameter but webshots are disabled on this server. You need to set WEBSHOT_ENABLED == true to enable webshots.' is flagged as vulnerable.

Furthermore, to exploit this vuln, an allowed domain (flickr.com, picasa.com, img.youtube.com and upload.wikimedia.org were the common ones between the versions) has to be used in the src parameter (the same domain as the target DOES NOT work despite what I found in the advisories ..)
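
The detection rule described in firefart's and erwanlr's comments above (affected version range, plus absence of the "webshots are disabled" error in the response) written out as a small Ruby classifier, together with an offline check a site owner can run over a local timthumb.php. This is an added example, not WPScan's own code or the code from the thread. Ruby is used because WPScan is written in Ruby. Assumptions: the version and WEBSHOT_ENABLED are read from `define(...)` calls in the file, as the `WEBSHOT_ENABLED', true` GitHub search in the thread suggests; the sample source and response bodies are constructed for the example.

```ruby
# Added example (not WPScan code): classify TimThumb instances for the WebShot issue.
require 'rubygems' # Gem::Version for semantic version comparison

# Error string TimThumb returns when the webshot parameter is used while the
# feature is off (quoted in the thread). Only the first sentence is matched,
# since the thread says the response looks "something like" this.
WEBSHOT_DISABLED_MSG = 'You added the webshot parameter but webshots are disabled on this server.'

FIRST_AFFECTED = Gem::Version.new('2.0')    # thread: every timthumb >= 2.0 ...
FIXED_IN       = Gem::Version.new('2.8.14') # ... and < 2.8.14

# true when version lies in [2.0, 2.8.14); malformed version strings are not flagged.
def webshot_affected_version?(version)
  v = Gem::Version.new(version.to_s)
  v >= FIRST_AFFECTED && v < FIXED_IN
rescue ArgumentError
  false
end

# Remote rule from the thread: affected version AND the response to a webshot
# request does not carry the "disabled" error -> flag as vulnerable.
def webshot_vulnerable?(version, response_body)
  webshot_affected_version?(version) && !response_body.to_s.include?(WEBSHOT_DISABLED_MSG)
end

# Offline rule for a site owner: read a timthumb.php source and pull out the
# VERSION define and the WEBSHOT_ENABLED define (define() format is an assumption).
def inspect_timthumb_source(source)
  version = source[/define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([\d.]+)['"]/, 1]
  enabled = source[/define\s*\(\s*['"]WEBSHOT_ENABLED['"]\s*,\s*(true|false)/i, 1]
  {
    version: version,
    webshot_enabled: enabled.to_s.downcase == 'true',
    affected_version: webshot_affected_version?(version)
  }
end

# Walk a {path => source} map (e.g. built from Dir.glob on wp-content) and
# return only the copies that need attention.
def audit_timthumb_files(files)
  files.map { |path, src| inspect_timthumb_source(src).merge(path: path) }
       .select { |r| r[:affected_version] && r[:webshot_enabled] }
end

# Constructed sample: a 2.8.13 copy with WebShot switched on.
SAMPLE_TIMTHUMB_ENABLED = <<~PHP
  <?php
  define ('VERSION', '2.8.13');
  if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);
PHP

# Constructed sample: a 2.8.13 copy with the default (disabled) setting.
SAMPLE_TIMTHUMB_DISABLED = <<~PHP
  <?php
  define ('VERSION', '2.8.13');
  if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);
PHP

if __FILE__ == $PROGRAM_NAME
  files = {
    'wp-content/themes/example-a/timthumb.php' => SAMPLE_TIMTHUMB_ENABLED, # constructed path
    'wp-content/themes/example-b/timthumb.php' => SAMPLE_TIMTHUMB_DISABLED  # constructed path
  }
  audit_timthumb_files(files).each do |r|
    puts "[!] #{r[:path]} v#{r[:version]}: WebShot enabled on an affected version"
  end
end
```

The remote rule flags on the absence of the error string, so a copy that returns an unrelated error page (or no body at all) is still flagged; that matches the thread's "does not respond with something like ..." wording and errs toward a false positive rather than a miss. The offline check is the one a blog maintainer can run without sending any requests: any hit means either upgrade to 2.8.14 or set WEBSHOT_ENABLED back to false.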

erwanlr commented 10 years ago

Example of output:

[+] We found 4 timthumb file/s:

[+] http://wp.local/wordpress-3.9.1/wp-content/plugins/timthumbs/2.8.13-ws-enabled.php v2.8.13

[!] Title: Timthumb <= 2.8.13 WebShot Remote Code Execution
    Reference: http://seclists.org/fulldisclosure/2014/Jun/117
[i] Fixed in: 2.8.14

[+] http://wp.local/wordpress-3.9.1/wp-content/plugins/timthumbs/1.32.php v1.32

[!] Title: Timthumb <= 1.32 Remote Code Execution
    Reference: http://www.exploit-db.com/exploits/17602/
[i] Fixed in: 1.33

[+] http://wp.local/wordpress-3.9.1/wp-content/plugins/timthumbs/2.8.14.php v2.8.14

[+] http://wp.local/wordpress-3.9.1/wp-content/plugins/timthumbs/2.8.13-ws-disabled.php v2.8.13
erwanlr commented 10 years ago

Also, if someone has an up-to-date list of timthumbs location, it would be great

/spam

firefart commented 10 years ago

:+1:

firefart commented 10 years ago

https://github.com/search?q=user%3Awp-plugins+%22TimThumb+by+Ben+Gillbanks+and+Mark+Maunder%22&type=Code&ref=searchresults

I just searched by the License header of the file

ethicalhack3r commented 10 years ago

From my blog's access logs - https://gist.github.com/wpvulndb/9b17d2e95f5675e1a2a1

erwanlr commented 10 years ago

These urls are blind checks, I wasn't able to find a simple real timthumb file in 10 random plugins mentioned :/