Imagemagick GIF coder vulnerability leads to memory disclosure (Hackerone)

Kunal pandey
Nov 2, 2018 · 4 min read

Hello Friends

This is my first write-up, about a bug which I discovered back around January; hope you guys like it. :)

Around January 2018, I discovered a vulnerability known as the ImageMagick GIF exploit, found by Emil Lerner (Neex), https://github.com/neex.

Let me explain it in more detail:

Explanation

“The ImageMagick GIF exploit (CVE-2017-15277) is a vulnerability affecting outdated versions: ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leave the palette uninitialized when processing a GIF file that has neither a global nor a local palette. If the affected product is used as a library loaded into a process that operates on interesting data, this data sometimes can be leaked via the uninitialized palette.”

Putting it in simpler words: the outdated ImageMagick 7.0.6-1 and GraphicsMagick (a fault in the library's image processing) leaked server memory. You create a crafted image file, upload it to any part of the site that processes images, and if the file handed back to you contains an uninitialized pixel palette, the server is leaking data (stack traces plus string values).

Also, for those who are new to bug bounty: ImageMagick is open-source software for displaying, converting, and editing raster and vector image files. It is used in many web applications to crop, resize and recolour images, and it supports a large number of image formats.
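As an added defensive example (not part of the original post, nor of gifoeb), here is a small upload-side check that walks the GIF block structure and flags any frame that has neither a global nor a local colour table, which is exactly the condition the text above describes. The `build_gif` helper is hypothetical and only there to construct sample files so the check runs offline.

```python
import struct

# Constructed minimal GIF encoder (hypothetical helper, not gifoeb): builds a
# single-frame GIF with or without a global / local colour table.
def build_gif(width, height, global_palette, local_palette):
    palette = b"\x00\x00\x00\xff\xff\xff"  # 2 entries: size field 0 -> 2^(0+1)
    out = b"GIF89a" + struct.pack("<HH", width, height)
    out += bytes([0x80 if global_palette else 0x00]) + b"\x00\x00"
    if global_palette:
        out += palette
    out += b"\x2C" + struct.pack("<HHHH", 0, 0, width, height)
    out += bytes([0x80 if local_palette else 0x00])
    if local_palette:
        out += palette
    # LZW minimum code size, one 2-byte data sub-block, block terminator, trailer
    return out + b"\x02\x02\x44\x01\x00\x3B"

def _skip_subblocks(data, pos):
    """Advance past length-prefixed data sub-blocks up to the 0x00 terminator."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def frames_without_palette(data):
    """Return indices of image frames that have neither a global nor a local
    colour table; a non-empty result is the condition CVE-2017-15277 needs."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file or truncated header")
    packed = data[10]                       # Logical Screen Descriptor flags
    has_gct = bool(packed & 0x80)
    pos = 13 + ((3 << ((packed & 0x07) + 1)) if has_gct else 0)
    missing, frame = [], 0
    while True:
        block, pos = data[pos], pos + 1
        if block == 0x3B:                   # trailer: end of stream
            return missing
        if block == 0x21:                   # extension: label byte + sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif block == 0x2C:                 # image descriptor
            ipacked = data[pos + 8]
            has_lct = bool(ipacked & 0x80)
            pos += 9 + ((3 << ((ipacked & 0x07) + 1)) if has_lct else 0)
            if not (has_gct or has_lct):
                missing.append(frame)
            frame += 1
            pos = _skip_subblocks(data, pos + 1)   # LZW min code size + image data
        else:
            raise ValueError("unknown block 0x%02X at offset %d" % (block, pos - 1))
```

A file that returns a non-empty list is one a patched ImageMagick renders black and an unpatched one fills from uninitialized memory; rejecting it before the image library sees it is a cheap extra layer next to upgrading.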

Let’s jump to the bug exploitation part:

  • I downloaded the Neex repository from https://github.com/neex/gifoeb.
  • Afterwards, I created many exploitable GIF files using the command ./gifoeb gen 512x512 dump.gif; you can give extensions like .gif, .jpg, .tiff, .bmp and many more.

(Figure: exploitable files)

  • Afterwards, I tried to upload one of the exploitable files via the profile upload feature on HackerOne.

In response, I got back different reflected pixels, and I was like...

  • Then, I started uploading exploitable files and tried to download as many of the reflected pixel files as possible, in GIF format.
  • Afterwards, I just saved all the files inside a previews folder.
  • Finally, I recovered all the files using this command:

for p in previews/*; do ./gifoeb recover "$p" | strings; done


As you can see, the uninitialized pixels recovered from the downloaded GIF files were disclosing memory from the server, such as paths, server OS information and more.

Report

I submitted this vulnerability to HackerOne's own program (Security).

They considered this a memory leakage bug and rewarded me with $500; this was a huge motivation for me, as well as my first bounty. Thanks to Jobert, Reed, Joystick, Dirk and Wvdv.

Thanks to Emil Lerner (Neex) for finding this vulnerability in ImageMagick and creating the repo on GitHub.


Impact

Depending on what the server process holds in memory, these ImageMagick GIF exploitable files can leak emails, cookies, SQL queries, directory paths and much more.

On HackerOne, only OS and path leakage, plus some other stack traces, were present.

Solution

It has now been mitigated completely: after updating the ImageMagick software to the latest version behind every server, there is no more leakage.

Advice

  • In recent ImageMagick versions it has been mitigated: if you try to upload an exploitable file, you straight away get a plain black image and nothing else, and a black image file will not leak anything.
  • Second, even if you do get reflected pixel files, check whether they actually disclose something or not. If you only get stack traces like {{{*a/!a^a;bb(b|}, please don’t report it until you get some string values related to server path leakage, information leakage and the like.
  • Third and finally, create different image files with different resolutions and extensions, and focus on the greyer pixel palettes, as they will contain more information than blue, green or red pixels. It differs from site to site, and with the outdated ImageMagick version as well.

Timeline

6th Jan 2018 — Report submitted to the Security program (HackerOne)

7th Jan 2018 — Security team assessed and triaged the report

7th Jan 2018 — CVE-2017-15277 was assigned as the reference for this report, as the vulnerability was originally found by Emil Lerner (Neex)

20th Jan 2018 — $500 bounty awarded. My first bounty as well. Really made my day.

7th Feb 2018 — Report resolved.
