Target from: CVE Network

Intermediate, Rootable

CVE-2019-1010174 / 0.0.0.0

4: Flags (2:system, env, root)
2: Services
1,520 pts


This target is a direct implementation of CVE-2019-1010174 in the CImg Library v.2.3.3 and exists to assist in developing exploits for this vulnerability.

Description

The CImg Library v.2.3.3 and earlier is affected by a command injection vulnerability, which can lead to remote code execution (RCE). The vulnerable code is in the load_network() function: loading an image from a user-controllable URL can lead to command injection, because no string sanitization is performed on the URL before it is used.

Environment details

The system is accessible at 10.0.160.248 and runs a web server and a vulnerable binary utilizing CImg.

Flags can be obtained either by accessing the service on 375/tcp directly or through the web interface at http://10.0.160.248. Flags can be found in the usual places:

  • /root/ETSCTF
  • /etc/passwd gecos
  • /etc/shadow password hash
  • environment variable

The source for the service listening on 375/tcp is the following:
// https://github.com/github/security-lab/tree/master/SecurityExploits/CImg
#undef cimg_display
#define cimg_display 0
#include "CImg.h"
using namespace cimg_library;
#include <iostream>
#include <string>

// To compile and run:
//
// g++ -I./CImg poc.c -o poc
// ./poc
//
// Notice that the file ~/CImg-RCE has now been created.

int main(int argc, char **argv) {
  CImg<> img;
  std::cout << "Provide image url: " << std::endl;
  // Every line read from stdin is handed unmodified to CImg, which treats it
  // as a filename or URL; a URL is fetched through load_network(), the
  // function affected by CVE-2019-1010174.
  for (std::string line; std::getline(std::cin, line);) {
    std::cout << line << std::endl;
    img.assign(line.c_str());
  }
  return 0;
}
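The service above passes whatever it reads from stdin straight to CImg. As an added example (not part of this target page, the echoCTF platform, or the CImg project), the following C++ shows the hardened form of that read loop: an allowlist check on the URL before it would reach img.assign(), so that anything a shell could interpret never gets as far as load_network(). The helper name is_safe_image_url, the character allowlist, and the length cap are assumptions chosen for this example; the CImg call is left out so the block compiles without the library. This is defence in depth alongside moving to a CImg release newer than the affected v.2.3.3.

```cpp
#include <iostream>
#include <string>

// ASCII-only classification, independent of the process locale.
static bool is_ascii_alnum(unsigned char c) {
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
           (c >= 'A' && c <= 'Z');
}

// Constructed allowlist check (assumed helper, not CImg API): accept only
// http:// or https:// URLs made of characters with no shell meaning.
bool is_safe_image_url(const std::string &url) {
    // 1. Scheme must be http or https, and something must follow it.
    const std::string http = "http://", https = "https://";
    size_t rest;
    if (url.compare(0, http.size(), http) == 0) {
        rest = http.size();
    } else if (url.compare(0, https.size(), https) == 0) {
        rest = https.size();
    } else {
        return false;
    }
    if (rest == url.size()) return false;  // scheme only, no host

    // 2. Length cap (assumed value) so the downstream command buffer that
    //    CImg builds stays comfortably sized.
    if (url.size() > 2048) return false;

    // 3. Character allowlist for everything after the scheme: RFC 3986
    //    unreserved characters plus '/', ':', '%', '?', '='. Shell
    //    metacharacters (space, ; | & $ ` " ' < > ( ) \ and newlines) are
    //    simply not in the list, so they are rejected.
    for (size_t i = rest; i < url.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(url[i]);
        if (is_ascii_alnum(c)) continue;
        switch (c) {
            case '-': case '.': case '_': case '~':
            case '/': case ':': case '%': case '?': case '=':
                continue;
            default:
                return false;
        }
    }
    return true;
}

// Same read loop as the service above, with validation in front of the
// point where img.assign(line.c_str()) would be called.
int main() {
    std::cout << "Provide image url: " << std::endl;
    for (std::string line; std::getline(std::cin, line);) {
        if (!is_safe_image_url(line)) {
            std::cout << "rejected: " << line << std::endl;
            continue;
        }
        std::cout << "accepted: " << line << std::endl;
        // img.assign(line.c_str());  // only reached for allowlisted input
    }
    return 0;
}
```

Rejecting rather than escaping is deliberate: quoting rules differ between the shells and download tools CImg may invoke, whereas a strict allowlist does not depend on any of them. The query separator '&' is intentionally absent from the allowlist because it has shell meaning; widen the list only if the service genuinely needs it.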
