Target from: CVE Network
4: Flags (2:system, env, root
)
2: Services
1,520 pts
0: Flags found
1: Service discovered
10 pts
This is a target with direct implementation of the CVE-2019-1010174 for the CImg Library v.2.3.3 and is here to assist in developing exploits for this vulnerability.
Description
CImg The CImg Library v.2.3.3 and earlier is affected by a command injection vulnerability. This attack can lead to RCE. The vulnerable code can be found in the load_network()
function. Loading an image from a user-controllable url can lead to command injection, because no string sanitization is done on the url.
Environment details
The system is accessible at 10.0.160.248
and runs a web server and a vulnerable binary utilizing CImg.
Flags can be obtained by either accessing directly the service 375/tcp
or through the web interface at http://10.0.160.248. Flags can be found at the usual places:
/root/ETSCTF
/etc/passwd
gecos/etc/shadow
password hashenv
variable
375/tcp
is the following
// https://github.com/github/security-lab/tree/master/SecurityExploits/CImg #undef cimg_display #define cimg_display 0 #include "CImg.h" using namespace cimg_library; #include#include // To compile and run: // // g++ -I./CImg poc.c -o poc // ./poc // // Notice that the file ~/CImg-RCE has now been created. int main(int argc, char **argv) { CImg<> img; std::cout << "Provide image url: " << std::endl; for (std::string line; std::getline(std::cin, line);) { std::cout << line << std::endl; img.assign(line.c_str()); } return 0; }
References
50 Headshots (newer first)
Praise, Caritattriste, SantyNog7, doofyr, uApocryphon, cavca2012, michyamrane, redhair, falconsec, luismtzsilva, ks4v3r, Winsad, jaxafed, antonioban, noother, markuche, niggurath, vicky5, 0xRaef
Muzec, Grosik, M4sk0ff, JDgodd, ElleuchX1, abdullahzamir, wonderchild, yasir87, hacker, g0rchy, D1ie3z, srrequiem, ragdeyo, biba22, 0rgis, Pegasus, M96oL, qwerty12345, sn1per, Wh04m1, r0b0tG4nG, TheCyberGeek, galoget, jinake, lMinzarl, PufferOverflow, mpz, AKMalware, abosaif, hitmanalharbi, 0xTHMS
1 Writeup by:
Activity Stream
Latest activity on the platform