Forum Thread: How to Exploit ImageTragick in vBulletin using BurpSuite and Metasploit

A vulnerability was found in ImageMagick where insufficient filtering of filenames passed to a delegate's command allows remote code execution during the conversion of several file formats.

Background Information

ImageMagick can hand files to external programs for processing. This feature is called a "delegate". It is implemented as a system() call on a command string (the 'command' attribute) taken from the config file delegates.xml, with placeholders replaced by actual values for the different parameters (input file, output file, filename, etc.). Because the %M parameter is insufficiently filtered, it is possible to inject shell commands. One of the default delegate commands uses the following to handle HTTPS requests:

"wget" -q -O "%o" "https:%M"

where %M is the actual link taken from the input. If wget or curl is installed, it is possible to pass the value "" |ls "-la" and unexpectedly execute 'ls -la'.
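The mechanism described above, substitute the placeholders into a template and hand the result to system(), can be reproduced in a few lines to see exactly why the "" |ls "-la" value breaks out of the quoted URL, and contrasted with how a delegate runner should be built. The following is an added example, not ImageMagick's own code: the template string is the one quoted on this page, but build_command_unfiltered, the allowlist regex, build_argv_hardened and the sample values are constructed here for illustration. The unfiltered builder only produces the command string; nothing is executed.

```python
import re
from urllib.parse import urlsplit

# Delegate template quoted on the page, as found in ImageMagick's delegates.xml.
HTTPS_DELEGATE_TEMPLATE = '"wget" -q -O "%o" "https:%M"'

# Template parameters modelled here (%o = output file, %M = link from the input).
PARAMS = ("o", "M")


def build_command_unfiltered(template, values):
    """Naive textual substitution, i.e. what precedes the system() call described on
    the page. Returns the string the shell would parse; it is built, never run."""
    command = template
    for name in PARAMS:
        command = command.replace("%" + name, values.get(name, ""))
    return command


# Allowlist for %M after the 'https:' prefix: //host[:port][/path][?query] built from
# URL-safe characters only. Quotes, spaces and shell metacharacters cannot match.
_SAFE_URL_REMAINDER = re.compile(
    r"//[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~%\-/]*)?(?:\?[A-Za-z0-9._~%&=\-]*)?"
)
# Allowlist for %o: a plain relative or absolute path, checked below for '..' segments.
_SAFE_OUTPUT_PATH = re.compile(r"[A-Za-z0-9._\-/]+")


def build_argv_hardened(values):
    """Hardened alternative (hypothetical, not ImageMagick's code): validate every
    parameter against an allowlist and return an argv list for exec without a
    shell, so no substituted value can ever be interpreted as shell syntax."""
    link = values.get("M", "")
    output = values.get("o", "")
    if not _SAFE_URL_REMAINDER.fullmatch(link):
        raise ValueError("rejected %M: not a plain https URL remainder: " + repr(link))
    if urlsplit("https:" + link).hostname is None:
        raise ValueError("rejected %M: no host")
    if not _SAFE_OUTPUT_PATH.fullmatch(output) or ".." in output.split("/"):
        raise ValueError("rejected %o: unsafe output path: " + repr(output))
    return ["wget", "-q", "-O", output, "https:" + link]


def delegate_accepts(values):
    """True when the hardened builder would run the delegate for these values."""
    try:
        build_argv_hardened(values)
    except ValueError:
        return False
    return True


def is_injection_attempt(link):
    """Detection helper: True when a %M value carries characters that a template
    substituted into a shell command would pass through unchecked."""
    return _SAFE_URL_REMAINDER.fullmatch(link) is None


if __name__ == "__main__":
    # Constructed sample values, including the page's '"" |ls "-la"' value.
    benign = {"o": "/tmp/out.png", "M": "//example.com/image.png"}
    hostile = {"o": "/tmp/out.png", "M": '"" |ls "-la"'}
    print(build_command_unfiltered(HTTPS_DELEGATE_TEMPLATE, benign))
    print(build_command_unfiltered(HTTPS_DELEGATE_TEMPLATE, hostile))
    print(build_argv_hardened(benign))
    print("hostile accepted:", delegate_accepts(hostile))
```

Running the script shows the hostile substitution closing the "https:" quote and leaving |ls "-la" outside any quoting, which is why the shell treats it as a second command. The hardened builder sidesteps the whole problem class: the allowlist rejects the value outright, and because exec receives an argv list rather than a string, even a value that slipped past validation would reach wget as a single argument instead of being parsed by /bin/sh.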

