echoCTF.RED Target: CVE-2019-1010174 vs Player: biba22

Target from: CVE Network

Intermediate, Rootable

CVE-2019-1010174 / 0.0.0.0

4: Flags (2:system, env, root)
2: Services
1,520 pts

A small an easy target that exploits the CImg CVE-2019-1010174 vulnerability.

#headshot

headshoter rating: basic

Level 20 / Master Hax0r

biba22 / 1st Place

4: Flags found
2: Services discovered
1,520 pts
152 minutes

No bio...

This is a target with direct implementation of the CVE-2019-1010174 for the CImg Library v.2.3.3 and is here to assist in developing exploits for this vulnerability.

Description

CImg The CImg Library v.2.3.3 and earlier is affected by a command injection vulnerability. This attack can lead to RCE. The vulnerable code can be found in the load_network() function. Loading an image from a user-controllable url can lead to command injection, because no string sanitization is done on the url.

Environment details

The system is accessible at 10.0.160.248 and runs a web server and a vulnerable binary utilizing CImg.

Flags can be obtained by either accessing directly the service 375/tcp or through the web interface at http://10.0.160.248. Flags can be found at the usual places:

/root/ETSCTF
/etc/passwd gecos
/etc/shadow password hash
env variable

The source for the service listening on 375/tcp is the following

// https://github.com/github/security-lab/tree/master/SecurityExploits/CImg
#undef cimg_display
#define cimg_display 0
#include "CImg.h"
using namespace cimg_library;
#include 
#include 

// To compile and run:
//
// g++ -I./CImg poc.c -o poc
// ./poc
//
// Notice that the file ~/CImg-RCE has now been created.

int main(int argc, char **argv) {
  CImg<> img;
  std::cout << "Provide image url: " << std::endl;
  for (std::string line; std::getline(std::cin, line);) {
        std::cout << line << std::endl;
        img.assign(line.c_str());
  }
  return 0;
}

References

48 Headshots (newer first)

SantyNog7, doofyr, uApocryphon, cavca2012, michyamrane, redhair, falconsec, luismtzsilva, ks4v3r, Winsad, jaxafed, antonioban, noother, markuche, niggurath, vicky5, 0xRaef, Muzec, Grosik

M4sk0ff, JDgodd, ElleuchX1, abdullahzamir, wonderchild, yasir87, hacker, g0rchy, D1ie3z, srrequiem, ragdeyo, biba22, 0rgis, Pegasus, M96oL, qwerty12345, sn1per, Wh04m1, r0b0tG4nG, TheCyberGeek, galoget, jinake, lMinzarl, PufferOverflow, mpz, AKMalware, abosaif, hitmanalharbi, 0xTHMS

1 Writeup by:

r0b0tG4nG (en) Not rated!

Activity Stream

Latest activity on the platform

biba22 managed to headshot [CVE-2019-1010174], 41 months ago

biba22 Got the ETSCTF flag under the /root folder of CVE-2019-1010174 for 600 points, 41 months ago

biba22 Gained access to data stored in environmental variables of a server for 300 points, 41 months ago

biba22 Discovered the ETSCTF username flag under an authentication database file of a server for 400 points, 41 months ago

biba22 Discovered the ETSCTF flag on gecos details of a target for 200 points, 41 months ago

biba22 Discovered the image fetching service of CVE-2019-1010174 for 10 points, 41 months ago

biba22 Discovered the web service of CVE-2019-1010174 for 10 points, 41 months ago