00 Preface
What is ImageMagick?
ImageMagick is a powerful open-source graphics processing suite that can read, write, and process more than 90 image file formats, including the popular JPEG, GIF, PNG, PDF, and PhotoCD formats. It can crop, rotate, composite, and apply many other effects to images.
Because of its rich functionality, good performance, and bindings for many languages, it is widely used in application development. Many web developers rely on ImageMagick for server-side image processing such as generating user avatars and editing uploaded images.
01 Description of vulnerability
ImageMagick is an open-source image processing library with bindings for PHP, Ruby, Node.js, Python, and other languages, and it is very widely deployed. Several image processing plug-ins, including PHP Imagick, Ruby RMagick and Paperclip, and the Node.js imagemagick module, depend on it. When an attacker supplies a crafted image, the ImageMagick library handles the HTTPS delegate input improperly and without filtering, which allows remote command execution and potentially full control of the server.
02 Degree of Influence
Attack Cost: Low
Degree of harm: high
Impact range: ImageMagick 6.9.3-9 and all earlier versions
03 Vulnerability Analysis
The command execution vulnerability lies in how ImageMagick processes files referenced in HTTPS form.
ImageMagick supports so many file formats because it has many image processing libraries built in. ImageMagick calls each of these libraries a "delegate"; each delegate corresponds to one file format, and the external library is invoked through the system() function. In other words, calling an external library means running a command string through system(), and that command string is where the injection happens.
The default configuration file for ImageMagick delegates is /etc/imagemagick/delegates.xml.
For the exact code, see the ImageMagick repository on GitHub.
Look at the HTTPS delegate line:
<delegate decode="https" command="&quot;wget&quot; -q -O &quot;%o&quot; &quot;https:%m&quot;"/>
As you can see, the command attribute defines the command string that is passed to system() for HTTPS file processing: "wget" -q -O "%o" "https:%m".
wget is the command that downloads a file from the network, and %m is a placeholder. The placeholders are defined in the configuration file as follows:
%i input image filename
%o output image filename
%u unique temporary filename
%Z unique temporary filename
%# input image signature
%b image file size
%c input image comment
%g image geometry
%h image rows (height)
%k input image number of colors
%l image label
%m input image format
%p page number
%q input image depth
%s scene number
%w image columns (width)
%x input image x resolution
%y input image y resolution
You can see that %m is defined as the format of the input image, which here is the URL we supplied. Because the value is simply concatenated into the command string without any filtering, we can close the surrounding quotation mark and use characters such as "|", "'" and "&" to chain in other commands, which is a command injection.
For example, if we pass in the following value:
https://test.com"|ls "-al
the command actually executed by the system() function is:
"wget" -q -O "%o" "https://test.com"|ls "-al"
so the ls -al command runs successfully.
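To make the string-concatenation problem concrete from the defender's side, the following Python script is an added example (not code from the page or from ImageMagick). It reproduces the delegate template shown above with plain text substitution, tokenises the result the way a POSIX shell would so the injected "|" becomes visible as an operator, and contrasts it with an argument-vector form that never goes through a shell. The output file name, the validation character set and the hostile sample value are constructed for the example.

```python
import shlex

# The HTTPS delegate command template as shown on this page (%o = output file, %m = input format/URL).
DELEGATE_TEMPLATE = '"wget" -q -O "%o" "https:%m"'

# Characters that let a substituted value close its quotes or chain another command (constructed list).
SHELL_METACHARS = set('"\'|;&`$<>()\n')


def build_command_unsafe(output_file, fmt, template=DELEGATE_TEMPLATE):
    """Vulnerable form: plain text substitution into a string that is later handed to system()."""
    return template.replace("%o", output_file).replace("%m", fmt)


def shell_view(command):
    """Tokenise a command string the way a POSIX shell would, so '|' shows up as its own operator."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def contains_shell_metachars(value):
    """Validation check: reject any delegate parameter that could terminate the quoting."""
    return any(ch in SHELL_METACHARS for ch in value)


def build_argv_safe(output_file, fmt):
    """Hardened form: an argument vector for subprocess.run(argv) with no shell involved,
    so quotes and pipes inside fmt stay bytes of one argument and never become operators."""
    if contains_shell_metachars(fmt):
        raise ValueError("refusing delegate parameter with shell metacharacters: %r" % fmt)
    return ["wget", "-q", "-O", output_file, "https:" + fmt]


if __name__ == "__main__":
    # Constructed hostile value, equivalent to the page's https://test.com"|ls "-al input.
    hostile = '//test.com"|ls "-al'
    cmd = build_command_unsafe("out.png", hostile)
    print("system() receives:", cmd)
    print("shell sees tokens:", shell_view(cmd))
    try:
        build_argv_safe("out.png", hostile)
    except ValueError as err:
        print("blocked:", err)
    print("argv for a benign value:", build_argv_safe("out.png", "//test.com/image.jpg"))
```

The tokenised view is the whole story of the bug: once the value's own quote closes the template's quote, everything after "|" is a second command, and no amount of escaping inside the template fixes that. Passing an argument list to the process API instead of a string to system() removes the shell from the path entirely.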
04 Vulnerability Utilization
The public proof of concept for this vulnerability, published by a foreign researcher, is as follows:
push graphic-context
viewbox 0 0 640
fill 'url(https://"|id; ")'
pop graphic-context
push and pop are stack operations: one pushes a graphic context onto the stack and the other pops it off.
viewbox sets the size of the SVG visible area, which can be thought of as the stage or canvas size; in simple terms, it selects a region of the picture according to the parameters that follow.
fill url() fills the current element with the referenced image.
Here we use fill url() to reach the vulnerable HTTPS delegate, so the vulnerability is triggered as soon as ImageMagick processes the file.
Note: ImageMagick supports an image format called MVG. Like SVG, MVG stores the contents of a vector drawing as text and can make ImageMagick load other delegates (for example the vulnerable HTTPS delegate). During processing ImageMagick identifies the format automatically from the file contents rather than from the extension, so the file can be given a PNG, JPG or other extension that a site allows for upload, which greatly increases the scenarios in which the vulnerability can be exploited.
Exploitation steps:
Create a file exploit.png with the following content:
push graphic-context
viewbox 0 0 640
fill 'url(https://test.com/image.jpg"|ls "-al)'
pop graphic-context
Run the command: convert exploit.png 1.png (followed by any convert parameters)
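The note above is the reason an extension check alone does not protect an upload endpoint: ImageMagick decides the format from the bytes, so a text MVG file named .png is still processed as MVG. The following Python upload check is an added example (not the page's or ImageMagick's code) that does the same thing a defender should do: identify the real format from the leading bytes, refuse files whose content does not match the claimed extension, and refuse text-based vector content that reaches a delegate. The magic-byte table, the trigger pattern and the two sample files are constructed for the example.

```python
import re

# Magic bytes of the raster formats an avatar upload is expected to accept (constructed table).
MAGIC_BYTES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Text constructs from the page's MVG sample that hand control to an ImageMagick delegate:
# the graphic-context directive, url(), and the scheme/coder prefixes. Constructed pattern, not an official list.
DELEGATE_TRIGGER = re.compile(
    rb"(push\s+graphic-context|url\s*\(|\b(https?|ftp|mvg|msl|ephemeral)\s*:)", re.IGNORECASE
)


def sniff_format(data):
    """Identify the real format from leading bytes rather than from the file name."""
    for fmt, magic in MAGIC_BYTES.items():
        if data.startswith(magic):
            return fmt
    if DELEGATE_TRIGGER.search(data[:4096]):
        return "vector-text"
    return "unknown"


def check_upload(filename, data):
    """Return 'accept' or a 'reject: ...' reason for an uploaded image."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in MAGIC_BYTES:
        return "reject: extension not allowed"
    actual = sniff_format(data)
    if actual == "vector-text":
        return "reject: text-based image with delegate directives"
    if actual != ext:
        return "reject: content (%s) does not match extension (%s)" % (actual, ext)
    return "accept"


# Constructed samples: a benign-looking MVG file that still reaches the HTTPS delegate, and a minimal PNG header.
MVG_SAMPLE = (
    b"push graphic-context\n"
    b"viewbox 0 0 640 480\n"
    b"fill 'url(https://example.invalid/image.jpg)'\n"
    b"pop graphic-context\n"
)
PNG_SAMPLE = MAGIC_BYTES["png"] + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("exploit.png", MVG_SAMPLE), ("avatar.png", PNG_SAMPLE), ("avatar.jpg", PNG_SAMPLE), ("drawing.svg", PNG_SAMPLE)]:
        print(name, "->", check_upload(name, blob))
```

The content check fires on any url() or scheme prefix, not only on the injected quote and pipe, because the defender's question is "can this file make ImageMagick call a delegate at all", not "does it contain a known payload". Keeping the check in the application is still a complement to, not a replacement for, the policy.xml fix in the next section.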
05 Vulnerability Fixes
Upgrade to the latest version.
Configure /etc/imagemagick/policy.xml to disable the HTTPS, MVG and related coders, or remove the corresponding delegates from the delegate configuration file directly:
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
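A policy file that is present but incomplete gives no protection, so it is worth verifying the deployed policy.xml rather than assuming it. The following Python checker is an added example (not the page's or ImageMagick's code): it parses a policy.xml, collects every coder pattern whose rights are set to none, and reports which of the five coders listed above are still allowed. The two embedded policies are constructed for the example; the command-line path argument is an assumption about how a practitioner would run it.

```python
import sys
import xml.etree.ElementTree as ET

# Coders the fix section says to disable; compared case-insensitively because pattern case varies between files.
REQUIRED_DISABLED = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}


def disabled_coders(policy_xml):
    """Set of coder patterns (upper-cased) that the policy denies all rights to."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for policy in root.iter("policy"):
        if policy.get("domain", "").lower() == "coder" and policy.get("rights", "").lower() == "none":
            denied.add(policy.get("pattern", "").upper())
    return denied


def missing_coder_blocks(policy_xml, required=REQUIRED_DISABLED):
    """Sorted list of required coder patterns that the policy does NOT block (empty means hardened)."""
    return sorted(set(required) - disabled_coders(policy_xml))


# Constructed policies: one that only blocks EPHEMERAL, and the hardened one from the fix section.
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

if __name__ == "__main__":
    # Assumed usage: python check_policy.py /etc/imagemagick/policy.xml (falls back to the weak sample).
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = WEAK_POLICY
    gaps = missing_coder_blocks(xml_text)
    print("all required coders blocked" if not gaps else "still allowed: " + ", ".join(gaps))
```

Matching on the coder domain with rights="none" mirrors what the fix above configures; a policy that grants only read or write rights to one of these coders is reported as still allowed, which is the conservative answer for this vulnerability.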
That is our introduction to the ImageMagick command execution vulnerability; we hope it helps. If you have any questions, please leave a message and we will reply promptly. Thanks also to the Cloud Habitat Community website for its support!