TimThumb Zero-Day Exploit

Damn you TimThumb! (angrily shakes fist at the screen)

If you weren't already warned that the TimThumb image-processing script is seriously damaging to the health of your website (see Tim Thumb is Evil), another serious vulnerability has been found in it.

A new zero-day vulnerability has been identified in the "Webshot" feature of the TimThumb script.

This feature is meant to take a snapshot image of a website URL. The URL supplied in the src parameter ends up inside a shell command that the script runs, and because the script's filtering does not remove $(...) command substitution, an attacker can execute arbitrary commands on your server as the web server user: adding, deleting or modifying any file that user can write, and more.

For example:

    http://mysite.com/wp-content/plugins/myplugin/timthumb.php?webshot=1&src=http://mysite.com/$(rm$IFS/tmp/code.php)

This request runs rm /tmp/code.php on the server, removing a file from the system temp directory (/tmp), not from a folder of the site. $IFS is the shell's internal field separator; it expands to whitespace, so it stands in for the space that the script's URL filter would otherwise strip out.

    http://mysite.com/wp-content/plugins/myplugin/timthumb.php?webshot=1&src=http://mysite.com/$(touch$IFS/tmp/code.php)

This request runs touch /tmp/code.php and creates a new, empty file in /tmp.

Pretty much any OS command the web server user is allowed to run can be executed this way, which makes this a remote command execution bug rather than a mere file-handling one, and very worrying.
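To show why the $(...) and $IFS trick works, here is an added example that is not TimThumb's own code: a constructed model of the Webshot bug in POSIX sh. A URL goes through a character whitelist that drops whitespace, then is pasted into a command string that the shell evaluates. The whitelist, the command line, the stubbed cutycapt function and the demo payload are all assumptions made for illustration, not the script's exact code.

```shell
#!/bin/sh
# Added example, not TimThumb's own code: a constructed model of the Webshot bug.
# A URL is run through a character whitelist that drops whitespace, then pasted
# into a shell command string that is evaluated. "cutycapt" is stubbed as a
# shell function so the example runs offline; the whitelist and command line
# are simplifications (assumption), not TimThumb's exact code.

# Stand-in for the screenshot tool: echoes the first argument it received so we
# can see exactly what reached it.
cutycapt() { printf '%s\n' "$1"; }

# Whitelist filter: keeps RFC 3986 URL characters and drops everything else,
# including spaces. Because $ ( ) survive, $(...) command substitution gets
# through; the space the attacker needs inside it is smuggled as $IFS, which
# the shell expands to whitespace.
sanitise_url() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._~:/?#@!$&()*+,;=-'
}

# Vulnerable pattern: the filtered URL is interpolated into a command string
# that the shell parses again, so the $(...) inside the URL executes.
webshot_vulnerable() {
    url=$(sanitise_url "$1")
    eval "cutycapt --url=\"$url\" --out=/dev/null"
}

# Hardened pattern: the URL is handed over as one argument and never re-parsed,
# so $(...) is plain text that reaches the tool unchanged.
webshot_safe() {
    url=$(sanitise_url "$1")
    cutycapt "--url=$url" --out=/dev/null
}

# Demo with the post's payload shape, pointed at a throwaway directory.
demo() {
    tmp=$(mktemp -d)
    payload="http://mysite.com/\$(touch\$IFS$tmp/code.php)"
    echo "vulnerable tool saw: $(webshot_vulnerable "$payload")"
    if [ -f "$tmp/code.php" ]; then
        echo "injected command ran: $tmp/code.php was created"
    fi
    rm -f "$tmp/code.php"
    echo "hardened tool saw:   $(webshot_safe "$payload")"
    if [ ! -f "$tmp/code.php" ]; then
        echo "no injection: $tmp/code.php was not created"
    fi
    rm -rf "$tmp"
}

demo
```

Run it with sh: the vulnerable path reports that the tool only saw http://mysite.com/ (the substitution ran and produced nothing) and that the file appeared, while the hardened path passes the literal $(touch$IFS...) text through and creates nothing. The lesson is the same in PHP: a character whitelist is not a defence against shell interpretation; keep user data out of shell strings or quote it as a single argument.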

Is Your Script Safe?

If you have the most recent version of the TimThumb script, the Webshot feature is disabled by default, and the vulnerable code path is only reachable when it is enabled.

However, as the script is usually bundled inside WordPress themes and plugins, you'll need to check every copy on your site to make sure.

You're looking for the following line in the script:

    define ('WEBSHOT_ENABLED', false);

If the constant above is set to true, your site is open to attack: set it to false and save the script.

Where Is The Script?

Good question. The script is distributed as timthumb.php, but themes and plugins often rename it; we've also seen it called thumb.php and tt.php.

The script is usually bundled in a WordPress (and other CMS’) theme or a plugin and may reside in a subfolder.

If you've got a VPS with SSH access, you can search for every copy of the script, whatever it is called, with the following command (the -l flag makes grep print the matching file name rather than just the matching line):

    find / -name '*.php' -exec grep -l WEBSHOT_ENABLED {} \;
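Putting the two checks above together (find every copy of the script, then see whether WEBSHOT_ENABLED is true and flip it to false), here is an added example script that is not part of the original post. It assumes the document root is passed as the first argument, identifies TimThumb copies by the WEBSHOT_ENABLED define rather than by file name, and builds a small constructed sample tree so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit a document root for
# TimThumb copies and neutralise the Webshot feature.
# Assumptions: copies are identified by the WEBSHOT_ENABLED define, the
# webroot path is passed as $1, and the sample tree below is constructed here.

# Print every PHP file under $1 that contains the WEBSHOT_ENABLED define,
# whatever the file is called (thumb.php, timthumb.php, tt.php, ...).
find_timthumb() {
    find "$1" -type f -name '*.php' -exec grep -l 'WEBSHOT_ENABLED' {} \;
}

# Print only the copies where Webshot is switched on (true/TRUE, with or
# without spaces around the parentheses and either quote style).
find_webshot_enabled() {
    find "$1" -type f -name '*.php' \
        -exec grep -liE "define *\( *['\"]WEBSHOT_ENABLED['\"] *, *true" {} \;
}

# Rewrite define('WEBSHOT_ENABLED', true) to false in one file. A temp file
# plus mv is used instead of sed -i, which differs between GNU and BSD sed.
disable_webshot() {
    f=$1
    sed "s/\(define *( *['\"]WEBSHOT_ENABLED['\"] *, *\)[Tt][Rr][Uu][Ee]/\1false/" "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Constructed sample webroot (assumption, for demonstration only): one copy
# with Webshot on, one with it off, and an unrelated PHP file.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/mytheme/inc" "$d/wp-content/plugins/myplugin"
    printf "<?php\ndefine ('WEBSHOT_ENABLED', true);\n" > "$d/wp-content/themes/mytheme/inc/thumb.php"
    printf "<?php\ndefine ('WEBSHOT_ENABLED', false);\n" > "$d/wp-content/plugins/myplugin/tt.php"
    printf "<?php\necho 'hello';\n" > "$d/wp-content/plugins/myplugin/other.php"
    printf '%s\n' "$d"
}

# Usage: sh audit_webshot.sh /var/www/html
if [ -n "${1:-}" ]; then
    find_webshot_enabled "$1" | while read -r f; do
        disable_webshot "$f" && echo "disabled Webshot in $f"
    done
fi
```

Run it against your real document root to list and fix every enabled copy in one pass. Disabling Webshot closes this particular hole; it does not make the script safe, so treat it as a stopgap until the script is removed.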

Limitations

The most recent (v2.8.11+) versions of the script check that two programs exist on the server before the Webshot feature can be used.

These are CutyCapt (the headless browser that renders the page) and Xvfb (the X virtual framebuffer it runs in).

If these are not installed, the Webshot request fails before the command is run, which limits your risk; however, we still recommend searching for and disabling the Webshot feature in every TimThumb copy you find on your site.

Considering the number of issues and exploits found in this script, it should not be used at all: remove it from your sites completely.
