Rhino Security Labs

Merlin’s Shell: Exploiting Image Processing in ImageMagick

Introduction: The ImageMagick Exploit

This week a critical exploit was revealed in the ImageMagick library allowing command execution through maliciously crafted image files. ImageMagick is a software suite that gives you the power to edit and transform images across several different formats, like PNG and JPEG, all from the command line. This software has proved to be of great use to developers everywhere, from applying color filters to resizing and cropping profile pictures. The flaw affects thousands of applications that rely on ImageMagick for their core image processing, even those that do not necessarily ship it in their core packages. The success of this software has led to widespread use of ImageMagick plugins across several languages, leaving sites built on anything from Django to WordPress exposed.

The code in question delegates to a set of system commands based on the type of file detected. While the full set of system commands can be found here, the vulnerability lies in the lack of proper filtering when completing the format string that fetches an image from a remote URL. Input that escapes its expected context is a persistent problem, as in cross-site scripting, but the impact is much higher when that context is a system command, since it essentially provides remote code execution. This blog is a technical analysis of the ImageMagick exploit, as well as mitigation techniques for your own environment.

The Exploit

To see first-hand how the exploit works, simply set up a basic environment and download and install the ImageMagick binaries. At the time of writing this article, the ImageMagick package in the most current Ubuntu release, 14.04 LTS, has still not been patched. This is the version used to demo the exploit, and it is also offered by Amazon’s AWS services for free. In order to exploit, simply create an MVG file with the following contents:

The ImageMagick exploit at work by using a malicious user controlled command

The screenshot above shows the maliciously crafted MVG image: the fill URL uses double quotes to jump out of the command context and execute our malicious payload. As you can see, it connects back to the attacker's machine on port 443 and a shell is created.

Note that the file uses double quotes to escape the command context in order to execute arbitrary commands, much in the same way cross-site scripting (XSS) uses double quotes to escape a defined HTML context. Now run “convert exploit.mvg out.jpg” and the command is executed. Also take note that the convert command is agnostic to the file’s extension; it reads the contents before deciding how to process the image. This means that if a web application were to accept only JPGs, we could simply rename our exploit to have the JPG extension, upload it and gain a shell.

The Impact

ImageMagick is used across the web for many different applications, from resizing images to make profile pictures or converting images to a standard format. In the age of reusable code and automation, oftentimes we do not investigate the modules we attach to our applications.

An example of this is the widespread use of plug-ins for content management systems (CMS), such as WordPress and Drupal. Plug-ins are frequently used to extend your site’s functionality with the click of a button. A quick Google search for CMS plugins that use ImageMagick’s binaries shows tens of thousands of CMS applications and users at risk. Given the prevalence of this binary across the web, including technologies derived from it, it’s clear that this vulnerability will be exploited again and again.

Conclusion: The Mitigation

At the time of writing this article there have been no patches; however, all is not lost. To prevent malicious image files from executing commands, two things can be done.

The first strategy is to verify that each image file processed by the server begins with the “magic bytes” that correspond to an image file type your application supports. This will stop a malicious MVG masquerading as a JPG from making it to the command line.
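As an added example, not code from the original post, here is a content-based “magic bytes” check of the kind described above. It accepts an upload only when both the extension is allowed and the leading bytes match that extension, so a text-based MVG renamed to .jpg is rejected before it ever reaches convert; the function names, the allowed-format list and the sample inputs are all hypothetical.

```python
# Added example (not from the Rhino Security Labs post): content-based
# "magic bytes" validation for uploaded images. ImageMagick picks a coder
# from the file contents, not the extension, so the server must sniff the
# bytes itself rather than trust the file name. All names are hypothetical.
from typing import Optional, Tuple

# Leading byte signatures of the formats this hypothetical application accepts.
MAGIC_BYTES = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Extensions the application will accept, mapped to the type they declare.
EXTENSION_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image type whose signature starts `data`, or None."""
    for image_type, signatures in MAGIC_BYTES.items():
        if any(data.startswith(sig) for sig in signatures):
            return image_type
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only if the extension is allowed AND the bytes match it.

    The second condition is what stops an MVG (or any other text-based
    coder input) renamed to .jpg from being handed to `convert`.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXTENSION_TO_TYPE.get(ext)
    if declared is None:
        return False, f"extension '{ext}' is not allowed"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "no recognised image signature"
    if sniffed != declared:
        return False, f"content is {sniffed} but extension declares {declared}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: a JPEG/JFIF header, and a plain-text file
    # that starts with an MVG keyword but was uploaded under a .jpg name.
    real_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    mvg_as_jpg = b"push graphic-context\nviewbox 0 0 640 480\n"
    print(validate_upload("avatar.jpg", real_jpeg))   # (True, 'ok')
    print(validate_upload("avatar.jpg", mvg_as_jpg))  # (False, 'no recognised image signature')
```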

The second method is to update the policy.xml file that ImageMagick references. To do this, just drop the XML snippet (below) into your policy.xml file and it will disable the following coders: EPHEMERAL, URL, HTTPS, MVG and MSL.

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>

You can find more information about mitigations and other attack vectors in the full Outerwall Disclosure Forum here, or, to learn more about the ImageMagick exploit, check it out here.