  1. #1

    Wordpress TimThumb 2.8.13 WebShot Remote Code Execution (0-day)

    Looks like there's a new TimThumb vulnerability out:
    A new vulnerability has been announced in TimThumb, a library that many WordPress sites use to manipulate and display images. This vulnerability makes sites with a particular configuration of TimThumb vulnerable to arbitrary code execution attacks. These attacks are pretty serious, allowing the attacker to force your server to run any command they like. Usually, it’s not much work for an attacker to use an arbitrary code execution to gain complete control of the vulnerable server or network.

    If this feels familiar, it should. A very similar vulnerability was found in TimThumb in 2011. That one was much more serious, because pretty much all sites using TimThumb were vulnerable. This time not so many people will be affected, because you have to have the plugin in a specific, non-default configuration to be vulnerable.
    Source: http://www.dxw.com/2014/06/timthumb-...ad-once-again/

    Also check:
    http://seclists.org/fulldisclosure/2014/Jun/117
    https://code.google.com/p/timthumb/i...&ts=1403690188
    Fusioned - http://www.fusioned.net
    Enterprise & Semi-Dedicated Hosting | CloudLinux, cPanel, LiteSpeed, Acronis | PHP 5.6, 7.2, 7.3, 7.4 & 8.0
    Fully Managed SSD KVM VPS & Dedicated Servers | CloudFlare & Acronis Partner | RIPE LIR

  2. #2
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    Beat me to it; I opted to HSL first.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Yeah, was just about to email you and then the email from HSL arrived

  4. #4
    Join Date: Oct 2012 | Location: Europe and USA | Posts: 991
    Steven, does making all timthumb.php files on the server non-executable protect from the exploit until a fix is published?

    Code:
    locate timthumb.php | while IFS= read -r i; do chmod -cv 000 "$i"; done
    Or something else should be done?

    Of course the themes using timthumb.php will not be able to generate thumbnails, but this is a minor issue compared to server and web site security, which comes above all.
    NetworkPanda :: Web Hosting SSD Powered :: Reseller Hosting
    Instant activation, fast servers, NVMe SSD disks, cPanel, Softaculous 1-click apps installer, daily backups
    Multiple hosting locations: USA, Canada, France, UK, Germany, Italy, Spain, Poland, Finland

  5. #5
    Join Date: Jun 2002 | Location: Long Beach, NY | Posts: 211
    Thanks George for the post, and Steven for the HostingSecList email advisory.

    I've scanned my servers and confirmed WEBSHOT_ENABLED defined as FALSE in all timthumb.php and thumb.php using the following -

    Code:
    find . -type f \( -iname thumb.php -or -iname timthumb.php \) -exec grep -HP 'define ?\(.WEBSHOT_ENABLED' {} \;
    Is that sufficient to know that I have no vulnerable installations, or can a theme set WEBSHOT_ENABLED to TRUE outside of the timthumb.php code?

    Are there any other recommended measures to be taken?

    Thanks.

  6. #6
    Join Date: Nov 2002 | Location: Portland, Oregon | Posts: 2,992
    Oh God not TimThumb again. I still occasionally come across sites that never got patched from the last time. Whee. Thx HSL

  7. #7
    Join Date: Oct 2012 | Location: Europe and USA | Posts: 991
    Another idea, finding all timthumb.php files and disabling WEBSHOT wherever it is enabled:

    Code:
    locate timthumb.php | while IFS= read -r i; do sed -i "s/('WEBSHOT_ENABLED', *true)/('WEBSHOT_ENABLED', false)/I" "$i"; done
    If you get a "locate: command not found" error, then run
    yum install mlocate
    updatedb

    and run the above command again.
    Last edited by NetworkPanda; 06-25-2014 at 11:34 AM.

  8. #8
    Join Date: Jun 2002 | Location: Long Beach, NY | Posts: 211
    @NetworkPanda - I'm not yet sure of the correct action here, but whatever action you take, you also need to scan for thumb.php. I'm not sure what other names might be used - I've heard "webthumb.php" is also possible but have never found any instances of that one.

  9. #9
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    Quote Originally Posted by lbeachmike:
    @NetworkPanda - I'm not yet sure of the correct action here, but whatever action you take, you also need to scan for thumb.php. I'm not sure what other names might be used - I've heard "webthumb.php" is also possible but have never found any instances of that one.
    We scan for *thumb.php as there are multiple variations.

  10. #10
    Join Date: Oct 2012 | Location: Europe and USA | Posts: 991
    Quote Originally Posted by lbeachmike:
    @NetworkPanda - I'm not yet sure of the correct action here, but whatever action you take, you also need to scan for thumb.php. I'm not sure what other names might be used - I've heard "webthumb.php" is also possible but have never found any instances of that one.
    Correct, or better scan all php files in wp-content folders and replace ('WEBSHOT_ENABLED', true) with ('WEBSHOT_ENABLED', false) wherever it exists.

  11. #11
    Join Date: Jun 2002 | Location: Long Beach, NY | Posts: 211
    Quote Originally Posted by NetworkPanda:
    Correct, or better scan all php files in wp-content folders and replace ('WEBSHOT_ENABLED', true) with ('WEBSHOT_ENABLED', false) wherever it exists.
    Do we know that the theme cannot override the WEBSHOT_ENABLED setting in the *thumb.php file?

  12. #12
    Join Date: Oct 2012 | Location: Europe and USA | Posts: 991
    Quote Originally Posted by lbeachmike:
    Do we know that the theme cannot override the WEBSHOT_ENABLED setting in the *thumb.php file?
    No, PHP constants (configured with the define command) are not like variables which can be changed afterwards in other parts of the code. PHP constants are defined once and they can not be overridden elsewhere.

    But even if it could be possible, searching all PHP files for "define('WEBSHOT_ENABLED', true);" and replacing it with "define('WEBSHOT_ENABLED', false);" should fix this too.

  13. #13
    Join Date: Jan 2010 | Location: London | Posts: 55
    This should work though it will take a while:

    Code:
    find /home -path '*wp-content*' -name '*.php' -exec sed -i "s/('WEBSHOT_ENABLED', *true)/('WEBSHOT_ENABLED', false)/I" {} +
    NetHosted Ltd - UK based hosting solutions.
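    Pulling together the checks discussed in this thread (the grep for the define in post 5, the *thumb.php and img.php naming variants in posts 9, 10 and 19, and the rewrite in post 13): the script below is an added example, not code posted by anyone here. It assumes GNU find, grep and sed (sed -i and the s///I flag are GNU extensions) and takes the web root to scan as its argument; /home is only a placeholder. It finds TimThumb copies by file content rather than by filename, and it looks at every PHP file's define rather than only *thumb.php, because TimThumb sets its own default inside if(!defined('WEBSHOT_ENABLED')), so whichever file defines the constant first decides the setting.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. Assumes GNU find, grep
# and sed (sed -i and the s///I flag are GNU extensions). Scans a web root for
# every PHP file that defines WEBSHOT_ENABLED, whatever the file is called, and
# can rewrite an enabled define to false.

# ERE for "define('WEBSHOT_ENABLED'" with either quote style and optional spaces.
WEBSHOT_DEFINE="define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"]"

# Print "FILE<TAB>true|false" for every PHP file under $1 that defines the
# constant. Matching is by content, so timthumb.php, thumb.php, webthumb.php and
# img.php copies are all found; it is case-insensitive, so TRUE counts as enabled.
list_webshot_settings() {
    find "$1" -type f -name '*.php' -exec grep -liE "$WEBSHOT_DEFINE" {} + 2>/dev/null |
    while IFS= read -r f; do
        if grep -qiE "${WEBSHOT_DEFINE}[[:space:]]*,[[:space:]]*true" "$f"; then
            printf '%s\ttrue\n' "$f"
        else
            printf '%s\tfalse\n' "$f"
        fi
    done
}

# Only the files where the constant is defined as true: the ones that need attention.
list_webshot_enabled() {
    list_webshot_settings "$1" | awk -F'\t' '$2 == "true" { print $1 }'
}

# Rewrite every enabled define under $1 to false, keeping a .bak copy of each
# original. Prints the number of files changed so the run can be verified.
disable_webshot() {
    files=$(list_webshot_enabled "$1")
    [ -n "$files" ] || { echo 0; return 0; }
    printf '%s\n' "$files" | while IFS= read -r f; do
        cp -p "$f" "$f.bak"
        sed -i -E "s/(${WEBSHOT_DEFINE}[[:space:]]*,[[:space:]]*)true/\1false/I" "$f"
    done
    printf '%s\n' "$files" | wc -l | tr -d ' '
}

# Usage: webshot-scan.sh /home            (report every define and its state)
#        webshot-scan.sh /home --disable  (report, then rewrite enabled ones)
if [ -n "${1:-}" ]; then
    list_webshot_settings "$1"
    [ "${2:-}" = "--disable" ] && echo "changed: $(disable_webshot "$1")"
fi
```

    Run it in report mode first and review the list; the rewrite only touches files the report marked true, and the .bak copies let you confirm the diff per site before removing them.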

  14. #14
    I'm not finding many installations (haven't found any yet) with this enabled, it seems. Could be a good sign... hopefully.
    * GeekStorage.com: Affordable, Performance Web Hosting
    * WHM/cPanel Shared Hosting, SSD Virtual Private Servers, and Dedicated Servers
    * CloudLinux, LiteSpeed, MariaDB, and SpamExperts
    * @GeekStorage

  15. #15
    Join Date: Jun 2002 | Location: Long Beach, NY | Posts: 211
    Quote Originally Posted by MattE:
    I'm not finding many installations (haven't found any yet) with this enabled, it seems. Could be a good sign... hopefully.
    I did not have a single install with it enabled either.

  16. #16
    Join Date: Jun 2014 | Location: Rowley, MA | Posts: 67
    Annnd I'll just go add Syria, Lebanon, and Iran to the firewall for a couple weeks...
    Neil Hanlon | Support Analyst
    888-X10-9668 - neil[at]x10hosting.com
    █ R1Soft licenses available - r1softlicenses.com
    Shared and VPS hosting - x10premium.com \ x10vps.com

  17. #17
    In the Iranians really are oppressed.

    America only wants to be dominated
    Iran is not scary.

  18. #18
    I think Webshot_enable is disabled by default.

    Only old themes use Timthumb
    Dewlance® Shared/Reseller/Master Reseller - US/UK/EU/FRK/CA - SSD
    WHMCS ReadyMadeKB - Tutorials for cPanel/InterWorx/Softaculous& Growing..
    DemoTiger.com - Buy Demo Videos for your Hosting Company

  19. #19
    Join Date: Apr 2003 | Location: Los Angeles, CA | Posts: 245
    Just FYI to all, I have seen other plugins use the filename 'img.php' for the Timthumb script.

    One in particular I recently came across using this filename is a popular paid plugin (developed by an Elite Author at ThemeForest) that is still using TimThumb 2.8.
    I've sent a few emails to the author in hopes that they update ASAP.
    Sam Jadali | Host Duplex
    sam.jadali [@] hostduplex.com
    Premium Shared, Reseller, & XenServer VPS Web Hosting
    Chicago, IL & Los Angeles, CA | http://www.hostduplex.com
