I did a ton of work on timthumb today. Download the latest version to get a whole lot of security and performance improvements and bugfixes. It’s available now.
Author: mark
-
What does the S&P's AAA to AA+ downgrade for the United States mean?
If you haven’t heard the news, S&P just downgraded us from AAA to AA+ and gave us a negative outlook to add insult to injury. But it’s not like we didn’t deserve it. In a democracy, people deserve the government they get. Remember that “We the people…” document? Well we the people just got a AA+.
It’s the first time the US has been downgraded since we received a triple-A rating from Moody’s in 1917 and a AAA from S&P in 1941.
Obama says “S&P’s analysis of the United States economy is deeply flawed.”. I think his chances of reelection just got deeply f***ed.
Keep an eye on treasury bond yields on Monday morning. There’s a tension between interest rates going up since they’re now technically more risky and the reflex flight to risk causing treasury buying that drives their rates down. It’ll be interesting to see whether fear or common sense prevail.
So what will happen going forward?
- Interest rates in this country are bound to rise long term because, what the government pays on debt is the base of all other interest rates in the country.
- Mortgage rates rising won’t help the housing market “recovery”. Less people will buy houses with the cost of borrowing becoming more expensive.
- With asset prices falling a few more banks will fail. Their debt to asset ratio will not meet the minimum requirements and the FDIC will show up on Friday afternoon and seize them.
- Expect to hear about the FDIC fund running short on cash and there to be a vocal debate about how to replenish it. Technically it’s an insurance policy that the banks fund and in normal times the government might just top it up. But what will probably happen as the fund gets depleted is that they will need to raise the rates they charge banks, which may make banking in this country more expensive for consumers and businesses.
- The latest budget debate made it very clear there will be no more trillion dollar bailouts. The good news is that at least this kills moral hazard (when bankers and execs are irresponsible because they know they’ll get bailed out.
- It gives us a reasonable facsimile of a free market. Even if you’re going to have to dodge the falling bodies on Wall St….
- The dollar will fall as foreign investors move to countries like the UK, Germany, France and Canada who all still have their AAA rating intact.
- Companies that rely on cheap foreign labor or resources will have to radically restructure their supply chains to survive and some might not be able to pull it off.
So where are the opportunities? Well I’ve said it before and I’ll say it again: “Gold prices will hit $1800 in September/October and $2200 or more by year end.“- Companies that export US goods or services will earn more as the dollar falls.
- Technology companies who are nimble, efficient and export services will do well.
- New innovators will replace incumbents who can’t readjust.
- We might get a new political party in the next half decade.
And for a laugh.. the Federal Reserve just announced that risk weightings for US government securities (how risky the government thinks it is) will remain unchanged:For risk-based capital purposes, the risk weights for Treasury securities and other securities issued or guaranteed by the U.S. government, government agencies, and government-sponsored entities will not change. The treatment of Treasury securities and other securities issued or guaranteed by the U.S. government, government agencies, and government-sponsored entities under other federal banking agency regulations, including, for example, the Federal Reserve Board’s Regulation W, will also be unaffected.And finally, lets hope that 500 point drop in the DOW this week was a leak that has now been fully priced into the market, or we’re in for an even bigger drop on Monday.
-
WordThumb is now TimThumb 2.0
On the suggestion of Matt Mullenweg (wordpress founder) Ben Gillbanks (timthumb author) and I have been working for the last day to merge my work on WordThumb into TimThumb 2.0.
That work is now complete and TimThumb 2.0 is now available for download from the TimThumb site.
I’m going to be working with Ben going forward to continue to have TimThumb be the easiest to use, fastest, most popular and most secure thumbnail script on the Web.
Here are a few enhancements in TimThumb 2.0:
- Includes the ability to take website screenshots if you have Xvfb and CutyCapt installed. (Instructions included how to do this)
- All filters and resizing can be applied to website screenshots.
- The cache directory is now secure and is still public for flexibility across platforms.
- TimThumb creates index files in your cache to prevent directory listings.
- Filenames are more randomized using data that a hacker doesn’t have access to, making it very hard to guess filenames in cache and access them.
- Cache files have a .txt extension which means the web server won’t execute them.
- All cached files have a fixed length record at the beginning which, if a web server tries to execute them, will be interpreted as PHP code and will cause an immediate exit.
- It includes file locking when files are created in cache to avoid conflicts.
- The entire code base has been rewritten and refactored for better code scaleability.
- Lots of other improvements.
So give it a whirl and if you have any suggestions or find any bugs, please file them on the TimThumb issues page. Thanks. -
WordThumb now uses a secure public cache for compatibility
UPDATE: WordThumb has now been merged into TimThumb and has become TimThumb 2.0. Please head over to the TimThumb site now for updates and to get the code.
The latest version of wordthumb (just uploaded) uses a public cache again (same place timthumb does) because many system temporary folders are not writeable.
This public cache is part of what caused the timthumb vulnerability, so I’ve made it more secure as follows:
- Using a .txt extension for all files so servers won’t execute the files when accessed.
- Using an md5 salt to prevent hackers knowing what filenames are to make things a little harder. On a badly configured server they could still get a directory index and access files that way.
- Added a <?php die(); ?> to the start of ever file cached. That way if a hacker manages to guess a filename and for some reason the server decides to execute a .txt file, as a last resort it will simply die.
-
WordThumb can now take screenshots of websites for you
UPDATE: WordThumb has now been merged into TimThumb and has become TimThumb 2.0. Please head over to the TimThumb site now for updates and to get the code.
Just for fun I added the ability to take screenshots of any website to WordThumb. You can even apply all the image manipulation and filters that it supports for regular images to a website screenshot.
The latest update also lets you block “hotlinking” where other websites display an image loaded from your server. That is mainly to prevent other sites using your WordThumb to generate thumbnails of websites.
Be warned, to use this you’re going to need root access to your own server. You’re also going to have to install a few basic tools, but I’ve included detailed installation instructions in the source where the configuration options are. I’ve also only tested this on Ubuntu Linux.
If you don’t have root on your machine or don’t want the feature, WordThumb is still fully backwards compatible with timthumb.php and the webshots feature is off by default. But if you like to experiment give it a whirl and let me know what you think.
The first screenshot takes a few seconds to load and then it’s cached for 24 hours (the default cache setting).
I have it running on this server, so here are a few screenshots of my favorite sites created and updated using WordThumb. You can click on one of these images and play with the URL and image width/height in the location bar to load different sites. My server is at about 80% load right now, so it will probably run faster on a less busy machine.
-
A secure rewrite of timthumb.php as WordThumb
Update 3 (Final): WordThumb has now been merged into TimThumb and has become TimThumb 2.0. Please head over to the TimThumb site now for updates and to get the code.
Update 2: WordThumb can now take screenshots of websites for you and turn them into thumbnails.
Update 1: Two minor bugs fixed and new minor version released. Thanks guys! You can post bugs directly on this page if you find any more.
I’ve done a full top to bottom rewrite of timthumb and forked the project as WordThumb. You can find it on Google Code with basic instructions on how to use it. Please report any bugs to me at mmaunder at gmail as soon as you can. The code is tested on Ubuntu Linux under Apache and works great.
The only code that is still original timthumb code is the image processing routines. Everything else has been rewritten from scratch. Here are the changes:
- Code is now object oriented PHP and is much more manageable and readable. It will still run just about anywhere.
- Fully backwards compatible with all timthumb’s options.
- Uses a non-web accessible directory as cache for security. By default it uses the system temporary directory. There is a config option to override this.
- All cached files have a .txt extension as an extra precaution.
- Cache cleaning has been rewritten to be faster and only run once a day (user configurable) with no contention between processes.
- ALLOW_EXTERNAL now works as expected. If disabled, you can’t load external files.
- mime type checking is improved. Previously files would be written to a web accessible cache before the mime check step. Now the furthest a non-image will get is a temporary file which fails a mime check and is deleted.
- Previously, the check_cache function created a directory with 777 permissions. That’s removed and we simply use the system temporary directory for everything cache related now.
- Writing images uses file locking now to avoid two processes writing to the same image file and corrupting it.
- We now use temporary files when fetching remote images rather than using the same filename we’re turning into a thumbnail. This avoids another process on a busy server thinking a file is a cached thumbnail and serving an unprocessed image accidentally.
- Fixed browser headers like accept-ranges.
- Improved error reporting.
- Added debug mode with tons of debug messages.
- Debug messages include benchmarking to see where slowdowns occur if any. (It’s very fast!)
- Cleaned up conflicting curl options like CURLOPT_FILE
- Added ability to disable browser caching for debugging
- Added clarity on curl timeout (many sites use php’s default fetching which doesn’t have a timeout)
-
Which al-Assad Would you Like?
President Bashar al-Assad of Syria has unleashed the rest of his tanks on Syrian protesters. Russia is warning that the country is veering towards all out civil war.
Besides being politically two faced, al-Assad has an unusually asymmetric face. So I thought I’d break out both faces and rejoin them into these:
-
Technical details and scripts of the WordPress Timthumb.php hack
UPDATE: WordThumb has now been merged into TimThumb and has become TimThumb 2.0. Please head over to the TimThumb site now for updates and to get the code.
As I mentioned yesterday my WordPress blog was hacked. The security hole has been picked up by hacker news and from there, The Register, ZDNet, PCWorld, and Geek.com among others. The publicity will hopefully get Theme developers to update timthumb.php or switch to a different thumbnail generator.
I’ve been contacted with requests for detailed info, so I’m going to post the technical details of how my site was hacked along with the scripts that the hacker used to get in. This is targeted at a technical audience.
The server that served you this web page is the one that was hacked. It runs Ubuntu 10.10 with all security updates installed. It is a virtual server hosted by Linode.
I also run the latest version of WordPress.org.
My WordPress root directory was writable, but making it read only would not have prevented the hack.
Timthumb.php in it’s default configuration allows site visitors to load images from a predefined set of remote websites for resizing and serving. Timthumb offers a caching mechanism so that it doesn’t have to continually re-process images. The cache directory lives under the wordpress root and is accessible by visitors to the website.
The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the cause of the vulnerability in timthumb.php.
To be clear, timthumb.php does not actually execute any remote malicious code that causes this vulnerability. This was a point of confusion among some commenters in my blog post yesterday. It simply gets a remote file and places it in a web accessible directory.
Timthumb only allows remote content from a small range of websites to be loaded remotely. In it’s default configuration these included Blogger, WordPress.com and other sites that are writeable by the general public.
Timthumb’s verification that remote content was only being loaded by these domains was also broken. You could for example load content from hackersiteblogspot.com or from blogspot.com.hackersite.com.
I’ve submitted a patch that fixes the pattern matching and removed all default public hosting sites from the allowed sites list. The developer has opted to keep a small list in which I’m not in favor of.
In my case the hacker uploaded a script to my cache directory which timthumb.php stores as “external_<md5 hash>.php”. He/she then accessed this script directly in my timthumb cache directory as something like https://markmaunder.com/wp-content/themes/Memoir/scripts/cache/external_md5hash.php
The script uploaded was Alucar shell which is base64 encoded and decodes when it executes. That makes it a little harder to find it using grep or similar tool. You can see the encoded version of Alucar here and the decoded version of Alucar here (without the username and password preamble at the top).
Here’s a screenshot of the UI:
This script which gives a web based shell access was then used to inject base64 code to one of my core wordpress files wp-blog-header.php which lives in the wordpress root directory. The file with injected code looked like this.
The decoded version of this base64 code is this. The code executes whenever a blog page is visited. It fetches a file from a URL and writes it to /tmp. Then it executes the php code that is contained in this file. In my case it simply echo’d some javascript code that would show ads. Here is the code contained in the file in /tmp.
Again, this file is periodically updated with new PHP code, so the attacker could have his way with my server until I found out about it. The code could be altered to instead become a spam system and work it’s way through a long list of spam emails.
The way I tracked this to conclusion was:
- Heard audio on my blog telling me I’d won something.
- Checked Chrome network tools and saw ad content loading and I don’t serve ads.
- Grepped wordpress source and themes for hostname I saw in ad. Nothing.
- Dumped mysql databases on server (all of them) and grepped for hostname. Nothing.
- Confusion reigns.
- Started working my way through nginx (which is my front end proxy to apache) and apache access and error logs.
- Spotted lines in apache error log like this: “[Mon Aug 01 11:09:12 2011] [error] [client 127.0.0.1] PHP Warning: file_get_contents(http://blogger.com.zoha.vn/db/load.php): failed to open stream: HTTP request failed! in /usr/local/markmaunder/wp-content/themes/Memoir/timthumb.php on line 675”
- Checked timthumb’s cache directory and found Alucar.
- Realized base64 encoding is why I didn’t find anything with grep.
- Regrepped wordpress source and database and found injection in wp-blog-header.php
- Decoded base64 stuff and played with Alucar
- Found tmp file in /tmp
- Cleaned everything and fixed permissions. Ran chkrootkit and other utils on machine to see if anything else was compromised. Changed passwords, etc.
-
Zero Day Vulnerability in many WordPress Themes
Update: WordThumb has now been merged into TimThumb and has become TimThumb 2.0. Please head over to the TimThumb site now for updates and to get the code.Update 4: I’ve also added the ability to screenshot websites to WordThumb.
Update 3: I have forked timthumb.php into a new secure thumbnailer project called WordThumb. It’s a complete rewrite of timthumb and is fully backwards compatible. The only code that is recognizable is the image processing code. All file handling has been rewritten from scratch and I’ve fixed quite a few bugs. The project is now live on Google Code and version 1.0 of WordThumb is up for download. You can read more details about the changes in this blog entry about WordThumb.
Update 2: After evaluating timthumb.php I’ve decided the best solution to the security problem is to fork the project and do a line-by-line rewrite. I started work on this a day ago and it will be published on this blog later today. (This was posted on Wednesday at 11am Pacific Time). Please check my blog’s home page this evening (in about 8 hours) and it should be done.
Update: Ben, the developer of timthumb has been in contact and is working on a fix. His own site was hacked Friday using the same method. I’ve submitted a tiny patch and if you’re a solid PHP hacker it’d be great if you could eyeball the code with us and submit a patch (really easy to do on Google code) if you spot any other opportunities for cleanup (there are many). Given enough eyeballs… you know the quote.
The Exec summary: An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty. The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory. I haven’t audited the rest of the code, so this may or may not fix all vulnerabilities. Also recursively grep your WordPress directory and subdirs for the base64_decode function and look out for long encoded strings to check if you’ve been compromised.
How to fix:
Update: As per several requests I’m posting hopefully easy to use instructions on how to fix this. This is for the latest version of timthumb.php version 1.33 available here. Check your version because there are many much older versions floating around.NOTE: timthumb.php is inherently insecure because it relies on being able to write files into a directory that is accessible by people visiting your website. That’s never a good idea. So if you want to be truly secure, just delete the file using “rm timthumb.php” and make sure it didn’t break anything in the theme you’re using. If you still want to use it but want to be a bit more secure, you can follow the instructions below.
This will disable timthumb.php’s ability to load images from external sites, but most bloggers only use timthumb.php for resizing local images:
- SSH into your web server. You can use “putty” if you use windows and you’ll need to know your username and password.
- cd into your wordpress installation directory. That is going to vary according to which host you’re using or how you’ve installed it.
- You need to find every copy of timthumb.php on your system. Use the following command without double quotes: ” find . -name ‘timthumb.php’ “
- It will show you a list of where timthumb.php is located. You may want to repeat this command using “thumb.php” as some users have reported that’s what it’s called on their systems.
- Edit timthumb.php using a text editor like pico, nano or (if you know what you’re doing) vim. You would type (without double quotes) ” nano directory/that/tim/thumb/is/in/timthumb.php ” for example.
- Go down to line 27 where it starts $allowedSites = array (
- Change it to remove all the sites listed like “blogger.com” and “flickr.com”. Once you’re done the line should look like this from $allowedSites to the semi-colon:
- $allowedSites = array();
- Note the empty parentheses.
- The next line should be blank and the following line will probably say “STOP MODIFYING HERE”
- That’s it. Save the file and you’re done.
Full post:
Earlier today this blog was hacked. I found out because I loaded a page on my blog and my blog spoke to me. It said “Congratulations, you’re a winner”.
After a brief WTF? I loaded up the dev tools in Chrome and checked what network requests were going out. Ad content was loading and I don’t run ads on my blog. For some reason the content was hidden, perhaps someone gets paid per impression.
I found the hostname the ads were loading from and grepped the WordPress code for the hostname and nothing turned up. Next I dumped the database – in fact all mysql databases on the server and grepped for the ad hostname and still nothing.
Eventually I found it. The hacker had done an eval(base64_decode(‘…long base64 encoded string’)) in one of WordPress PHP files. My bad for allowing that file to be writeable by the web server. Read on, because even if you set your file permissions correctly on the WordPress php files, you may still be vulnerable.
But what I really wanted to know was how the hell he wrote to a file on my machine.
I checked my nginx and apache access and error logs and eventually found a few PHP errors in the apache log that clued me in.
Turns out the theme I’m using, Memoir, which I bought for $30 from ElegantThemes.com uses a library called timthumb.php. timthumb.php uses a cache directory which lives under wp-content and it writes to that directory when it fetches an image and resizes it.
If you can figure out a way to get timthumb to fetch a php file and put it in that directory, you’re in.
The default configuration of timthumb.php which many themes use allow files to be remotely loaded and resized from the following domains:
$allowedSites = array ( 'flickr.com', 'picasa.com', 'blogger.com', 'wordpress.com', 'img.youtube.com', 'upload.wikimedia.org', 'photobucket.com', );
The problem is the way the developer checks which domain he’s fetching from. He uses the PHP strpos function and if the domain string appears anywhere in the hostname, he’ll allow that file to be fetched.
So if you create a file on a web server like so: http://blogger.com.somebadhackersite.com/badscript.php and tell timthumb.php to fetch it, it merrily fetches the file and puts it in the cache directory ready for execution.
[Note: I’m 99% sure this will work on most webserver configurations because the cache directory that timthumb uses is a subdirectory of directories that are allowed to execute files with a .php extension. So unless you explicitly tell your server to not execute .php files in the cache directory, it’ll execute them. ]
Then you just access the file in the cache directory on the target site using your web browser and whatever code came from http://blogger.com.somebadhackersite.com/badscript.php will get executed by the web server.
In my case, this is what the hacker saw when he accessed my site:
It’s called Alucar shell and it’s a php file that contains one massive base64 encoded string that gets decoded and evalled. It’s encoded in an attempt to hide itself.
When you first hit the script it presents you with a login page and once you’re signed in you see the screenshot above. It works quite well actually. Even if the rest of your filesystem is secure, whoever is using it can dump read-only files like /etc/passwd to get a list of user accounts, config files which may contain passwords, etc..etc..
The current version of timthumb has this issue. Since it’s already in the wild and I just got hacked by it, I figure it’s ok to release the vulnerability to the general public.
To check if you have been hacked do the following:
- Sign into your server using ssh
- cd to your wordpress installation directory
- run “grep -r base64_decode *”
- You should see a few occurences but if any of them have a long encoded string between the parentheses, then you’re probably hacked.
The hacker used base64_decode in the file uploaded to the timthumb.php cache directory as well as where he injected code in my blog.Also check your /tmp/ directory and if you have any suspicious files there like xwf.txt or any other .txt files, look at them in a text editor.How to (possibly) fix this:- Go into your theme directory and figure out where timthumb.php is.
- You might try “find /your/wordpress/dir/wp-content/themes/YourTheme/ -name “timthumb.php””
- Edit timthumb and remove the list of external websites that content is allowed to be loaded from.
- I have not audited the rest of the code, so this may or may not make it secure.
- The developer really needs to use a regular expression to check the external hostnames images can be loaded from.
I would also recommend that if you’re a theme developer using timthumb.php, you check to see how it’s configured and try to load a php file from blogger.com.yoursite.com to see if you’re vulnerable. -
In case you're having a rough Monday….
This will improve your day. Metric – Gold Guns Girls. Have an awesome week!!