Target from: CVE Network
This target is a direct implementation of CVE-2019-1010174 in the CImg Library v.2.3.3 and is here to assist in developing exploits for this vulnerability.
Description
The CImg Library v.2.3.3 and earlier is affected by a command injection vulnerability that can lead to RCE. The vulnerable code is in the load_network() function: loading an image from a user-controllable URL can lead to command injection, because no string sanitization is done on the URL before it is used.
Environment details
The system is accessible at 10.0.160.248 and runs a web server and a vulnerable binary utilizing CImg.
Flags can be obtained either by accessing the service on 375/tcp directly or through the web interface at http://10.0.160.248. Flags can be found at the usual places:
/root/ETSCTF
/etc/passwd (gecos field)
/etc/shadow (password hash)
env variable
The binary listening on 375/tcp is the following:
```cpp
// https://github.com/github/security-lab/tree/master/SecurityExploits/CImg
#undef cimg_display
#define cimg_display 0
#include "CImg.h"
using namespace cimg_library;
#include <iostream>
#include <string>

// To compile and run:
//
//   g++ -I./CImg poc.c -o poc
//   ./poc
//
// Notice that the file ~/CImg-RCE has now been created.

int main(int argc, char **argv) {
  CImg<> img;
  std::cout << "Provide image url: " << std::endl;
  // Every line read from stdin is passed unchanged to CImg, which treats it
  // as a URL and hands it to load_network() without any sanitization.
  for (std::string line; std::getline(std::cin, line);) {
    std::cout << line << std::endl;
    img.assign(line.c_str());
  }
  return 0;
}
```
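The missing check in the description and the PoC above is input validation before the URL reaches load_network(). The following is an added example, not code from the CVE Network page or from the CImg project: an allowlist-based URL check that would sit in front of the same stdin loop, with the call to img.assign() left as a hypothetical comment so the block builds without CImg.h.

```cpp
// Added example (not from the CVE Network page or from CImg): an allowlist
// check run on every URL before it is handed to CImg's load_network(),
// which, per the advisory, builds a shell command from the unsanitized URL.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Allowed non-alphanumeric URL characters. Shell-significant characters
// (quotes, backslash, $, backtick, ;, |, &, <, >, brackets, *, whitespace)
// are deliberately absent; '&' being out also rejects multi-parameter queries.
static const std::string kUrlExtra = "-._~:/?+,=%@";
static bool url_char_allowed(unsigned char c) {
    return std::isalnum(c) || kUrlExtra.find(static_cast<char>(c)) != std::string::npos;
}

// True only for an http(s) URL of bounded length built solely from allowed
// characters; anything else must never reach img.assign().
bool is_safe_image_url(const std::string& url) {
    const bool http  = url.compare(0, 7, "http://") == 0;
    const bool https = url.compare(0, 8, "https://") == 0;
    if (!http && !https) return false;
    if (url.size() > 2048) return false;   // keep the generated command bounded
    for (unsigned char c : url)
        if (!url_char_allowed(c)) return false;
    return true;
}

// Same input loop as the PoC above, but only URLs that pass the check are
// returned for loading; rejected lines are counted in *rejected.
std::vector<std::string> filter_urls(const std::vector<std::string>& lines,
                                     std::size_t* rejected) {
    std::vector<std::string> accepted;
    for (const std::string& line : lines) {
        if (is_safe_image_url(line)) accepted.push_back(line);
        else if (rejected) ++*rejected;
    }
    return accepted;
}

int main() {
    std::vector<std::string> lines;
    for (std::string line; std::getline(std::cin, line);) lines.push_back(line);
    std::size_t rejected = 0;
    for (const std::string& u : filter_urls(lines, &rejected))
        std::cout << "ok: " << u << '\n';   // hypothetical: img.assign(u.c_str())
    std::cerr << rejected << " line(s) rejected\n";
}
```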
References