Target from: CVE Network

Intermediate, Rootable

CVE-2019-1010174 / 0.0.0.0

4: Flags (2:system, env, root)
2: Services
1,520 pts

#headshot
headshoter rating: advanced

Level 8 / Master Securitas

abdullahzamir / 237th Place

4: Flags found
2: Services discovered
1,520 pts
228 minutes

This is a target with direct implementation of the CVE-2019-1010174 for the CImg Library v.2.3.3 and is here to assist in developing exploits for this vulnerability.

Description

CImg The CImg Library v.2.3.3 and earlier is affected by a command injection vulnerability. This attack can lead to RCE. The vulnerable code can be found in the load_network() function. Loading an image from a user-controllable url can lead to command injection, because no string sanitization is done on the url.

Environment details

The system is accessible at 10.0.160.248 and runs a web server and a vulnerable binary utilizing CImg.

Flags can be obtained by either accessing directly the service 375/tcp or through the web interface at http://10.0.160.248. Flags can be found at the usual places:

  • /root/ETSCTF
  • /etc/passwd gecos
  • /etc/shadow password hash
  • env variable
The source for the service listening on 375/tcp is the following
// https://github.com/github/security-lab/tree/master/SecurityExploits/CImg
#undef cimg_display
#define cimg_display 0
#include "CImg.h"
using namespace cimg_library;
#include 
#include 

// To compile and run:
//
// g++ -I./CImg poc.c -o poc
// ./poc
//
// Notice that the file ~/CImg-RCE has now been created.

int main(int argc, char **argv) {
  CImg<> img;
  std::cout << "Provide image url: " << std::endl;
  for (std::string line; std::getline(std::cin, line);) {
        std::cout << line << std::endl;
        img.assign(line.c_str());
  }
  return 0;
}
        

References

Activity Stream

Latest activity on the platform

abdullahzamir managed to headshot [CVE-2019-1010174], 36 months ago
abdullahzamir Gained access to data stored in environmental variables of a server for 300 points, 36 months ago
abdullahzamir Got the ETSCTF flag under the /root folder of CVE-2019-1010174 for 600 points, 36 months ago
abdullahzamir Discovered the ETSCTF username flag under an authentication database file of a server for 400 points, 36 months ago
abdullahzamir Discovered the image fetching service of CVE-2019-1010174 for 10 points, 36 months ago
abdullahzamir Discovered the ETSCTF flag on gecos details of a target for 200 points, 36 months ago
abdullahzamir Discovered the web service of CVE-2019-1010174 for 10 points, 36 months ago