Bookfresh Tricky File Upload Bypass To RCE

HelloalltodayimgoingtowriteaboutaninterestingvulnerabilityivefoundinSquaresAcquisitionwebsitebookfresh.comthatwasescalatedtoremotecodeexecution.thestorystartedwhenisawthatBookfreshbecameapartofSquarebugbountyprogramatHackerone.idecidedtotakealookatandstartfindingsomevulnerabilities.ivefoundthatthewebsiteisvulnerabletomanyXSSbutiwaslookingforsomethingbiggerlikeSqlInjectionorRCE.sowhileiwascheckingforsqlinjectionbugsinavigatedtotheprofilepageandfoundthereisafileuploadformtouploadyourprofilephoto.atthefirstmomentididntexpecttofindanyvulnerabilityinthatuploadfunctionalitybutidecidedtogiveitatrymaybeicouldbelucky.iuploadedajpgimagefilewhileinterceptingthehttprequestthenichangedthefilenameextensionfromjpgtophpandforwardedtherequest.isurprisedthattheimagewasuploadedwiththephpextension.ididntbelievemyeyessoicopiedtheimagelinkandopeneditinthebrowser.itdisplayedtheimagebinarydataasyouwereopeningtheimageinatexteditorwhichmeansitwassuccessfullyexecutedasphpscriptandtheresponsecontenttypewassettotext/htmlsothisisasimpleanddirectfileuploadbypass,right ?allihavetodoistoinjectmyphpcodeinthejpgfileandgetfastremotecodeexecution.soiusedasimplephpcodeandinjecteditintotheEXIFheadersofjpgimagethenuploadedtheimagebutwhenivieweditagainnophpcodewasexecutedandnothinghappened!soisavedtheimagetomycomputerandexecutedstringscommandtoseeifitstillhavethephpinfo()code,howevertheresultsreturnednone!!

ItturnedoutthatallEXIFmetadatawasdeletedfromtheimageafteruploadingittotheserverandtheimagewasconvertedusingtheGDlibraryinphpusingtheimagecreatefromjpeg()function.sothisseemsnotexploitableusingexifdata,butwhatwillhappenifiinjectedmyphpcodeintotheimagedataitselfnottheEXIFmetadata?ithoughtthatwouldwork!soitriedtoopenthejpgfileandinjectthephpcodeattheendofthefileasthefollowing

theimagewasstillvalidandworkingonmycomputer,afterthatiuploadedtheimagefile1.jpgbuttheresultswaslikethefollowing:

itdisplayederrormessageFilemustbeavalidimage(.gif,.jpg,.jpeg,or.png),iwassurprisedhowitdetectedthattheimagewasntvalidimagewhiletheimageisworkingonmycomputersoitriedwithsomeotherjpgfilesanditturnedoutthatmodifyingasinglecharacterinanyofthosejpgimageswontbeacceptedbyphpgdlibraryasavalidimageandwillnotbeuploaded.afterthatitriedthesamethingwithgifimageanditworkedlikeacharmandtheimagewasuploadedsuccessfullywithoutthrowinganyerrors,butwhenitriedtochecktheimageafteruploadingit.ifoundthatmyphpcodewastotallyremovedfromit itriedagaintoinjectthephpcodeintoothergifimagesandindifferentplacesintheimagebutthephpcodewasgettingremovedafteruploadingit.thatlookstotallyunexploitable,butimonlyonestepawayfromgettingRCE,soishouldfindawaytouploadmyimagewiththeinjectedphpcodeandbypasstheimagecreatefromgif()function.idontknowalotaboutimageprocessingandhowthephpGDworksbutitriedtodothatwithsimpleoldschoolway.icamewithanideatocomparethegifimagesbeforeandafteritgetconvertedusingphpgdandsearchforanysimilaritybetweenthem,soififindasimilarpartintheoriginalfilethatwaskeptalsoafterconvertingusingthephpgdthenicaninjectmyphpcodeinthatpartandgetRCEidecidedtotrythis,soicodedapythonscriptthatwillcomparetheimagesbeforeandafterconvertingandcheckforanysimilaritybetweenthem.thenisearchedinmycomputerforallthegifimagesandcopiedthemallinonefolder,afterwardsiwroteaphpscriptthatwilltakeallthegifimagesinthatfolderandregeneratethemusingthephpgdimagecreatefromgif()functionandsavethemintoanotherfoldertheniusedthepythonscripttocomparethefilesandcheckforanysimilar13byteswhichwillbethelengthofintheoriginalandtheconvertedgifimagefiles,andtheresultswasreallyawesome ,ivefoundgifimagewithabigsimilaritiesafteritwasconvertedusingphpgd.

thevalueswererepresentedinhex,soiopenedtheoriginalimagefileusingahexeditorandsearchedforaoneofthosematchedvalues3b45d00ceade0c1a3f0e18aff1andmodifieditto,savedthefileandconverteditwithphpgdthenthencheckedthestringsinthefile.

andguesswhat?thephpcodewasstillthere iuploadedthegifimagetobookfreshandthatwastheresult

phpcodeexecutedsuccessfullyandivegotRCE thetricksuccessfullydefeatedthePHPGDgetimagesize()andimagecreatefromgif()functionsthatareusedbymanywebdevelopersnowdaystovalidateimageuploads.ivereportedthevulnerabilitytosquaresecurityteamtheyreleasedafastfixforthevulnerabilitybutiwasabletobypassitagainsoigavethemmyrecommendationsforacompletefixandtheyapplieditandpaidmeaverynicebountyforthisbug

Bookfresh Tricky File Upload Bypass To RCE

Documents

Transcript of Bookfresh Tricky File Upload Bypass To RCE

Youth Network, RCE Bogota

RCE Greater Nairobi Welcomes you to the 2013 global RCE conference

Diablo Next RCE Polo RCE English - druservice.co.uk

RCE Guidelines

Human Resou rce Development

Youth at RCE Thiruvanathatpurman

2013 RCE Awards

RCE Capital

Phase 3 Tricky Words Activity Bookletd6vsczyu1rky0.cloudfront.net/36604_b/wp...3-tricky...Read the tricky words and colour the fish using these clues. . Under the Sea Tricky Word Colouring

METAL PUMPS RCE

This is ur. ur is a tricky monster. Tricky monsters aren’t naughty- just tricky like you!

RCE 2013 Print Report

Youth and our RCE, RCE Greater Western Sydney

Living Lab, RCE Borderlands Mexico-USA, Policy Support Session, 10th Global RCE Conference

RCE Singapore (Unabridged)

Tricky Grammar

Phase 5 Tricky Words Activity Booklet...Phase 5 Tricky Words Activity Booklet Name: Read the tricky words and colour the balloons using the clues below. Balloons Tricky Word Colouring

Youth Interventions, RCE Chennai

R U N W A Y - Visual Eyes Eyewearveeyewear.com/pdf/2012_11_21/Runway_Catalog.pdf · company history 44 rce-101 rce-102 rce-103 rce-105 rce-104 rce-106 1 runway couture eyewear 53-16-135

Tricky Photo