Scribd Logo
Încărcați

Bine ați venit la Scribd!

  • Bookfresh Tricky File Upload Bypass To RCE

    Încărcat de

    api-279898993
    292 vizualizări5 pagini
    The document describes a vulnerability the author found in Bookfresh's file upload functionality that allowed for remote code execution. They were able to bypass image validation done by PHP-GD functions by injecting PHP code into the hex values of a GIF image that remained the same after conversion. This allowed the code to execute when the image was uploaded. The author disclosed the issue to Square, who paid a bounty after fixing it based on the author's recommendations.

    Descriere originală:

    Drepturi de autor

    © © All Rights Reserved

    Formate disponibile

    PDF, TXT sau citiți online pe Scribd

    Vi se pare util acest document?

    Este necorespunzător acest conținut?

    Raportați acest document
    The document describes a vulnerability the author found in Bookfresh's file upload functionality that allowed for remote code execution. They were able to bypass image validation done by PHP-GD functions by injecting PHP code into the hex values of a GIF image that remained the same after conversion. This allowed the code to execute when the image was uploaded. The author disclosed the issue to Square, who paid a bounty after fixing it based on the author's recommendations.

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    292 vizualizări5 pagini

    Bookfresh Tricky File Upload Bypass To RCE

    Încărcat de

    api-279898993
    The document describes a vulnerability the author found in Bookfresh's file upload functionality that allowed for remote code execution. They were able to bypass image validation done by PHP-GD functions by injecting PHP code into the hex values of a GIF image that remained the same after conversion. This allowed the code to execute when the image was uploaded. The author disclosed the issue to Square, who paid a bounty after fixing it based on the author's recommendations.

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    din 5

    Helloall

    todayimgoingtowriteaboutaninterestingvulnerabilityivefoundinSquaresAcquisition
    website

    bookfresh.com
    thatwasescalatedtoremotecodeexecution.

    thestorystartedwhenisawthatBookfreshbecameapartofSquarebugbountyprogramat
    Hackerone
    .idecidedtotakealookatandstartfindingsomevulnerabilities.ivefoundthat
    thewebsiteisvulnerabletomanyXSSbutiwaslookingforsomethingbiggerlikeSql
    InjectionorRCE.

    sowhileiwascheckingforsqlinjectionbugsinavigatedtotheprofilepageandfoundthereis
    afileuploadformtouploadyourprofilephoto.atthefirstmomentididntexpecttofindany
    vulnerabilityinthatuploadfunctionalitybutidecidedtogiveitatrymaybeicouldbelucky.

    iuploadedajpgimagefilewhileinterceptingthehttprequestthenichangedthefilename
    extensionfromjpgtophpandforwardedtherequest.isurprisedthattheimagewas
    uploadedwiththephpextension.ididntbelievemyeyessoicopiedtheimagelinkand
    openeditinthebrowser.itdisplayedtheimagebinarydataasyouwereopeningtheimagein
    atexteditorwhichmeansitwassuccessfullyexecutedasphpscriptandtheresponse
    contenttypewassettotext/html

    sothisisasimpleanddirectfileuploadbypass,right ?

    allihavetodoistoinjectmyphpcodeinthejpgfileandgetfastremotecodeexecution.soi
    usedasimplephpcode
    <?
    phpinfo
    ()?>
    andinjecteditintotheEXIFheadersofjpgimage
    thenuploadedtheimagebutwhenivieweditagainnophpcodewasexecutedandnothing
    happened!

    soisavedtheimagetomycomputerandexecutedstringscommandtoseeifitstillhavethe
    phpinfo()
    code,howevertheresultsreturnednone!!

    ItturnedoutthatallEXIFmetadatawasdeletedfromtheimageafteruploadingittotheserver
    andtheimagewasconvertedusingthe
    GD
    libraryinphpusingthe
    imagecreatefromjpeg()
    function.

    sothisseemsnotexploitableusingexifdata,butwhatwillhappenifiinjectedmyphpcode
    intotheimagedataitselfnottheEXIFmetadata?ithoughtthatwouldwork!soitriedtoopen
    thejpgfileandinjectthephpcodeattheendofthefileasthefollowing

    theimagewasstillvalidandworkingonmycomputer,afterthatiuploadedtheimagefile

    1.jpg

    buttheresultswaslikethefollowing:


    itdisplayederrormessage

    Filemustbeavalidimage(.gif,.jpg,.jpeg,or.png)
    ,iwas
    surprisedhowitdetectedthattheimagewasntvalidimagewhiletheimageisworkingonmy
    computersoitriedwithsomeotherjpgfilesanditturnedoutthatmodifyingasinglecharacter
    inanyofthosejpgimageswontbeacceptedbyphpgdlibraryasavalidimageandwillnot
    beuploaded.

    afterthatitriedthesamethingwithgifimageanditworkedlikeacharmandtheimagewas
    uploadedsuccessfullywithoutthrowinganyerrors,butwhenitriedtochecktheimageafter
    uploadingit.ifoundthatmyphpcodewastotallyremovedfromit

    itriedagaintoinjectthephpcodeintoothergifimagesandindifferentplacesintheimage
    butthephpcodewasgettingremovedafteruploadingit.
    thatlookstotallyunexploitable,butimonlyonestepawayfromgettingRCE,soishouldfind
    awaytouploadmyimagewiththeinjectedphpcodeandbypassthe
    imagecreatefromgif()
    function.idontknowalotaboutimageprocessingandhowthephpGDworksbutitriedto
    dothatwithsimpleoldschoolway.

    icamewithanideatocomparethegifimagesbeforeandafteritgetconvertedusingphpgd
    andsearchforanysimilaritybetweenthem,soififindasimilarpartintheoriginalfilethat
    waskeptalsoafterconvertingusingthephpgdthenicaninjectmyphpcodeinthatpartand
    getRCE

    idecidedtotrythis,soicodedapythonscriptthatwillcomparetheimagesbeforeandafter
    convertingandcheckforanysimilaritybetweenthem.thenisearchedinmycomputerforall
    thegifimagesandcopiedthemallinonefolder,afterwardsiwroteaphpscriptthatwilltake
    allthegifimagesinthatfolderandregeneratethemusingthephpgd
    imagecreatefromgif()
    functionandsavethemintoanotherfolder
    theniusedthepythonscripttocomparethefilesandcheckforanysimilar13byteswhichwill
    bethelengthof
    <?
    phpinfo()
    ?>
    intheoriginalandtheconvertedgifimagefiles,andthe
    resultswasreallyawesome ,ivefoundgifimagewithabigsimilaritiesafteritwas
    convertedusingphpgd.

    thevalueswererepresentedinhex,soiopenedtheoriginalimagefileusingahexeditorand
    searchedforaoneofthosematchedvalues
    3b45d00ceade0c1a3f0e18aff1
    andmodifiedit
    to
    <?
    phpinfo
    ()?>
    ,savedthefileandconverteditwithphpgdthenthencheckedthestrings
    inthefile.
    andguesswhat?
    thephpcodewasstillthere

    iuploadedthegifimagetobookfreshandthatwastheresult


    phpcodeexecutedsuccessfullyandivegotRCE

    thetricksuccessfullydefeatedthePHPGD
    getimagesize()
    and

    imagecreatefromgif()
    functionsthatareusedbymanywebdevelopersnowdaystovalidateimageuploads.

    ivereportedthevulnerabilitytosquaresecurityteamtheyreleasedafastfixforthe
    vulnerabilitybutiwasabletobypassitagainsoigavethemmyrecommendationsfora
    completefixandtheyapplieditandpaidmeaverynicebountyforthisbug

    S-ar putea să vă placă și