Bookfresh tricky file upload bypass to RCE

Hello all, today I'm going to write about an interesting vulnerability I found in Square's acquisition website bookfresh.com that was escalated to remote code execution. The story started when I saw that Bookfresh became a part of Square's bug bounty program at HackerOne. I decided to take a look and start finding some vulnerabilities. I found that the website was vulnerable to many XSS issues, but I was looking for something bigger, like SQL injection or RCE.

So while I was checking for SQL injection bugs I navigated to the profile page and found a file upload form for uploading your profile photo. At first I didn't expect to find any vulnerability in that upload functionality, but I decided to give it a try; maybe I'd be lucky. I uploaded a JPG image while intercepting the HTTP request, changed the filename extension from jpg to php and forwarded the request. I was surprised that the image was uploaded with the php extension. I didn't believe my eyes, so I copied the image link and opened it in the browser. It displayed the image's binary data as if you were opening the image in a text editor, which means it was successfully executed as a PHP script, and the response Content-Type was set to text/html. So this is a simple and direct file upload bypass, right? All I have to do is inject my PHP code into the JPG file and get fast remote code execution.

So I used a simple PHP snippet, <? phpinfo(); ?>, injected it into the EXIF headers of the JPG image and uploaded the image, but when I viewed it again no PHP code was executed and nothing happened! So I saved the image to my computer and ran the strings command to see if it still contained the phpinfo() code; however, the result was none!!
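The first step of the bypass worked because the server stored the upload under the name the client sent, so the extension in the multipart request decided whether the file was served as an image or run as PHP. The following Python is an added example, not Bookfresh's code (their stack is PHP), showing the check that removes that decision from the client: the stored name is a random stem plus an extension derived from the file's own magic bytes, so a request that renames photo.jpg to photo.php still lands on disk as <random>.jpg. The sample byte strings and the function names are constructed for this example; the error message is the one quoted later in the write-up.

```python
import os
import secrets

# Constructed sample uploads for this example (not files from the write-up).
GIF_SAMPLE = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 20
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 20
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20
PHP_SAMPLE = b"<?php phpinfo(); ?>"

ALLOWED_SUFFIXES = {"gif", "jpg", "png"}


def sniff_image_type(data: bytes):
    """Return 'gif', 'jpg' or 'png' from the leading magic bytes, else None.

    The client-supplied filename and Content-Type are never consulted here;
    only the bytes that were actually uploaded decide the type.
    """
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:3] == b"\xff\xd8\xff":
        return "jpg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return None


def is_accepted(data: bytes) -> bool:
    """Validation gate for the upload handler."""
    return sniff_image_type(data) in ALLOWED_SUFFIXES


def safe_upload_name(client_filename: str, data: bytes) -> str:
    """Derive the storage name on the server side.

    `client_filename` is deliberately not used for the path; it is only
    reduced to a basename so it can be logged without directory components.
    """
    kind = sniff_image_type(data)
    if kind is None:
        raise ValueError("File must be a valid image (.gif, .jpg, .jpeg, or .png)")
    _logged_name = os.path.basename(client_filename)  # audit-log only
    # Random stem: the attacker neither chooses nor can predict the final name.
    return f"{secrets.token_hex(16)}.{kind}"


def store_upload(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Write the upload under its server-chosen name and return the path."""
    name = safe_upload_name(client_filename, data)
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path
```

Note that this naming rule alone also neutralises the later trick in the write-up: a GIF that carries PHP bytes in a region GD preserves is still stored as <random>.gif, and an upload directory that the web server never hands to the PHP interpreter cannot execute it regardless of content. Re-encoding is then defence in depth, not the control the whole design rests on.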

Posted on 06-Oct-2015



It turned out that all EXIF metadata was deleted from the image after uploading it to the server, and the image was converted using the GD library in PHP via the imagecreatefromjpeg() function. So this seems not exploitable using EXIF data, but what would happen if I injected my PHP code into the image data itself rather than the EXIF metadata? I thought that would work! So I opened the JPG file and injected the PHP code at the end of the file.

The image was still valid and working on my computer. After that I uploaded the image file 1.jpg, but the result was the following:

It displayed the error message "File must be a valid image (.gif, .jpg, .jpeg, or .png)". I was surprised at how it detected that the image wasn't valid while the image still worked on my computer, so I tried some other JPG files, and it turned out that modifying a single character in any of those JPG images meant they would not be accepted by the PHP GD library as a valid image and would not be uploaded.

After that I tried the same thing with a GIF image and it worked like a charm: the image was uploaded successfully without throwing any errors. But when I checked the image after uploading it, I found that my PHP code had been totally removed from it. I tried again to inject the PHP code into other GIF images and in different places in the image, but the PHP code kept getting removed after upload. That looks totally unexploitable, but I'm only one step away from getting RCE, so I should find a way to upload my image with the injected PHP code and bypass the imagecreatefromgif() function.

I don't know a lot about image processing or how PHP GD works, but I tried to do it in a simple old-school way. I came up with the idea of comparing GIF images before and after they get converted using PHP GD and searching for any similarity between them: if I find a part of the original file that is kept after conversion with PHP GD, then I can inject my PHP code into that part and get RCE. I decided to try this, so I coded a Python script that compares the images before and after converting and checks for any similarity between them. Then I searched my computer for all the GIF images and copied them into one folder. Afterwards I wrote a PHP script that takes all the GIF images in that folder, regenerates them using the PHP GD imagecreatefromgif() function and saves them into another folder. Then I used the Python script to compare the files and check for any matching 13-byte sequences, 13 being the length of my PHP code, in the original and the converted GIF image files. The results were really awesome: I found a GIF image with big similarities after it was converted using PHP GD.
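The comparison the author's Python script performed is also the regression test a defender wants for an image-sanitising pipeline: if any run of bytes from the submitted file reaches the re-encoded output unchanged, re-encoding is not stripping attacker-controlled content. The block below is an added example, not the author's script. surviving_runs() indexes every 13-byte window of the re-encoded file and reports each maximal run that also occurs in the original, with its offsets in both files; reencoding_strips_all() is the check that such a pipeline should pass. ORIGINAL and REENCODED are constructed stand-ins, not real GIFs: the header bytes differ, the pixel data differ, and one block (using the 13-byte hex value quoted in the write-up) is copied through verbatim to simulate the behaviour the author observed.

```python
from typing import Dict, List, Tuple

WINDOW = 13  # run length the write-up searched for

# Constructed stand-ins for a submitted file and the copy the re-encoder wrote
# back: header rewritten, data rewritten, one block carried over verbatim.
SURVIVING_BLOCK = bytes.fromhex("3b45d00ceade0c1a3f0e18aff1") + b"\x21\xf9\x04"
ORIGINAL = (b"GIF89a" + b"\x10\x00\x10\x00\xf7\x00\x00"
            + bytes(range(48)) + SURVIVING_BLOCK + b"\x00\x3b")
REENCODED = (b"GIF89a" + b"\x10\x00\x10\x00\x87\x00\x00"
             + bytes(range(100, 148)) + SURVIVING_BLOCK + b"\x00\x3b")


def surviving_runs(original: bytes, reencoded: bytes,
                   n: int = WINDOW) -> List[Tuple[int, int, bytes]]:
    """Every maximal run of at least n bytes present verbatim in both files.

    Returns (offset_in_original, offset_in_reencoded, run_bytes) triples.
    An n-gram index of the re-encoded file keeps this linear in file size
    instead of comparing every window against every other window.
    """
    if n <= 0 or len(original) < n or len(reencoded) < n:
        return []
    index: Dict[bytes, List[int]] = {}
    for j in range(len(reencoded) - n + 1):
        index.setdefault(reencoded[j:j + n], []).append(j)

    runs: List[Tuple[int, int, bytes]] = []
    i = 0
    while i <= len(original) - n:
        hits = index.get(original[i:i + n])
        if not hits:
            i += 1
            continue
        j = hits[0]  # first occurrence in the re-encoded file
        # Extend the match as far as both files keep agreeing byte for byte.
        k = n
        while (i + k < len(original) and j + k < len(reencoded)
               and original[i + k] == reencoded[j + k]):
            k += 1
        runs.append((i, j, original[i:i + k]))
        i += k  # skip past the run so overlapping windows are not re-reported
    return runs


def reencoding_strips_all(original: bytes, reencoded: bytes,
                          n: int = WINDOW) -> bool:
    """True when no n-byte run of the submitted file survives re-encoding."""
    return not surviving_runs(original, reencoded, n)


def describe(original: bytes, reencoded: bytes, n: int = WINDOW) -> List[str]:
    """Human-readable report, one line per surviving run, hex like the write-up."""
    return [f"orig@{i} reenc@{j} len={len(run)} {run.hex()}"
            for i, j, run in surviving_runs(original, reencoded, n)]


if __name__ == "__main__":
    for line in describe(ORIGINAL, REENCODED):
        print(line)
    print("sanitizer effective:", reencoding_strips_all(ORIGINAL, REENCODED))
```

To audit a real pipeline, replace ORIGINAL with a genuine upload and REENCODED with what the server wrote back, and run surviving_runs() over a corpus of inputs exactly as the write-up did with a folder of GIFs: any reported run is a region the sanitizer copies through untouched, and the fix is to stop executing files from the upload directory rather than to hunt for every such region.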

The values were represented in hex, so I opened the original image file using a hex editor, searched for one of those matched values, 3b45d00ceade0c1a3f0e18aff1, modified it to my PHP code, saved the file, converted it with PHP GD and then checked the strings in the file.

And guess what? The PHP code was still there. I uploaded the GIF image to Bookfresh and that was the result:

The PHP code executed successfully and I got RCE. The trick successfully defeated the PHP GD getimagesize() and imagecreatefromgif() functions that are used by many web developers nowadays to validate image uploads. I reported the vulnerability to Square's security team; they released a fast fix for the vulnerability, but I was able to bypass it again, so I gave them my recommendations for a complete fix. They applied it and paid me a very nice bounty for this bug.