Target from: CVE Network

Intermediate, Rootable

CVE-2019-1010174 / 0.0.0.0

Flags: 4 (2 system, env, root)
Services: 2
1,520 pts

This target is a direct implementation of CVE-2019-1010174 in the CImg Library v.2.3.3 and exists to assist in developing exploits for this vulnerability.

Description

The CImg Library v.2.3.3 and earlier is affected by a command injection vulnerability that can lead to remote code execution (RCE). The vulnerable code is in the load_network() function: loading an image from a user-controllable URL can lead to command injection, because the URL is passed into a shell command without any string sanitization.

Environment details

The system is accessible at 10.0.160.248 and runs a web server and a vulnerable binary built against CImg.

Flags can be obtained either by accessing the service on 375/tcp directly or through the web interface at http://10.0.160.248. Flags are in the usual places:

  • /root/ETSCTF
  • /etc/passwd gecos
  • /etc/shadow password hash
  • env variable
The source for the service listening on 375/tcp is the following:
// https://github.com/github/security-lab/tree/master/SecurityExploits/CImg
#undef cimg_display
#define cimg_display 0
#include "CImg.h"
using namespace cimg_library;
#include <iostream>
#include <string>

// To compile and run:
//
// g++ -I./CImg poc.c -o poc
// ./poc
//
// The note below is from the upstream PoC, which creates ~/CImg-RCE when run;
// this version reads image URLs from stdin instead, one per line, and hands
// each one to CImg unchanged.
// Notice that the file ~/CImg-RCE has now been created.

int main(int argc, char **argv) {
  CImg<> img;
  std::cout << "Provide image url: " << std::endl;
  for (std::string line; std::getline(std::cin, line);) {
    std::cout << line << std::endl;
    // assign(filename) calls load(); for an http:// or https:// string that
    // goes through load_network(), the function named in the CVE.
    img.assign(line.c_str());
  }
  return 0;
}
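
The pattern behind the CVE, as an added example that is not CImg's code, the upstream PoC, or the platform's service: a minimal reconstruction of a downloader command assembled from a caller-controlled URL, next to two hardened alternatives (strict validation of the URL, and executing the downloader without a shell). The wget invocation, the function names, and the sample URLs are assumptions made for this illustration; the string builder mimics the shape of the vulnerable pattern, not CImg's exact code, and the "bad" URL is a constructed input rather than a payload taken from the page.

```cpp
// Added example (not CImg's code): the unsafe "splice a URL into a shell
// command" pattern beside two hardened alternatives. kWgetPath, the function
// names and the sample URLs are assumptions made for this illustration.
#include <iostream>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

static const std::string kWgetPath = "wget";  // assumed downloader binary

// Unsafe pattern: the caller-controlled URL is pasted verbatim into a command
// line that is later handed to system(). Wrapping it in double quotes does not
// protect it: a '"' inside the URL ends the argument and the shell parses
// whatever follows as further commands.
std::string build_fetch_command_unsafe(const std::string &url,
                                       const std::string &local_path) {
    return kWgetPath + " -q -O \"" + local_path + "\" \"" + url + "\"";
}

// Mitigation 1: validate before use. Inside double quotes the shell still
// interprets '"', '$', '`', '\' and newlines; a raw URL never needs any of
// them, so an http(s) URL is accepted only if every byte is printable ASCII
// outside that set (spaces and non-ASCII bytes are rejected too).
bool is_safe_url(const std::string &url) {
    if (url.rfind("http://", 0) != 0 && url.rfind("https://", 0) != 0)
        return false;
    for (unsigned char c : url) {
        if (c < 0x21 || c > 0x7e) return false;  // space, control, DEL, non-ASCII
        if (c == '"' || c == '$' || c == '`' || c == '\\') return false;
    }
    return true;
}

// Mitigation 2 (preferred): never involve a shell. Build an argv array and exec
// the downloader directly, so every byte of the URL reaches wget as one literal
// argument no matter what it contains. "--" ends option parsing for
// getopt-style parsers, so a URL can never be mistaken for an option.
std::vector<std::string> build_fetch_argv(const std::string &url,
                                          const std::string &local_path) {
    return {kWgetPath, "-q", "-O", local_path, "--", url};
}

// Runs argv via fork/execvp (no shell) and returns the child's exit status, or
// -1 if fork/exec failed. Drop-in replacement for the system() call.
int run_argv(const std::vector<std::string> &argv) {
    std::vector<char *> cargv;
    for (const std::string &a : argv) cargv.push_back(const_cast<char *>(a.c_str()));
    cargv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(cargv[0], cargv.data()); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    // Constructed inputs: a benign URL and one that closes the quoted argument
    // and appends a second shell command.
    const std::string good = "http://10.0.160.248/image.jpg";
    const std::string bad  = "http://10.0.160.248/image.jpg\"; echo injected; \"";
    std::cout << "unsafe command: " << build_fetch_command_unsafe(bad, "/tmp/img") << '\n';
    std::cout << "is_safe_url(good) = " << is_safe_url(good) << '\n';
    std::cout << "is_safe_url(bad)  = " << is_safe_url(bad) << '\n';
    for (const std::string &a : build_fetch_argv(bad, "/tmp/img"))
        std::cout << "argv: " << a << '\n';  // the payload stays one literal argument
    return 0;
}
```

Build with `g++ -std=c++11 inject_demo.cpp -o inject_demo` and run it: the unsafe builder prints a command line in which the injected `echo injected` sits outside the quotes, while `build_fetch_argv` keeps the whole string as a single argv element. `is_safe_url` is a stop-gap for code that cannot drop the shell; `run_argv` is the fix that holds for any URL, because nothing ever re-parses the string.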