bookfresh tricky file upload bypass to rce
Hello all, today I'm going to write about an interesting vulnerability I found in bookfresh.com, the website of Square's acquisition Bookfresh, that was escalated to remote code execution. The story started when I saw that Bookfresh became a part of Square's bug bounty program at HackerOne. I decided to take a look and start finding some vulnerabilities. I found that the website was vulnerable to many XSS bugs, but I was looking for something bigger, like SQL injection or RCE. So while I was checking for SQL injection bugs, I navigated to the profile page and found a file upload form for uploading your profile photo. At first I didn't expect to find any vulnerability in that upload functionality, but I decided to give it a try; maybe I could get lucky.

I uploaded a JPG image file while intercepting the HTTP request, changed the file name extension from .jpg to .php and forwarded the request. To my surprise, the image was uploaded with the .php extension. I didn't believe my eyes, so I copied the image link and opened it in the browser. It displayed the image's binary data as if you were opening the image in a text editor, which means it was executed as a PHP script and the response Content-Type was set to text/html. So this is a simple and direct file upload bypass, right? All I have to do is inject my PHP code into the JPG file and get a fast remote code execution. I used a simple PHP code and injected it into the EXIF headers of the JPG image, then uploaded the image. But when I viewed it again, no PHP code was executed and nothing happened! So I saved the image to my computer and ran the strings command to see if it still had the phpinfo() code; however, the results returned none!!
-
It turned out that all EXIF metadata was deleted from the image after uploading it to the server, and the image was converted using the GD library in PHP via the imagecreatefromjpeg() function. So this seems not exploitable using EXIF data, but what would happen if I injected my PHP code into the image data itself, not the EXIF metadata? I thought that would work! So I tried to open the JPG file and inject the PHP code at the end of the file as follows:
The image was still valid and working on my computer. After that I uploaded the image file 1.jpg, but the result was like the following:
-
It displayed the error message "File must be a valid image (.gif, .jpg, .jpeg, or .png)". I was surprised how it detected that the image wasn't a valid image while the image was working on my computer, so I tried with some other JPG files, and it turned out that modifying a single character in any of those JPG images won't be accepted by the PHP GD library as a valid image, and the file will not be uploaded. After that I tried the same thing with a GIF image and it worked like a charm: the image was uploaded successfully without throwing any errors. But when I checked the image after uploading it, I found that my PHP code was totally removed from it. I tried again to inject the PHP code into other GIF images and in different places in the image, but the PHP code kept getting removed after uploading. That looks totally unexploitable, but I'm only one step away from getting RCE, so I should find a way to upload my image with the injected PHP code and bypass the imagecreatefromgif() function.

I don't know a lot about image processing and how PHP GD works, but I tried to do that the simple old-school way. I came up with an idea to compare the GIF images before and after they get converted using PHP GD and search for any similarity between them: if I find a part of the original file that was also kept after converting with PHP GD, then I can inject my PHP code in that part and get RCE. I decided to try this, so I coded a Python script that compares the images before and after converting and checks for any similarity between them. Then I searched my computer for all the GIF images and copied them all into one folder. Afterwards I wrote a PHP script that takes all the GIF images in that folder, regenerates them using the PHP GD imagecreatefromgif() function and saves them into another folder. Then I used the Python script to compare the files and check for any run of 13 similar bytes, which is the length of the code to be injected, in the original and the converted GIF image files. The results were really awesome: I found a GIF image with big similarities after it was converted using PHP GD.
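The comparison described above is, turned around, a useful regression test for anyone who relies on re-encoding as an upload sanitizer: if any fixed-length window of the input survives the round trip, the re-encoder is passing attacker-controlled bytes through unchanged. The following is an added example written for this page, not the author's script; the sample "original" and "converted" byte strings are constructed here to stand in for files produced by imagecreatefromgif(), and the 13-byte window length follows the text.

```python
# Added example: check whether a re-encoding step preserves any n-byte window
# of its input. Inputs are raw file bytes; sample data below is constructed.

def shared_runs(original: bytes, converted: bytes, n: int = 13) -> set:
    """Return every n-byte window that appears in both the original and the
    converted file. An empty set means no run of n input bytes survived."""
    if n <= 0 or len(original) < n or len(converted) < n:
        return set()
    # All sliding windows of the original, then keep the converted windows
    # that also occur there (set lookup keeps this linear in file size).
    windows = {original[i:i + n] for i in range(len(original) - n + 1)}
    return {
        converted[i:i + n]
        for i in range(len(converted) - n + 1)
        if converted[i:i + n] in windows
    }


def reencoder_passes_through(original: bytes, converted: bytes, n: int = 13) -> bool:
    """True when the sanitizer failed to disturb at least one n-byte run."""
    return bool(shared_runs(original, converted, n))


def report(original: bytes, converted: bytes, n: int = 13) -> list:
    """Hex-encoded surviving runs, the form the author searched for in a hex editor."""
    return sorted(run.hex() for run in shared_runs(original, converted, n))


if __name__ == "__main__":
    # Constructed sample: a 15-byte run of 0x42 sits inside both files, so a
    # re-encoder that produced `converted` would be passing those bytes through.
    original = b"GIF89a" + b"\x00\x01" + b"B" * 15 + b"\x3b"
    converted = b"GIF89a" + b"\x7f" + b"B" * 15 + b"\x00\x3b"
    print("pass-through:", reencoder_passes_through(original, converted))
    print("surviving runs:", report(original, converted))
```

In practice the two inputs are the uploaded file and whatever the server stored after GD reprocessing; a non-empty result is the signal that re-encoding alone cannot be trusted to strip embedded content, which is exactly what the write-up goes on to show.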
-
The values were represented in hex, so I opened the original image file using a hex editor, searched for one of those matched values, 3b45d00ceade0c1a3f0e18aff1, and modified it to the PHP code, saved the file, converted it with PHP GD and then checked the strings in the file.
And guess what? The PHP code was still there. I uploaded the GIF image to Bookfresh and that was the result:
-
PHP code executed successfully and I got RCE. The trick successfully defeated the PHP GD getimagesize() and imagecreatefromgif() functions that are used by many web developers nowadays to validate image uploads. I reported the vulnerability to the Square security team; they released a fast fix for the vulnerability, but I was able to bypass it again, so I gave them my recommendations for a complete fix. They applied it and paid me a very nice bounty for this bug.
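The page does not reproduce the recommendations that were applied, so the following is an added example, not Bookfresh's code or the author's, of the two controls the write-up makes a case for: the stored file's extension must come from the detected image type rather than the client-supplied name (the .jpg to .php rename is what let the GD output run as a script), and a scan for PHP open tags on the bytes that will actually be stored catches the case where re-encoding preserved them. Function names, the magic-byte table and the sample inputs are this example's own.

```python
# Added example: server-side naming and content checks for an image upload.
# Names, signatures and sample data are this example's own, not the page's.
import os
import re
import secrets

# Magic bytes for the formats the Bookfresh error message lists.
SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Only the unambiguous open tags are scanned. A bare "<?" (short_open_tag)
# is two bytes and appears by chance in ordinary binary image data, so it is
# deliberately not matched; this check is defence in depth, not the primary
# control, which is the extension and storage handling below.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def vulnerable_upload_name(client_filename: str) -> str:
    """The pattern the write-up exploits: the extension is whatever the
    client put in the multipart filename, so 'photo.php' is stored as .php."""
    _, ext = os.path.splitext(client_filename)
    return secrets.token_hex(16) + ext.lower()


def detect_image_type(data: bytes):
    """Return 'gif', 'jpg' or 'png' from the leading bytes, or None."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def contains_php_tag(data: bytes) -> bool:
    """True when the bytes to be stored carry a PHP open tag anywhere."""
    return PHP_OPEN_TAG.search(data) is not None


def safe_upload_name(client_filename: str, data: bytes) -> str:
    """Choose the stored filename on the server side.

    `data` should be the bytes that will actually be written (after any
    re-encoding), since that is what a web server would later execute.
    The client filename is accepted only so callers can log it; nothing
    from it reaches the stored name. Raises ValueError on rejection.
    """
    ext = detect_image_type(data)
    if ext is None:
        raise ValueError("File must be a valid image (.gif, .jpg, .jpeg, or .png)")
    if contains_php_tag(data):
        raise ValueError("image data contains a PHP open tag; rejected")
    # Random name plus an extension derived from content, never from the client.
    # Store it somewhere the web server is configured not to execute scripts.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample: a real GIF header followed by filler bytes.
    gif_bytes = b"GIF89a" + bytes(32)
    print("vulnerable:", vulnerable_upload_name("photo.php"))   # ends in .php
    print("safe:      ", safe_upload_name("photo.php", gif_bytes))  # ends in .gif
```

Even with both checks, serve uploads from a location with script execution disabled and with a Content-Type fixed by the server; the write-up shows the filter alone was bypassed twice, and the naming and storage rules are what remove the execution sink regardless of what the bytes contain.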