module
ImageMagick Delegate Arbitrary Command Execution
| Disclosed | Created |
|---|---|
| 2016-05-03 | 2018-05-30 |
Disclosed
2016-05-03
Created
2018-05-30
Description
This module exploits a shell command injection in the way "delegates"
(commands for converting files) are processed in ImageMagick versions
Since ImageMagick uses file magic to detect file format, you can create
a .png (for example) which is actually a crafted SVG (for example) that
triggers the command injection.
The PostScript (PS) target leverages a Ghostscript -dSAFER bypass
(discovered by taviso) to achieve RCE in the Ghostscript delegate.
Ghostscript versions 9.18 and later are affected. This target is
provided as is and will not be updated to track additional vulns.
If USE_POPEN is set to true, a |-prefixed command will be used for the
exploit. No delegates are involved in this exploitation.
(commands for converting files) are processed in ImageMagick versions
Since ImageMagick uses file magic to detect file format, you can create
a .png (for example) which is actually a crafted SVG (for example) that
triggers the command injection.
The PostScript (PS) target leverages a Ghostscript -dSAFER bypass
(discovered by taviso) to achieve RCE in the Ghostscript delegate.
Ghostscript versions 9.18 and later are affected. This target is
provided as is and will not be updated to track additional vulns.
If USE_POPEN is set to true, a |-prefixed command will be used for the
exploit. No delegates are involved in this exploitation.
Authors
stewie
Nikolay Ermishkin
Tavis Ormandy
wvu wvu@metasploit.com
hdm x@hdm.io
Nikolay Ermishkin
Tavis Ormandy
wvu wvu@metasploit.com
hdm x@hdm.io
Platform
Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.