ImageMagick is a powerful open-source graphics processing suite that can read, write, and process over 90 image file formats, including the popular JPEG, GIF, PNG, PDF, and PhotoCD formats. In this article we take a look at the ImageMagick command execution vulnerability.
00 preface
What is ImageMagick?
ImageMagick is a powerful open-source graphics processing suite that can read, write, and process over 90 image file formats, including the popular JPEG, GIF, PNG, PDF, and PhotoCD formats. It can cut, rotate, and combine images and apply various special effects.
It is widely used in software development because of its rich functionality, good performance, and bindings for many languages. Many web developers use ImageMagick extensions to process images on their sites, for example to generate user avatars or edit uploaded images.
01 vulnerability description
ImageMagick is an open-source image processing library with bindings for PHP, Ruby, NodeJS, Python, and other languages, and it is widely deployed. Multiple image processing extensions, including PHP imagick, Ruby rmagick, paperclip, and NodeJS imagemagick, depend on it. When an attacker constructs an image containing malicious content, the ImageMagick library does not handle https references safely and performs no filtering, so the attacker can remotely execute commands and take control of the server.
02 extent of impact
Attack Cost: low
Hazard level: High
Impact scope: all versions earlier than ImageMagick 6.9.3-9
03 vulnerability analysis
The command execution vulnerability occurs when ImageMagick processes https files.
ImageMagick supports so many file formats because it relies on many external image processing libraries. ImageMagick calls these external handlers "Delegates". Each Delegate corresponds to one file format, and ImageMagick invokes the external program for that format through the system() function. Because the external program is run as a shell command, attacker-controlled input that reaches that command line can be executed as part of it.
ImageMagick's default delegate configuration file: /etc/ImageMagick/delegates.xml
For specific code, refer to: Github-ImageMagick
Locate the line for the https delegate:
<delegate decode="https" command="&quot;wget&quot; -q -O &quot;%o&quot; &quot;https:%M&quot;"/>
As you can see, this entry defines the command that is passed to the system() function when an https file is processed: "wget" -q -O "%o" "https:%M".
wget is a command for downloading files from the network, and %M is a placeholder. The placeholders are defined in the configuration file as follows:
%i input image filename
%o output image filename
%u unique temporary filename
%Z unique temporary filename
%# input image signature
%b image file size
%c input image comment
%g image geometry
%h image rows (height)
%k input image number colors
%l image label
%m input image format
%p page number
%q input image depth
%s scene number
%w image columns (width)
%x input image x resolution
%y input image y resolution
We can see that %m is defined as the input image format, that is, the URL address we supply. Because the value is simply concatenated into the command string without any filtering, it is spliced directly into the shell command. Therefore, an attacker can close the quotation marks and use "|", "'", "&" and similar shell metacharacters to form a command injection.
For example, if the following value is passed in:
https://test.com"|ls "-al
the command actually executed by the system() function is:
"wget" -q -O "%o" "https://test.com"|ls "-al"
In this way, the ls -al command is executed.
04 vulnerability exploitation
The PoC published by foreign researchers is as follows:
push graphic-context
viewbox 0 0 640 480
fill 'url(https://"|id; ")'
pop graphic-context
push and pop are stack operations: one pushes a graphic context onto the stack and the other pops it off;
viewbox indicates the size of the visible area of the SVG, which can be thought of as the stage or canvas size. Put simply, it selects a region of the image according to the parameters that follow;
fill url() fills the current element with the referenced image;
In this example, fill url() is used to invoke the vulnerable https delegate. When ImageMagick processes the file, the vulnerability is triggered.
Note: ImageMagick supports an image format by default called MVG. MVG is similar to the SVG format in that the content of a vector image is written as text, and it can load other ImageMagick delegates, for example the vulnerable https delegate. In addition, ImageMagick detects the image format from the file's content rather than its extension. That is to say, a file whose extension is png, jpg, or another format allowed for upload can still carry MVG content, which greatly increases the exploitability of the vulnerability.
Exploitation process:
Create an exploit.png file with the following content:
push graphic-context
viewbox 0 0 640 480
fill 'url(https://test.com/image.jpg"|ls "-al)'
pop graphic-context
Run the command: convert exploit.png 1.png (the convert parameters are shown below)
05 vulnerability repair
Upgrade to the latest version.
Configure /etc/ImageMagick/policy.xml to disable the https and mvg coders, or directly delete the corresponding delegate entries from delegates.xml.
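Because ImageMagick sniffs the file content rather than trusting the extension (see the note above), an upload filter that checks the extension alone does not help. The following added example (not part of the original article) is a defence-in-depth check an application can run before handing an upload to ImageMagick: it verifies that the bytes match the declared raster format and rejects MVG/SVG directives or delegate URLs followed by shell metacharacters. The signature table and sample files are constructed for this example.

```python
import re
from typing import Tuple

# Well-known magic bytes for the raster formats the article says uploads are
# usually restricted to (constructed table, not exhaustive).
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# MVG/SVG vector directives that must never appear in a raster upload.
# ImageMagick would otherwise parse an "exploit.png" holding this text as MVG.
MVG_MARKERS = re.compile(
    rb"(push\s+graphic-context|viewbox\s+\d|fill\s+'?url\()", re.IGNORECASE
)
# A delegate-style URL followed by a quote or shell metacharacter is the shape
# of the injection into the "wget ... https:%M" delegate command.
INJECTION = re.compile(rb"https?:[^)\s]*[\"'`|;&$]", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an upload before ImageMagick sees it."""
    head = data[:4096]  # directives and URLs sit at the start of an MVG file
    if MVG_MARKERS.search(head):
        return False, "MVG/SVG directives found in raster upload"
    if INJECTION.search(head):
        return False, "URL followed by shell metacharacter"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sigs = MAGIC.get(ext)
    if sigs is None:
        return False, "extension .%s not allowed" % (ext or "?")
    if not any(data.startswith(s) for s in sigs):
        return False, "content does not match %s signature" % ext
    return True, "ok"


# Constructed samples: the article's PoC saved as exploit.png, and a real PNG header.
SAMPLES = {
    "exploit.png": (b"push graphic-context\nviewbox 0 0 640 480\n"
                    b"fill 'url(https://test.com/image.jpg\"|ls \"-al)'\n"
                    b"pop graphic-context\n"),
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_upload(name, blob))
```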
The above describes the ImageMagick command execution vulnerability. I hope it helps you. If you have any questions, please leave a message and I will reply promptly. Thank you for your support of the Script Home website!