Closed: fgeek closed this 10 years ago
Nice!!
I think this is only exploitable when the 'webshot feature' is enabled and it is disabled by default.
From the FD post: ** This WebShot feature is DISABLED by default.
And in the timbthumb.php code: https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php#114
I wonder if many devs enable this feature...
Yeah Nice!! Did a grep for themify plugins which we have in our db
```
grep themify theme_vulns.xml
<title>Pinboard - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>iThemes2 - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Suco - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Elemin - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Folo - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Bloggie - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Blogfolio - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Flatshop - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Magazine - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Parallax - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Bold - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Metro - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Pinshop - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Agency - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Slide - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Postline - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Fulscreen - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Shopo - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Minshop - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Notes - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Shopdock - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Phototouch - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Basic - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Responz - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Simfo - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Grido - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Tisa - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Funki - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Minblr - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Newsy - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Wumblr - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Rezo - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Photobox - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Edmin - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Koi - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Bizco - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Thememin - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Wigi - themify-ajax.php File Upload Arbitrary Code Execution</title>
<title>Sidepane - themify-ajax.php File Upload Arbitrary Code Execution</title>
```
Example of a Theme title for the db could be:
```
<title>Parallax - If "WebShot" is enabled then remote code execution vulnerability</title>
```
I'll try to see if I can get access to these themes online because the mentioned themes are premium themes. There are some with a FPD, so it is possible to check if this file is available: wp-content/themes/_name of the theme_/themify/img.php
BTW, it would be nice if there were a possibility to check remotely whether the WebShot feature is enabled.
@pvdl https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php#301
```php
if($this->param('webshot')){
    if(WEBSHOT_ENABLED){
        $this->debug(3, "webshot param is set, so we're going to take a webshot.");
        $this->serveWebshot();
    } else {
        $this->error("You added the webshot parameter but webshots are disabled on this server. You need to set WEBSHOT_ENABLED == true to enable webshots.");
    }
}
```
So you should get an error if webshot is disabled. Haven't tried this, only found by looking at the source code.
At least some people do enable that feature...
https://github.com/search?q=WEBSHOT_ENABLED%27%2C+true&ref=searchresults&type=Code
I suppose the correct query should be https://github.com/search?q=%22WEBSHOT_ENABLED%27%2C+true%22&type=Code&ref=searchresults which brings down the result drastically.
I can submit issues to those projects.
I think our current Timthumb enumeration will cover this? By attempting to detect the Timthumb file? https://github.com/wpscanteam/wpscan/blob/master/data/timthumbs.txt
Has someone managed to exploit this locally?
Ok, done.
FYI: all the payload URLs from the advisories are wrong so far.
Every timthumb >= 2.0 and < 2.8.14 which does not respond with something like 'You added the webshot parameter but webshots are disabled on this server. You need to set WEBSHOT_ENABLED == true to enable webshots.' is flagged as vulnerable.
Furthermore, to exploit this vuln, an allowed domain (flickr.com, picasa.com, img.youtube.com and upload.wikimedia.org were the common ones between the versions) has to be used in the src parameter (the same domain as the target DOES NOT work, despite what I found in the advisories...)
Example of output:
```
[+] We found 4 timthumb file/s:
[+] http://wp.local/wordpress-3.9.1/wp-content/plugins/timthumbs/2.8.13-ws-enabled.php v2.8.13
[!] Title: Timthumb <= 2.8.13 WebShot Remote Code Execution
    Reference: http://seclists.org/fulldisclosure/2014/Jun/117
[i] Fixed in: 2.8.14
[+] http://wp.local/wordpress-3.9.1/wp-content/plugins/timthumbs/1.32.php v1.32
[!] Title: Timthumb <= 1.32 Remote Code Execution
    Reference: http://www.exploit-db.com/exploits/17602/
[i] Fixed in: 1.33
[+] http://wp.local/wordpress-3.9.1/wp-content/plugins/timthumbs/2.8.14.php v2.8.14
[+] http://wp.local/wordpress-3.9.1/wp-content/plugins/timthumbs/2.8.13-ws-disabled.php v2.8.13
```
Also, if someone has an up-to-date list of timthumb locations, it would be great.
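The remote check sketched above (send the `webshot` parameter, look for timthumb's "webshots are disabled" error) combined with the version window from the previous comment, as an added standalone example; this is not wpscan's own code. It assumes `flickr.com` as the allowed `src` domain (taken from the comment above) and works on constructed response bodies rather than live HTTP.

```ruby
require 'uri'

# Error text timthumb.php emits when the webshot param is set but
# WEBSHOT_ENABLED is false (see the quoted source in the thread).
WEBSHOT_DISABLED_MSG = 'webshots are disabled on this server'
WEBSHOT_MIN_VERSION  = Gem::Version.new('2.0')    # first version with WebShot
WEBSHOT_FIXED_IN     = Gem::Version.new('2.8.14') # fixed version per the thread
ALLOWED_SRC_DOMAIN   = 'http://flickr.com/'      # assumption: one allowed domain

# Version window from the thread: >= 2.0 and < 2.8.14. Unparseable versions
# are treated as not affected so the caller can report them separately.
def webshot_version_affected?(version)
  v = Gem::Version.new(version.to_s)
  v >= WEBSHOT_MIN_VERSION && v < WEBSHOT_FIXED_IN
rescue ArgumentError
  false
end

# Did the server answer the webshot probe with timthumb's "disabled" error?
def webshot_disabled?(body)
  body.to_s.include?(WEBSHOT_DISABLED_MSG)
end

# Flag only when the version is in the window AND the probe did not get the
# "disabled" error; a missing error is treated as WebShot being enabled.
def webshot_vulnerable?(version, body)
  webshot_version_affected?(version) && !webshot_disabled?(body)
end

# Probe URL: timthumb only tests `if($this->param('webshot'))`, so any
# non-empty value works; src must be an allowed domain or timthumb bails early.
def webshot_probe_url(timthumb_url)
  uri = URI(timthumb_url)
  uri.query = URI.encode_www_form(src: ALLOWED_SRC_DOMAIN, webshot: '1')
  uri.to_s
end

# Given {url => {version:, body:}} for discovered timthumb files, return the
# URLs that should be reported, mirroring the scanner output in the thread.
def flag_timthumbs(found)
  found.select { |_url, r| webshot_vulnerable?(r[:version], r[:body]) }.keys
end

# Constructed sample data, not captured from a real site.
SAMPLE = {
  'http://wp.local/t/2.8.13-ws-enabled.php'  => { version: '2.8.13', body: 'A TimThumb error has occured' },
  'http://wp.local/t/2.8.13-ws-disabled.php' => { version: '2.8.13', body: 'You added the webshot parameter but webshots are disabled on this server.' },
  'http://wp.local/t/2.8.14.php'             => { version: '2.8.14', body: 'A TimThumb error has occured' },
  'http://wp.local/t/1.32.php'               => { version: '1.32',   body: '' },
}
```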
/spam
:+1:
I just searched by the License header of the file
From my blog's access logs - https://gist.github.com/wpvulndb/9b17d2e95f5675e1a2a1
These URLs are a blind check; I wasn't able to find a simple real timthumb file in 10 random plugins mentioned :/
http://seclists.org/fulldisclosure/2014/Jun/117