srakajoomla.blogg.se

Pather repeaters dsync exploit

ExifTool 12.23 – Arbitrary Code Execution – (Privilege escalation) – CVE-2021-22204

ExifTool could allow a local attacker to execute arbitrary code on the system, caused by improper neutralization of user data in the DjVu file format. By using a specially-crafted image file, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Exiftool is a tool and library made in Perl that extracts metadata from almost any type of file. The vulnerability happens when Exiftool tries to parse the DjVu filetype, more specifically the annotations field in the file structure. To trigger the vulnerable function, we need to create a valid DjVu file that contains an annotation chunk with the payload that will be executed by the eval function as Perl code.

Using PSPY script, I noticed a script running quite often, /opt/image-exif.sh; before that script I see cron being executed, so I assume this is a scheduled task.

Reading the contents of /etc/crontab, I confirm this is a scheduled task.

I tried to read the file, and I had permissions.

Taking a look at the script, it does the following:

  • inspect jpg files located in /var/www/html/subrion/uploads.
  • it uses exiftool to read the file and store the EXIF data of each file in /opt/metadata.

As we verified that exiftool is vulnerable and that it runs against a folder we can write files to, we can upload a crafted JPG file so exiftool executes against it.

Basic POC

Create a file named payload, add the following code.

(OPTIONAL) Compress our payload file with to make it non human-readable.

# INFO = Anything in the format 'N,N' where N is a number
# BGjp = Expects a JPEG image, but we can use /dev/null to use nothing as background image
# ANTz = Will write the compressed annotation chunk with the input file
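
A defensive pre-filter for the scheduled-script setup described above, as an added example that is not part of the original write-up: it identifies each upload by its leading bytes instead of its extension and flags DjVu data carrying an annotation chunk (ANTa/ANTz) before any metadata tool touches it. The function names and sample bytes are constructed for illustration; the DjVu signature and IFF chunk layout come from the DjVu format itself.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
DJVU_MAGIC = b"AT&TFORM"              # DjVu is an IFF container prefixed with "AT&T"
ANNOTATION_IDS = {b"ANTa", b"ANTz"}   # plain and compressed annotation chunks

def djvu_chunk_ids(data, max_depth=4):
    """List IFF chunk IDs in DjVu bytes, descending into nested FORMs."""
    ids = []

    def walk(pos, end, depth):
        while pos + 8 <= end:
            cid = data[pos:pos + 4]
            (size,) = struct.unpack(">I", data[pos + 4:pos + 8])
            body, body_end = pos + 8, min(pos + 8 + size, end)
            ids.append(cid)
            if cid == b"FORM" and depth < max_depth:
                walk(body + 4, body_end, depth + 1)   # skip the 4-byte form type
            pos = body_end + (size & 1)               # chunks are padded to even length

    walk(4, len(data), 0)                             # skip the "AT&T" prefix
    return ids

def triage_upload(name, data):
    """Return 'ok', 'mismatch' or 'djvu-annotation' for one uploaded file."""
    lower = name.lower()
    if data.startswith(DJVU_MAGIC):
        if ANNOTATION_IDS & set(djvu_chunk_ids(data)):
            return "djvu-annotation"   # the chunk type named in the write-up
        return "ok" if lower.endswith((".djvu", ".djv")) else "mismatch"
    if lower.endswith((".jpg", ".jpeg")) and not data.startswith(JPEG_MAGIC):
        return "mismatch"
    return "ok"

def make_chunk(cid, body):
    """Build one IFF chunk (used only for the constructed samples below)."""
    return cid + struct.pack(">I", len(body)) + body + b"\x00" * (len(body) % 2)

# Constructed samples: a JPEG header stub and a benign DjVu skeleton.
SAMPLE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 8
SAMPLE_DJVU = b"AT&T" + make_chunk(
    b"FORM", b"DJVU" + make_chunk(b"INFO", b"\x00" * 10)
    + make_chunk(b"ANTa", b"(background #FFFFFF)"))

if __name__ == "__main__":
    for fname, blob in (("cat.jpg", SAMPLE_JPEG), ("dog.jpg", SAMPLE_DJVU)):
        print(fname, triage_upload(fname, blob))
```

Files that come back as `mismatch` or `djvu-annotation` are candidates for quarantine rather than for the metadata job, independent of upgrading ExifTool past the affected 12.23 release.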










