TimThumb Vulnerability in a Nutshell

The TimThumb image resizing utility has been found vulnerable by allowing the remote execution of arbitrary code. TimThumb is widely used by many WordPress themes, both commercial and free, and this vulnerability is expected to have a great impact, since the script name returns 84 million results on Google searches alone.

TimThumb was created by Ben Gillbanks, who, after discovering the vulnerability – and after Matt Mullenweg (WordPress founder) suggested it – joined forces with Mark Maunder (WordThumb author). They created TimThumb 2, a complete rewrite of the original code, having security in mind, whilst adding the extra features WordThumb already had. It is now highly advisable to upgrade to the newer version. Authors claim that, although a rewrite, it is fully backwards compatible.


The Vulnerability Exploitation

The TimThumb vulnerability allowed third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. This exploitation was made possible by the following security flaws in the implementation of the utility features:


External Domains Whitelisting

TimThumb is able to download and resize images from sources outside the hosted domain, such as Flickr, YouTube etc. Although there was a whitelist of domains implemented, the validation mechanism had a flaw: it was checking if the domain string was in the whitelist, but only partially. In this case, “wordpress.com.badguydomain.com” would be validated as a whitelisted external domain.

The newer version resolves this by altering the whitelisting mechanism to use regular expressions, thus enforcing the whitelisted domain to be on the end of the string.


File Type Check

TimThumb followed the “garbage in, garbage out” logic on the file validity matter. If a file was corrupted (maybe because it was not an image) after the conversion failure, no further actions would take place. That would allow an attacker to upload any file on the target server; usually one containing arbitrary PHP code.

Fixing the utility required two procedural steps to be implemented: (a) checking the MIME type of the file (actually being an image) and, in case it is faked, (b) checking the file extension being an image, and thus non-executable by the server. Furthermore, some additional measures have been taken: (a) file names are obfuscated using the server path as seed, and (b) all files are given a text (.txt) extension for being non-executable by the server by default.


Caching Store

The files that are (to be) processed by TimThumb are cached. The problem was that they were cached on a publicly available directory, usually on the same path the timthumb.php file existed. That would enable any attacker that uploaded an executable file have the server execute it, just by accessing it on their browser.

To prevent this on the newer versions of the utility, the caching store has been moved to the /tmp directory of the server, which, except for a few very bad configurations, it is not publicly available, and it does not allow execution.


Exploitation Detection

Unfortunately, both TimThumb authors found about the vulnerability the same way the one writing this article did: the hard way. Their websites, as well as mine, have been compromised by the exploitation of the vulnerability. Unless the attack resulted in a deface or a wipe-off, the following list may tip from the client side on a successful exploitation:

  • Loading of non requested ads
  • Random redirects to other sites
  • Google flagging the site as dangerous
  • Altering of content

Moreover, one may use Firebug, or any other network inspector, to index and assess the sources of a website’s assets. Of course, the use of online services that scan sites for this and other vulnerabilities or exploitation evidence may also be advised. WebsiteDefender is among the most trusted services; and it seems promising.

On the server side, indicators of a compromised site are:

  • PHP base64* functions encoding the exploitation payload
  • JavaScript String.fromCharCode function again for decoding the exploitation payload
  • Both PHP and JavaScript eval function to execute the payload, on server or client side respectively

The grep utility may prove itself handy on this situations: e.g. grep -R base64 * . Unfortunately, every occurrence has to be assessed for its validity by a human.

Now, for restoring a compromised website, the best approach is to restore a backup. Alternatively, all foreign code has to be tracked down manually and be removed, usually by using the Crossed-Fingers™ methodology. In such a case, it would would help to compare the entire installation to a fresh one using the diff tool, e.g. diff -R compromised_installation/ fresh_installation/ .


Upgrade Paths

The concept for the upgrade is quite simple: replace the timthumb.php with the newest version and delete its cache directory which is usually found in the same place as the executable. For those who fear making mistakes, WordPress plugins exist to facilitate the procedure, like Timthumb Vulnerability Scanner, which works by clicking its one button.

For a mass replacement, something like the following script will aid by executing it in the parent directory of all installations (probably with root access):
wget -O /tmp/timthumb.php http://timthumb.googlecode.com/svn/trunk/timthumb.php
find . -name timthumb.php -exec /bin/sh -c "echo patching {} && cat /tmp/timthumb.php > {}"
rm /tmp/timthumb.php

The script above will find all TimThumb instances under the current path and will replace them with the newest version. Please note, that instances of the script may exist under different file names, like thumb.php, but those or extended versions of it may be modified. Therefore, an upgrade path should be requested by the theme providers.


And my 2¢.

TimThumb’s vulnerability is just the tip of the iceberg; certain views imply that, in whole, security is currently modeled as an action/feedback continuum, and constant devotion of time is required to achieve satisfying levels of certainty. My belief is that, since the requirement of resources is so vast, in order to optimize the process, the distribution of the burden is the route to take.

One of the best methods that seems to work well is the use of free software business models; or the interpretation at the micro level could be users’ bug reporting. From a cost-based perspective, one could outsource almost everything except the core business. In the TimThumb example, because of its free software business model, not only has a feature complete rewrite (complete feature rewrite) been crafted in no time, but users have been contributing their reviews and propositions in bug reports. In addition, respected theme vendors like ElegantThemes and WooThemes, have timely updated their software and notified their client base about the issue. If TimThumb was not an open source script, the amount of time needed to discover and amend the issue would be much longer.

About the author

Nikolaos Anastopoulos

Nikos is an IT consultant providing professional services with broad experience on data analysis, data migration and web development. Being part of the Moneytized team, Nikos migrates his expertise on Information Technology with Internet marketing, resulting in high quality Internet implementations. More on his profile.

Leave a Comment