Exploit inspired by notorious ‘ImageTragick’ bug from 2016

UPDATED A security researcher discovered fresh flaws in open source image converter ImageMagick during the process of exploring an earlier vulnerability dating back four years.

Alex Inführ (@insertScript) discovered his own shell injection vulnerability related to the parsing of PDF files by ImageMagick while investigating ‘ImageTragick’, a set of vulnerabilities discovered in 2016.

Before it was resolved, ImageTragick provided a mechanism to execute shell commands via a maliciously crafted image. The historical flaw also offered a means to read local files.

The vendor of the widely used image conversion utility developed fixes for the problem just days after it was reported to it by Inführ on November 16.

This allowed the researcher to safely document his findings in a technical blog post, published on Saturday (November 21).

To protect against the vulnerability, users should upgrade to recently released patched versions (7.0.10-40 or 6.9.11-40) of ImageMagick.

Practical Magick

The open source ImageMagick software supports many different file formats, including PDFs.

Inführ found that an attacker could inject shell commands through the -authenticate command line parameter, because the software fails to correctly escape its value.

A user ordinarily has little control over this parameter, so the bug would be hard to exploit by itself.

In order to overcome this obstacle to exploitation, Inführ chained the insecure behavior with an MSL file in order to manipulate the insecure parameter.


MSL (Magick Scripting Language) is ImageMagick's own scripting file format. Inführ created a polyglot SVG and MSL file containing exploit commands.

Any user who uploads the polyglot SVG/MSL file, likely presented as a simple SVG file, and tries to convert it to another file format using a vulnerable version and configuration of ImageMagick will have their system compromised.

However, even then exploitation is contingent on use of a vulnerable PDF parsing library.

Barriers to entry

ImageMagick told The Daily Swig that the bug was accurately described in the blog post, adding that exploitation was in any case only possible in a setup that relied on an external Ghostscript command.

The vendor went on to offer a series of recommendations that ought to guard against exploitation:

The blog describes the vulnerability properly and its mitigation. Many installations of ImageMagick prevent the rendering of PDF per our recommendation with this policy.

<policy domain="coder" rights="write" pattern="{HTTP,HTTPS,MVG,PS,EPS,PDF,SVG,XPS}" />

In addition, the vulnerability can only occur if ImageMagick uses the external Ghostscript command rather than the built-in Ghostscript delegate library and the authenticate key/value is utilized without proper sanitization for the PDF format.

We suspect this combination of conditions is likely rare. There are no known exploits of this vulnerability in the wild.

ImageMagick’s best practice guidelines encourage users to configure a security policy.xml that suits their local environment, the vendor added.
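As an added example (not code from the article, from ImageMagick or from the researcher), a small Python checker that applies the two conditions the vendor describes to an installation: whether the build is at or past the fixed versions named above, and whether policy.xml denies read access to the PDF coder. The policy-matching logic is a simplified model (an assumption) of ImageMagick's rights semantics, the coder list it checks is an assumption, and the version output and policy documents are constructed samples.

```python
import re
from fnmatch import fnmatchcase
from xml.etree import ElementTree as ET

FIXED = {7: (7, 0, 10, 40), 6: (6, 9, 11, 40)}  # fixed builds named in the article

def parse_version(version_output):
    """Extract (major, minor, patch, build) from `identify -version` output."""
    m = re.search(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)", version_output)
    if not m:
        raise ValueError("no ImageMagick version string found")
    return tuple(int(x) for x in m.groups())

def is_patched(version):
    """True at or above the fix for this major (other majors: assumed >= 7.x fix)."""
    return version >= FIXED.get(version[0], FIXED[7])

def expand_braces(pattern):
    """Expand the {A,B,C} alternation used in policy.xml patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",")
            for p in expand_braces(head + alt + tail)]

def read_blocked_coders(policy_xml, coders):
    """Subset of `coders` that policy.xml denies read rights to. Simplified model
    (an assumption, not ImageMagick's own parser): read is blocked when a matching
    domain="coder" policy's rights attribute lacks read (e.g. "none" or "write")."""
    blocked = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        rights = pol.get("rights", "").lower()
        if pol.get("domain") != "coder" or "read" in rights or rights == "all":
            continue
        for pat in expand_braces(pol.get("pattern", "")):
            blocked.update(c for c in coders if fnmatchcase(c.upper(), pat.upper()))
    return blocked

def assess(version_output, policy_xml, coders=("PDF", "SVG", "MSL")):
    """One report per install: patch state plus which coders policy stops reading."""
    return {"patched": is_patched(parse_version(version_output)),
            "read_blocked": read_blocked_coders(policy_xml, coders)}

# Constructed sample inputs, not captured from a real system.
SAMPLE_VERSION = "Version: ImageMagick 7.0.10-39 Q16 x86_64 2020-11-15"
WEAK_POLICY = '<policymap><policy domain="resource" name="memory" value="256MiB"/></policymap>'
HARDENED_POLICY = ('<policymap><policy domain="coder" rights="write" '
                   'pattern="{HTTP,HTTPS,MVG,PS,EPS,PDF,SVG,XPS}" /></policymap>')
```

On a live host, feed it the output of `identify -version` and the contents of the active policy.xml; the hardened sample above uses the vendor's own policy line and reports PDF and SVG as read-blocked while MSL is not matched by that pattern.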

In response to a request from The Daily Swig to summarise his work, Inführ explained: "In case the server is using ImageMagick 7 to handle user controlled files and a user is able to set the ‘authenticate’ parameter either via the command line (-authenticate) or via MSL, it is possible to inject and execute shell commands on the server.

"MSL can be triggered via other file formats supported by ImageMagick as shown in my PoC (I am using SVG, which is handled by ImageMagick itself and not by a third-party library)," he added.

This story was updated to add comments from researcher Alex Inführ
