
GIMP Scriptfu Python Command Execution Vulnerability

Summary

There is an arbitrary command execution vulnerability in the scriptfu network server console in the GIMP 2.6 branch. It is possible to use a python scriptfu command to run arbitrary operating-system commands and potentially take full control of the host.

  • CVE number: CVE-2012-4245
  • Vendor homepage: http://www.gimp.org/
  • Vendor notified: 9/8/2012

About ReactionIS

Reaction Information Security is a leading independent pen test consultancy specialising in delivering the highest quality services including network pen testing and web application security testing. As a CESG CHECK Service Provider we are authorised to carry out penetration testing on classified government networks.

Affected Products

GIMP 2.6 branch (Windows or Linux builds)

Non-Affected Products

The Scriptfu network server component does not currently work in the GIMP 2.8 branch (Windows or Linux builds).

Details

There is an arbitrary command execution vulnerability in the scriptfu network server console in the GIMP 2.6 branch. It is possible to use a python scriptfu command to run arbitrary operating-system commands and potentially take full control of the host. The following command will write "foo" to "/tmp/owned":

(python-fu-eval 0 "file = open('/tmp/owned','w')\nfile.write('foo')")

Impact

Successful exploitation of the vulnerability may result in remote command execution.

Solution

No solution has been implemented at this stage apart from the workaround below.

Workaround

Do not enable the scriptfu network server. The GIMP development team have stated that this component was not designed with security in mind and therefore should not be used in production environments.
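To verify that the workaround above holds on a host, a defender can check whether a Script-Fu server process is listening at all, and if so whether it is bound to a loopback or a network-facing address. The following is an added example written for this page, not code from the advisory or from the GIMP project. It parses `ss -ltnp`-style output; the sample output is constructed, the process name `script-fu`, the listener port 10000 and the `users:(("name",pid=N,fd=M))` column format are assumptions and are not stated in the advisory.

```python
import re

# Constructed sample of `ss -ltnp` output (not captured from a real host).
# It contains one assumed Script-Fu server bound to all interfaces, one bound
# to loopback, and two unrelated listeners.  Port 10000 is an assumption;
# the advisory does not name a port.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:10000       0.0.0.0:*     users:(("script-fu",pid=4242,fd=7))
LISTEN 0      128        127.0.0.1:631         0.0.0.0:*     users:(("cupsd",pid=800,fd=5))
LISTEN 0      5          127.0.0.1:10001       0.0.0.0:*     users:(("script-fu",pid=4243,fd=7))
LISTEN 0      128             [::]:22             [::]:*     users:(("sshd",pid=650,fd=3))
"""

# One LISTEN row: state, queues, local addr:port, peer addr:port, then the
# first process entry of the `users:` column (assumed `-p` output format).
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+?):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

LOOPBACK_ADDRS = {"127.0.0.1", "[::1]", "::1"}
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}
# Ordering used to summarise the worst finding on a host.
EXPOSURE_RANK = {"none": 0, "loopback": 1, "specific-interface": 2, "all-interfaces": 3}


def classify_bind(addr):
    """Map a bind address to how reachable the listener is."""
    if addr in LOOPBACK_ADDRS:
        return "loopback"
    if addr in WILDCARD_ADDRS:
        return "all-interfaces"
    return "specific-interface"


def find_scriptfu_listeners(ss_output, proc_name="script-fu"):
    """Return every listening socket owned by the given process name.

    Each finding records the PID, port, bind address and an exposure class,
    so the result can feed a compliance check for the advisory's workaround.
    """
    findings = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m or m.group("proc") != proc_name:
            continue
        findings.append({
            "pid": int(m.group("pid")),
            "port": int(m.group("port")),
            "addr": m.group("addr"),
            "exposure": classify_bind(m.group("addr")),
        })
    return findings


def worst_exposure(findings):
    """Summarise a list of findings as the single most exposed bind class."""
    if not findings:
        return "none"
    return max((f["exposure"] for f in findings), key=EXPOSURE_RANK.__getitem__)


if __name__ == "__main__":
    # Stand-alone run against the constructed sample; on a real host pipe in
    # `ss -ltnp` output instead.
    results = find_scriptfu_listeners(SAMPLE_SS_OUTPUT)
    for r in results:
        print(f"pid={r['pid']} port={r['port']} bind={r['addr']} exposure={r['exposure']}")
    print("worst exposure:", worst_exposure(results))
```

Any finding at all contradicts the workaround, since the advisory's recommendation is not to enable the server; an `all-interfaces` result is the case to treat as urgent, because the command-execution primitive is then reachable from the network rather than only from local processes.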

Distribution

In addition to posting on the website, a text version of this notice has been posted to the following e-mail and Usenet news recipients.

  • bugtraq () securityfocus com
  • full-disclosure () lists grok org uk

Future updates of this advisory, if any, will be placed on the ReactionIS corporate website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the current page for any updates.
