Reported RCE in djvu thumbnailing
Closed, ResolvedPublic

Assigned To
None
Priority
Unbreak Now!
Author
csteipp
Blocks
Restricted Task
Subscribers
matmarex, Grunny, MarkTraceur and 8 others
Projects
Reference
bz60339
Description

PoC from checkpoint

This was sent to security@mediawiki.org a few days ago, and I just got it last night. This morning I got the encrypted PoC from them. Obviously this is very serious.

Shell meta characters can be passed in the page parameter to the thumb.php.

This fix is trivial, I've just tested and confirmed it fixes the issue on my local dev. I'll upload a patch to the cluster and deploy it.

Chris,
The OTRS system wouldn't let me forward this to security@wikimedia.org since that used to be an OTRS address.

Ryan // User:Rjd0060

  • Forwarded message from Shahar Tal <shahartal@checkpoint.com> ---

From: Shahar Tal <shahartal@checkpoint.com>
To: "security@mediawiki.org" <security@mediawiki.org>
Cc: Netanel Rubin <netanelr@checkpoint.com>, Inbar Raz <inbarr@checkpoint.com>
Subject: Remote code execution via incorrectly sanitized parameter
Date: 2014-01-19 12:23:54

Hi, my name is Shahar Tal, I lead a security research team with Check Point's
Malware & Security Research group.

I am writing this to inform you of a critical RCE vulnerability that was
identified in core MediaWiki by Netanel Rubin - a researcher in my team.

The vulnerability enables unrestricted command injection via an incorrectly
sanitized parameter.
We have verified this vulnerability exists with default installations as long as a
certain (not uncommon) setting is enabled, as is on wikimedia.org (see attached
screenshot for verification).

Note that it is our policy to follow responsible disclosure etiquette, and while
we do eventually intend to make the vulnerability details public - we strongly
prefer it would be done in full coordination and only after a fix has been made
available.

We would like to submit the details privately to the responsible parties, as well
as suggest a fix, please contact me for further coordination.

Regards,

Shahar TalAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Check Point Software Technologies | * +972-77-775-8352 | M +972-545-888887 | *
shahartal@checkpoint.com<mailto:shahartal@checkpoint.com>

  • End forwarded message ---

Version: unspecified
Severity: critical

attachment mediawiki-rce-19-01-2014.pdf ignored as private

bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz60339.
csteipp created this task.Via LegacyJan 22 2014, 2:26 PM
csteipp added a comment.Via ConduitJan 22 2014, 2:35 PM

Created attachment 14359
intval the page parameter

Deployed onto the cluster, due to severity:

14:34 logmsgbot: csteipp synchronized php-1.23wmf10/includes/media 'bug60339'
14:33 logmsgbot: csteipp synchronized php-1.23wmf11/includes/media 'bug60339'

attachment bug60339.patch ignored as obsolete

csteipp added a comment.Via ConduitJan 22 2014, 2:48 PM

Adding Shahar, the reporter.

Shahar, as I mentioned in email too, I'd like to confirm that we don't have similar issues elsewhere in our image handling, and then we'll release this as a security release in the next few business days.

bzimport added a comment.Via ConduitJan 22 2014, 3:02 PM

shahartal wrote:

FYI, This has been assigned CVE-2014-1610.

tstarling added a comment.Via ConduitJan 22 2014, 6:22 PM

Created attachment 14361
Escape shell arguments

Escape as well as validate, per usual coding style.

Attached: bug-60339-v3-djvu.patch

tstarling added a comment.Via ConduitJan 22 2014, 6:38 PM

Confirmed the vulnerability and tested the fix.

tstarling added a comment.Via ConduitJan 22 2014, 7:06 PM

I checked all wfShellExec()/wfShellExecWithStderr() calls in includes/media:

BitmapHandler::transformImageMagick() should probably escape variables derived from string literals, such as $quality, on the basis that they may come from user input in the future. array_map('wfEscapeShellArg', array_merge(...)) could be used for argument assembly instead of string concatenation.

BitmapHandler::transformCustom() lacks escaping of $params['physicalHeight'] and $params['physicalWidth'].

BitmapHandler::rotate() depends on the "%" operator converting a string to a number, which seems a bit dodgy.

tstarling added a comment.Via ConduitJan 22 2014, 7:27 PM

Created attachment 14364
Clean up related escaping issues

Something like this untested patch.

Attached: bug-60339-cleanup.patch

csteipp added a comment.Via ConduitJan 24 2014, 10:24 PM

content hidden as private in Bugzilla

csteipp added a comment.Via ConduitJan 27 2014, 9:09 PM

Created attachment 14383
PDF Handler - wmf10

PDF Handler was also vulnerable after the last set of patches. These have been deployed on the Cluster. In wmf11, there was a change to remove the 2>&1, so there are versions of this patch for both wmf10 and wmf11.

Attached: bug60339-pdfhandler-wmf10.patch

csteipp added a comment.Via ConduitJan 27 2014, 9:10 PM

Created attachment 14384
PDF Handler - wmf11

Attached: bug60339-pdfhandler-wmf11.patch

csteipp added a comment.Via ConduitJan 27 2014, 10:05 PM

I've done some testing on Tim's patches, and deployed them on the cluster. Adding Bawolff in case he sees anything odd in file uploads or thumbnailing.

csteipp added a comment.Via ConduitJan 28 2014, 12:14 AM

Created attachment 14389
Core REL1_22

Backport for 1_22

Attached: bug60339-combined-REL1_22.patch

csteipp added a comment.Via ConduitJan 28 2014, 2:34 AM

Adding early access partners.

We are planning to release these patches as part of 1.22.2 tomorrow (Tuesday Jan 28th).

csteipp added a comment.Via ConduitJan 28 2014, 3:13 AM

Created attachment 14392
Core REL1_21

Attached: bug60339-combined-REL1_21.patch

csteipp added a comment.Via ConduitJan 28 2014, 3:19 AM

Created attachment 14393
Core REL1_19

Attached: bug60339-combined-REL1_19.patch

gerritbot added a comment.Via ConduitJan 28 2014, 9:38 PM

Change 110069 had a related patch set uploaded by CSteipp:
SECURITY: Sanitize shell command args

https://gerrit.wikimedia.org/r/110069

gerritbot added a comment.Via ConduitJan 28 2014, 9:39 PM

Change 110071 had a related patch set uploaded by CSteipp:
SECURITY: Sanitize shell command args

https://gerrit.wikimedia.org/r/110071

gerritbot added a comment.Via ConduitJan 28 2014, 9:40 PM

Change 110074 had a related patch set uploaded by CSteipp:
Sanitize shell command args

https://gerrit.wikimedia.org/r/110074

gerritbot added a comment.Via ConduitJan 28 2014, 9:44 PM

Change 110080 had a related patch set uploaded by CSteipp:
SECURITY: Escape all shell arguments

https://gerrit.wikimedia.org/r/110080

gerritbot added a comment.Via ConduitJan 28 2014, 9:45 PM

Change 110081 had a related patch set uploaded by CSteipp:
SECURITY: Escape all shell arguments

https://gerrit.wikimedia.org/r/110081

gerritbot added a comment.Via ConduitJan 28 2014, 9:46 PM

Change 110082 had a related patch set uploaded by CSteipp:
SECURITY: Escape all shell arguments

https://gerrit.wikimedia.org/r/110082

gerritbot added a comment.Via ConduitJan 28 2014, 9:53 PM

Change 110080 merged by jenkins-bot:
SECURITY: Escape all shell arguments

https://gerrit.wikimedia.org/r/110080

gerritbot added a comment.Via ConduitJan 28 2014, 9:53 PM

Change 110081 merged by jenkins-bot:
SECURITY: Escape all shell arguments

https://gerrit.wikimedia.org/r/110081

gerritbot added a comment.Via ConduitJan 28 2014, 9:54 PM

Change 110082 merged by jenkins-bot:
SECURITY: Escape all shell arguments

https://gerrit.wikimedia.org/r/110082

csteipp added a comment.Via ConduitJan 28 2014, 9:56 PM

Clarification from the release announcement. Checkpoint did mention PdfHandler in their original PoC. Internal review found an additional vector not prevented by their proposed fix.

gerritbot added a comment.Via ConduitJan 28 2014, 10:02 PM

Change 110071 merged by jenkins-bot:
SECURITY: Sanitize shell command args

https://gerrit.wikimedia.org/r/110071

gerritbot added a comment.Via ConduitJan 28 2014, 10:02 PM

Change 110074 merged by jenkins-bot:
Sanitize shell command args

https://gerrit.wikimedia.org/r/110074

gerritbot added a comment.Via ConduitJan 28 2014, 10:14 PM

Change 110069 merged by jenkins-bot:
SECURITY: Sanitize shell command args

https://gerrit.wikimedia.org/r/110069

matmarex added a comment.Via ConduitJan 29 2014, 3:56 PM

(Attachment 14358 from comment 0 is still private, is that intended?)

csteipp added a comment.Via ConduitJan 29 2014, 6:03 PM

(In reply to comment #29)

(Attachment 14358 [details] from comment 0 is still private, is that
intended?)

It is. The attachment contains a working PoC for code execution on unpatched wikis, and I'd like to give our users some time to patch before making that part public. Additionally, Checkpoint dind't intend for that to be public, so it hasn't bean approved by their PR people and the researcher asked me to keep it private.

Once it seems like most wikis have patches, I'll at least make the exploit public, so we have a negative example that developers can see and prevent in the future.

gerritbot added a comment.Via ConduitJan 29 2014, 6:27 PM

Change 110215 had a related patch set uploaded by CSteipp:
SECURITY: Sanitize shell command args

https://gerrit.wikimedia.org/r/110215

gerritbot added a comment.Via ConduitJan 29 2014, 6:31 PM

Change 110215 merged by jenkins-bot:
SECURITY: Sanitize shell command args

https://gerrit.wikimedia.org/r/110215

gerritbot added a comment.Via ConduitJan 30 2014, 7:23 PM

Change 110423 had a related patch set uploaded by CSteipp:
SECURITY: Escape all shell arguments

https://gerrit.wikimedia.org/r/110423

gerritbot added a comment.Via ConduitJan 30 2014, 7:24 PM

Change 110423 merged by jenkins-bot:
SECURITY: Escape all shell arguments

https://gerrit.wikimedia.org/r/110423

gerritbot added a comment.Via ConduitJan 30 2014, 7:25 PM

Change 110424 had a related patch set uploaded by Reedy:
SECURITY: Escape all shell arguments

https://gerrit.wikimedia.org/r/110424

gerritbot added a comment.Via ConduitJan 30 2014, 7:25 PM

Change 110425 had a related patch set uploaded by Reedy:
SECURITY: Escape all shell arguments

https://gerrit.wikimedia.org/r/110425

gerritbot added a comment.Via ConduitJan 30 2014, 7:32 PM

Change 110424 merged by jenkins-bot:
SECURITY: Escape all shell arguments

https://gerrit.wikimedia.org/r/110424

gerritbot added a comment.Via ConduitJan 30 2014, 7:32 PM

Change 110425 merged by jenkins-bot:
SECURITY: Escape all shell arguments

https://gerrit.wikimedia.org/r/110425

Gilles added a project: Multimedia.Via WebNov 24 2014, 3:19 PM
Gilles moved this task to Closed on the Multimedia workboard.Via WebDec 2 2014, 8:55 AM
csteipp added a project: Security.Via WebThu, Mar 26, 8:39 PM

Add Comment

Column Prototype
This is a very early prototype of a persistent column. It is not expected to work yet, and leaving it open will activate other new features which will break things. Press "\" (backslash) on your keyboard to close it now.