Target from: CVE Network

Intermediate, Rootable

CVE-2019-1010174 / 0.0.0.0

4: Flags (2:system, env, root)
2: Services
1,520 pts

#headshot

Level 20 / Master Hax0r

Caritattriste / 15th Place

4: Flags found
2: Services discovered
765 pts
102 minutes

This target is a direct implementation of CVE-2019-1010174 in the CImg Library v.2.3.3 and exists to assist in developing exploits for this vulnerability.

Description

The CImg Library v.2.3.3 and earlier is affected by a command injection vulnerability that can lead to RCE. The vulnerable code is in the load_network() function: loading an image from a user-controllable URL can lead to command injection, because no string sanitization is done on the URL.

Environment details

The system is accessible at 10.0.160.248 and runs a web server and a vulnerable binary utilizing CImg.

Flags can be obtained either by accessing the service on 375/tcp directly or through the web interface at http://10.0.160.248. Flags can be found at the usual places:

  • /root/ETSCTF
  • /etc/passwd gecos
  • /etc/shadow password hash
  • env variable
The source for the service listening on 375/tcp is the following:

// https://github.com/github/security-lab/tree/master/SecurityExploits/CImg
#undef cimg_display
#define cimg_display 0
#include "CImg.h"
using namespace cimg_library;
#include <iostream>
#include <string>

// To compile and run:
//
// g++ -I./CImg poc.c -o poc
// ./poc
//
// Notice that the file ~/CImg-RCE has now been created.

int main(int argc, char **argv) {
  CImg<> img;
  std::cout << "Provide image url: " << std::endl;
  // Each line read from stdin is handed unchanged to CImg::assign(). When the
  // string looks like a URL, CImg fetches it through load_network(), and no
  // sanitization happens between the user input and that call.
  for (std::string line; std::getline(std::cin, line);) {
        std::cout << line << std::endl;
        img.assign(line.c_str());
  }
  return 0;
}
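A defender-side counterpart to the PoC above, added here as an example (it is neither CImg's code nor the service's): a strict allow-list check on the user-supplied URL, and a downloader invocation built as an argv vector so the string is never parsed by a shell, which is the pattern a shell-free fix for load_network()-style code relies on. The character set is an assumption of this example and deliberately excludes query strings; `fetch_argv` and `is_safe_image_url` are hypothetical names.

```cpp
#include <cctype>
#include <stdexcept>
#include <string>
#include <vector>

// Allow-list of characters accepted in a user-supplied image URL. It is
// deliberately narrow: no shell metacharacters (; | & $ ` ' " < > ( ) * ?
// space, backslash), so the string cannot alter a command line even if a
// downstream loader, like CImg's load_network(), still passes it to a shell.
// Assumption (this example only): query strings are not needed by the service.
static bool is_allowed_url_char(char c) {
    if (std::isalnum(static_cast<unsigned char>(c))) return true;
    switch (c) {
        case '-': case '.': case '_': case '~': case '/': case ':': case '%':
            return true;
        default:
            return false;
    }
}

// Returns true only for http(s) URLs made entirely of allow-listed characters.
bool is_safe_image_url(const std::string& url) {
    static const std::string http = "http://", https = "https://";
    const bool scheme_ok = url.compare(0, http.size(), http) == 0 ||
                           url.compare(0, https.size(), https) == 0;
    if (!scheme_ok || url.size() > 2048) return false;
    for (char c : url) {
        if (!is_allowed_url_char(c)) return false;
    }
    return true;
}

// Builds the downloader invocation as an argv vector instead of one command
// string. Each element is a separate argument, so even a URL that slipped past
// the allow-list is never interpreted by /bin/sh. Run the vector with
// execvp/posix_spawn, not popen()/system().
std::vector<std::string> fetch_argv(const std::string& url,
                                    const std::string& out_path) {
    if (!is_safe_image_url(url)) {
        throw std::invalid_argument("rejected image URL: disallowed scheme or character");
    }
    return {"curl", "--silent", "--fail", "--output", out_path, url};
}
```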
