Today I'm going to write about an interesting vulnerability I've found in Square's acquisition website bookfresh.com that was escalated to remote code execution.

The story started when I saw that Bookfresh became a part of Square's bug bounty program at Hackerone. I decided to take a look at it and start finding some vulnerabilities. I've found that the website is vulnerable to many XSS, but I was looking for something bigger like SQL injection or RCE.

So while I was checking for SQL injection bugs I navigated to the profile page and found there is a file upload form to upload your profile photo. At the first moment I didn't expect to find any vulnerability in that upload functionality, but I decided to give it a try; maybe I could be lucky. I uploaded a jpg image file while intercepting the HTTP request, then I changed the filename extension from jpg to php and forwarded the request. I was surprised that the image was uploaded with the php extension. I didn't believe my eyes, so I copied the image link and opened it in the browser. It displayed the image binary data as if you were opening the image in a text editor, which means it was successfully executed as a PHP script and the response content type was set to text/html.

So this is a simple and direct file upload bypass, right?

All I have to do is to inject my PHP code in the jpg file and get fast remote code execution. So I used a simple PHP code `<?phpinfo()?>` and injected it into the EXIF headers of the jpg image.

Then I uploaded the image, but when I viewed it again no PHP code was executed and nothing happened!

So I saved the image to my computer and executed the strings command to see if it still had the phpinfo() code, however the results returned none!!

It turned out that all EXIF metadata was deleted from the image after uploading it to the server and the image was converted using the GD library in PHP using the imagecreatefromjpeg() function.

So this seems not exploitable using EXIF data, but what will happen if I injected my PHP code into the image data itself, not the EXIF metadata? I thought that would work! So I tried to open the jpg file and inject the PHP code at the end of the file as the following:

The image was still valid and working on my computer. After that I uploaded the image file 1.jpg, but the result was like the following:

It displayed the error message "File must be a valid image (.gif, .jpg, .jpeg, or .png)". I was surprised how it detected that the image wasn't a valid image while the image is working on my computer, so I tried with some other jpg files and it turned out that modifying a single character in any of those jpg images won't be accepted by the PHP GD library as a valid image and will not be uploaded.

After that I tried the same thing with a gif image and it worked like a charm: the image was uploaded successfully without throwing any errors, but when I tried to check the image after uploading it, I found that my PHP code was totally removed from it. I tried again to inject the PHP code into other gif images and in different places in the image, but the PHP code was getting removed after uploading it.

That looks totally unexploitable, but I'm only one step away from getting RCE, so I should find a way to upload my image with the injected PHP code and bypass the imagecreatefromgif() function. I don't know a lot about image processing and how the PHP GD works, but I tried to do that in a simple old school way.

I came up with an idea to compare the gif images before and after they get converted using PHP GD and search for any similarity between them. So if I find a similar part in the original file that was kept also after converting using the PHP GD, then I can inject my PHP code in that part and get RCE.

I decided to try this, so I coded a Python script that will compare the images before and after converting and check for any similarity between them. Then I searched my computer for all the gif images and copied them all into one folder. Afterwards I wrote a PHP script that will take all the gif images in that folder, regenerate them using the PHP GD imagecreatefromgif() function and save them into another folder.

Then I used the Python script to compare the files and check for any similar 13 bytes, which is the length of `<?phpinfo()?>`, in the original and the converted gif image files, and the results were really awesome: I've found a gif image with big similarities after it was converted using PHP GD.

The values were represented in hex, so I opened the original image file using a hex editor, searched for one of those matched values, 3b45d00ceade0c1a3f0e18aff1, and modified it to `<?phpinfo()?>`, saved the file and converted it with PHP GD, then checked the strings in the file.

And guess what? The PHP code was still there.

I uploaded the gif image to Bookfresh and that was the result: PHP code executed successfully and I've got RCE.

The trick successfully defeated the PHP GD getimagesize() and imagecreatefromgif() functions that are used by many web developers nowadays to validate image uploads.

I've reported the vulnerability to Square's security team. They released a fast fix for the vulnerability, but I was able to bypass it again, so I gave them my recommendations for a complete fix; they applied it and paid me a very nice bounty for this bug.
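As an added example (not the author's script, not Bookfresh's code and not the fix Square applied), here is a PHP upload handler built on the lesson above: GD re-encoding alone cannot be trusted to scrub a crafted GIF, so the file type is taken from the bytes, the stored name and extension are chosen by the server, and the upload directory is assumed to be served as static files with script execution disabled. The field name `photo`, `UPLOAD_DIR` and `MAX_BYTES` are assumptions.

```php
<?php
// Hardened profile-photo upload handler. Added example; not Bookfresh's code
// and not the fix Square applied. Assumes the file arrives as $_FILES['photo']
// and that UPLOAD_DIR is served as static files with script execution disabled.
const UPLOAD_DIR = '/var/www/uploads';   // assumed path
const MAX_BYTES  = 2 * 1024 * 1024;

// Detected type => [server-chosen extension, GD loader, GD writer].
const ALLOWED = [
    IMAGETYPE_GIF  => ['gif', 'imagecreatefromgif',  'imagegif'],
    IMAGETYPE_JPEG => ['jpg', 'imagecreatefromjpeg', 'imagejpeg'],
    IMAGETYPE_PNG  => ['png', 'imagecreatefrompng',  'imagepng'],
];

function store_profile_photo(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }

    // The type comes from the bytes, never from the client-supplied filename:
    // renaming .jpg to .php in the request has no effect on what is stored.
    $info = @getimagesize($tmp);
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        throw new RuntimeException('File must be a valid image (.gif, .jpg, .jpeg, or .png)');
    }
    [$ext, $load, $save] = ALLOWED[$info[2]];

    // Re-encode through GD so only pixel data is kept. As the write-up shows,
    // bytes of a crafted GIF can survive this step, so re-encoding alone is
    // not the control; the server-chosen extension and a non-executing
    // upload directory are what stop any surviving bytes from ever running.
    $img = @$load($tmp);
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // random, server-chosen
    $ok   = $save($img, UPLOAD_DIR . '/' . $name);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}
```

Call it as `store_profile_photo($_FILES['photo'])` from the form handler; the returned name is the only value the application should ever use to reference the stored image.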