There are a few binaries that wind up running in a bunch of places, silently doing their jobs, and being easily forgotten about. ImageMagick is used on many servers for image conversion and resizing, and tends to run automatically on uploaded images. Easily forgotten, runs automatically, and with arbitrary inputs. Yep, perfect target for vulnerability hunting. And the good folks at Metabase found two of them.
First up is CVE-2022-44267, a Denial of Service, when ImageMagick tries to process a rigged PNG that contains a textual chunk. This data type is usually used for metadata, and can include a profile entry for something like EXIF data. If this tag is specified inside a text chunk, ImageMagick looks to the given value as a filename for finding that profile data. And notably, if that value is a dash -, it tries to read from standard input. If the server’s image processing flow doesn’t account for that quirk, and virtually none of them likely do, this means the ImageMagick process hangs forever, waiting for the end of input. So while that’s not usually a critical problem, it could be used for a resource exhaustion attack.
But the real problem is CVE-2022-44268. It’s the same trick, but instead of using - to indicate standard input, the processed image refers to a file on the server filesystem. If the file exists, and can be read, the contents are included in the image output. If the attacker has access to the image, it’s a slick data leak — and obviously a real security problem. If a server doesn’t have tight file permissions and isolation, there’s plenty of sensitive information to be found and abused.
The fix landed back in October 2022, and was part of the 7.1.0-52 release. There’s a bit of uncertainty about which versions are vulnerable, but I wouldn’t trust anything older than that version. It’s a pretty straightforward flaw to understand and exploit, so there’s a decent chance somebody figured it out before now. The file exfiltration attack is the one to watch out for. It looks like there’s an Indicator of Compromise (IoC) for those output PNGs: “Raw profile type”.
A PoC was just published for a potentially serious flaw in the Ghostscript interpreter. Ghostscript can load PostScript, PDF, and SVG, and it has a feature from PostScript that has been a continual security issue: the %pipe% command. This command requests the interpreter to spawn a new process — it’s RCE as part of the spec. This is obviously a problem for untrusted images and documents, and Ghostscript has fixed security vulnerabilities around this mis-feature several times over the years.
This particular vulnerability was discovered by [Emil Lerner], and described at ZeroNights X. That talk is available, but in Russian. The issue seems to be a bypass of sorts, where the pipe command appears to be working in the /tmp/ directory, but a simple semicolon allows for an arbitrary command to be executed. Now why is this a big deal? Because ImageMagick uses Ghostscript to open SVG images by default on some distributions, and ImageMagick is often used for automatically resizing and converting images for web sites. In [Emil]’s presentation, he uses this flaw as part of an attack chain against three different companies.
I was unable to reproduce the flaw on my Fedora install, but I haven’t found any notice of it being fixed in the Ghostscript or ImageMagick changelogs either. It’s unclear if this problem has already been fixed, or if this is a true 0-day for some platforms. Either way, expect attackers to start trying to make use of it.
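Whether or not a given Ghostscript build is patched, the usual mitigation on an image-processing host is to keep untrusted uploads from reaching Ghostscript at all, by denying the Ghostscript-backed coders in ImageMagick’s policy.xml. The block below is an added example, not part of this post or of ImageMagick’s own tooling: it audits a policy file and shows a weak policy beside a hardened one. The list of coders treated as Ghostscript-backed (SVG included because the post notes some distributions route SVG through Ghostscript) and the two sample policies are assumptions.

```python
"""Audit an ImageMagick policy.xml for Ghostscript-backed coders. Added example;
not ImageMagick's tooling. GS_CODERS and the sample policies are assumptions."""
import xml.etree.ElementTree as ET

# Formats ImageMagick hands to the Ghostscript delegate (assumed list; SVG is
# here because the post says some distributions open SVG via Ghostscript).
GS_CODERS = {"PS", "PS2", "PS3", "EPS", "PDF", "XPS", "SVG"}

# Constructed "before": only resource limits, every Ghostscript coder reachable.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>"""

# Constructed "after": same limits plus coder and delegate denials, so an
# uploaded file with a Ghostscript-handled format is refused outright.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS,SVG}"/>
  <policy domain="delegate" rights="none" pattern="gs"/>
</policymap>"""


def expand_pattern(pattern):
    """Expand the brace-list form policy.xml accepts: '{PS,PDF}' -> {'PS', 'PDF'}."""
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        return {p.strip().upper() for p in pattern[1:-1].split(",") if p.strip()}
    return {pattern.upper()}


def audit_policy(policy_xml):
    """Report which Ghostscript coders stay enabled and whether the gs delegate is denied."""
    root = ET.fromstring(policy_xml)
    denied_coders = set()
    gs_delegate_denied = False
    for policy in root.iter("policy"):
        if policy.get("rights", "") != "none":
            continue                       # only outright denials count here
        domain = policy.get("domain")
        pattern = policy.get("pattern", "")
        if domain == "coder":
            denied_coders |= expand_pattern(pattern)
        elif domain == "delegate" and pattern.lower() in ("gs", "*"):
            gs_delegate_denied = True
    exposed = set() if "*" in denied_coders else GS_CODERS - denied_coders
    return {"exposed_coders": sorted(exposed), "gs_delegate_denied": gs_delegate_denied}


def is_hardened(policy_xml):
    """True when no Ghostscript-backed coder is reachable under this policy."""
    return not audit_policy(policy_xml)["exposed_coders"]


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_policy(xml))
```

Point it at the file reported by `magick -list policy` (or `convert -list policy` on ImageMagick 6) to check the policy that is actually loaded rather than the one you think is installed; the delegate denial is belt-and-braces on top of the coder denial, since the coder rule is the one that stops the format from being parsed at all.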
Whatever his motives are, we have to admit that the end result is very nice. Especially when you find out that there’s no complex hardware or software at work here. An original Raspberry Pi is doing all the heavy lifting by pulling a frame from the external IP camera using ffmpeg, polling the I2C-connected BME280 temperature and humidity sensor with a Python script, and then producing a final snapshot with the environmental data laid over top using ImageMagick.
[Danilo] gives the exact commands he’s using for each step of the process, making it easy to follow along and see how everything comes together in the end. That also makes it much easier to adapt for your own purposes should you feel so inclined. Once you see how all the pieces fit together, where the data and images come from is up to you.
What an interesting way to show a year: Norwegian hacker [Erikso] created a condensed timelapse that shows a year in a single photo. He had taken a timelapse of the view from his living room window in the frozen north every day during 2010, using a camera that was locked in place taking an image every 30 minutes. Then, with the help of some hacker friends, he came up with a script that slices these images up and combines them so that each day is represented by a vertical slice. The result is a gorgeous image that gives a wonderful sense of the seasons, and how that affects the trees. You can see the leaves grow and fall, and the snow on the ground come, go and come again.
The image capture rig is similar to turntable photography setups that allow you to construct animated GIF files or 3D models of objects. The subject is placed on a stepper motor which allows precise control when rotating the object between frames. The EiBotBoard (which we’ve seen in at least one other project) is designed for the EggBot printer. But it is used here to interface the motor and capture equipment with the Raspberry Pi.
We’re a little uncertain if the RPi actually handles the image manipulation. The project uses ImageMagick, which will certainly run on the RPi. There is a mention of the Raspberry Pi camera joining the rig as a future improvement, so we do expect to see a fully-automatic revision at some point.
This is a Raspberry Pi outfitted in a DSLR battery grip. [Dave H] was very interested in the idea of combining a single-board computer with a high-end camera. The size and cost of such a computer was prohibitive until the RPi came along. He managed to fit the board into the broken battery grip he had on hand, and he already has the prototype up and running.
[Dave’s] alterations to the battery grip allow access to the USB, Ethernet, and composite video ports. Powering the RPi was a bit of a challenge. He tried using an iPhone charger with four AA batteries but that only provided 4.2V. After going back to the drawing board he discovered he could rework the parts that he removed from the grip, using a Canon 7.2V 1800 mAh battery. So far he can automatically pull images from the camera and transmit them over a network connection. But since the RPi is running Linux, there’s a whole world of hacks just waiting to be exploited. What comes to mind first is image manipulation software (like ImageMagick) which has a command-line interface.
[Daniel Paluska] is getting away from the point-and-click by editing videos from the command line. Using the free open source software packages FFmpeg, ImageMagick, and SoX he produces new clips from multiple videos with effects like overlaying, slicing, and assigning each video to a different quadrant. The last option would be useful for displaying different angled shots of the same thing all at once, but we’re sure you can find a way to use them all. He is using shell scripts to automate some of the process, but the commands are still easy enough to understand if this is your first foray into these tools. After all, great video production will go a long way toward becoming an Internet sensation.