ImageMagick vulnerability in Wordpress4. 5. 1 The above use-vulnerability warning-the black bar safety net

ID MYHACK58:62201676314
Type myhack58
Reporter 乘物游心
Modified 2016-06-27T00:00:00


0x00 ImageMagick vulnerability analysis

About ImageMagick vulnerability detailed analysis, phith0n has been in tick aboveImageNagick vulnerability Points allowedhas been for this vulnerability were described in detail. I this article is primarily directed to the ImageMagick vulnerability in Wordpress above the remote command execution will be described.

0x01 ImageMagick in wordpress4. 5. 1 in use

Of course, ImageMagick how to wordpress4. 5. 1 The use of the above, also someone wrote a very detailed description. Specific can refer tothis article. And my experiment is based on the top of this post to be tested. But this article will be mainly described in the above in this article, The authors do not detail the places to be interpreted as well as my own thinking.

0x02 ImageMagick in wordpress4. 5. 1 The above practice

Ensure that ImageMgacik has been installed

wordpress4. 5. 1. The default is to use the ImageMagick library to process images, but the premise is must be in your server(herein the server refer to theLinux server)the above installed php imageick extension, which is very important. Before I was just in my server that you installed the ImageMagick with this library, but I didn't install imageick this library, cause I never able to use successfully. As for how the server is mounted on top of this library, theinstall imagick extensionthere are described in detail. If the server is Debian or ubuntu, you can use the apt-get way to install instead of compiling source code to install.

Trigger ImageMagick extension of the implementation

From ricterz of this article, it can be seen need to know ImageMagick in wordpress in point of execution, so to be able to trigger this vulnerability. Finally, through discovery, you can edit the pictures time to trigger this vulnerability. The specific implementation method is also very simple. Actually is mainly divided into 3 steps. Step one: edit the normal picture, obtained after the Edit request link. In fact, this time the wordpress backend is to use ImageMagick for the image processing, because this is a normal picture, so there is no problem. And give of this connection, is used to trigger ImageMgacik to deal with this image of connection. ! Step two: edit with exp pictures, get after the Edit request link. Since in exp. jpg written is a piece of malicious code, not the picture information, resulting in the editing of the time cannot handle this picture, it can not trigger ImageMagick for processing. ! Step three: since wordpress is unable to identify exp. jpg picture, so this is also why we have to deal with a normal picture of the reasons. Processing a normal image request, processing the ImageMagick link that is in step one to take to the links address. The normal connection of _ajax_nonce and postid with exp. jpg in the connection in once and the postid instead. As follows: ! The above is processing the normal image when a link, in which the nonce and the postid into the exp. jpg in the nonce and postid. Then visit this after processing the link, it will trigger in wordpress ImageMagick to handle this exp . jpg request, that could lead to remote command execution. As follows: !

Remote command execution platforms

It is currently online for all the exp it seems that all the command execution seems to be based on thelinux serverto consider, so the execution of the command is linux the above command. So if readers want to conduct this experiment, then, also to ensure your own server is aLinux server, so to be able to ensure that your commands can be in the servers above perform.

0x03 how to effectively use ImageMagick

There was a such vulnerability, from a programmer's perspective, the first thought is whether they have a use to this library, if used how it should be repaired. From a white hat perspective, then think of is how am I supposed to be able to site large-scale analysis, to determine whether the existence of this vulnerability. However, it now seems, I myself find a few websites to be tested, all without success, so I think the successful implementation of this vulnerability is relatively difficult, of course, also illustrates my level is really limited. Since this is a picture of vulnerability, then during the test when you need to upload a exp. jpg to be tested, this work is clearly not by a program to automate the completion, it can not be a vulnerability automated scanning. For this exploit use is also not completely displayed, for example, for wordpress, needs to have Author permissions to be able to attack, and Discuz also cannot directly Upload a picture to use, a tick above a lot of loopholes, I think that still most of the white hat to manually test to find out. So I come to the conclusion that although this is a command execution vulnerability, but want to be automated vulnerability scanning or to find a General procedure using vulnerability is still relatively difficult. Even so, for this vulnerability, the programmer still have to be on guard.