module
ImageMagick Delegate Arbitrary Command Execution
| Disclosed | Created |
|---|---|
| May 3, 2016 | May 30, 2018 |
Disclosed
May 3, 2016
Created
May 30, 2018
Description
This module exploits a shell command injection in the way "delegates"
(commands for converting files) are processed in ImageMagick versions
Since ImageMagick uses file magic to detect file format, you can create
a .png (for example) which is actually a crafted SVG (for example) that
triggers the command injection.
The PostScript (PS) target leverages a Ghostscript -dSAFER bypass
(discovered by taviso) to achieve RCE in the Ghostscript delegate.
Ghostscript versions 9.18 and later are affected. This target is
provided as is and will not be updated to track additional vulns.
If USE_POPEN is set to true, a |-prefixed command will be used for the
exploit. No delegates are involved in this exploitation.
(commands for converting files) are processed in ImageMagick versions
Since ImageMagick uses file magic to detect file format, you can create
a .png (for example) which is actually a crafted SVG (for example) that
triggers the command injection.
The PostScript (PS) target leverages a Ghostscript -dSAFER bypass
(discovered by taviso) to achieve RCE in the Ghostscript delegate.
Ghostscript versions 9.18 and later are affected. This target is
provided as is and will not be updated to track additional vulns.
If USE_POPEN is set to true, a |-prefixed command will be used for the
exploit. No delegates are involved in this exploitation.
Authors
Platform
Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.