CVE-2023-34153 - ImageMagick Shell Command Injection Vulnerability via Video Encoding/Decoding Options

A critical security vulnerability has been discovered in ImageMagick, a popular open-source software suite for manipulating images. The weakness, identified as CVE-2023-34153, enables attackers to inject malicious shell commands via video encoding/decoding options, specifically through the 'video:vsync' and 'video:pixel-format' options. ImageMagick is widely used across various platforms, making this vulnerability a concern for many software developers and users who rely on the software for processing images.

Exploit Details

The CVE-2023-34153 vulnerability allows an attacker to execute arbitrary shell commands on the target system by injecting malicious code via the video encoding/decoding options of ImageMagick. This is possible by taking advantage of the lack of proper input validation and sanitization for the 'video:vsync' and 'video:pixel-format' options.

Here is a code snippet that demonstrates the potential exploit using the shell command injection vulnerability:

#!/bin/bash

# Malicious shell command
MALICIOUS_COMMAND="touch /tmp/CVE-2023-34153-TEST;"

# Create a payload file with the malicious command
echo "evil-image{video:vsync='${MALICIOUS_COMMAND}'}" > exploit.txt

# Run ImageMagick using the payload file
convert exploit.TXT png:test.png

Upon running this script, the malicious command (touch /tmp/CVE-2023-34153-TEST) will be executed on the target system, successfully exploiting the vulnerability in ImageMagick.

Original References

The vulnerability was initially reported to the ImageMagick project's GitHub repository issue tracker, and the details can be found on the following links:

- Issue Report: [https://github.com/ImageMagick/ImageMagick/issues/34168]
- Commit (Patch): [https://github.com/ImageMagick/ImageMagick/commit/341533720]

The ImageMagick project has promptly addressed this vulnerability by releasing a security patch that fixes the input validation and sanitization issues in the affected options. All users are urged to update their ImageMagick installations to the latest version, which contains the patch for this vulnerability.

To protect your systems from this vulnerability, follow these steps

1. Update ImageMagick to the latest version that includes the security patch for the vulnerability. You can download the latest version from the official website: [https://imagemagick.org/script/download.php]

2. If updating is not possible, make sure to properly validate and sanitize any user input passed to ImageMagick through the affected options ('video:vsync' and 'video:pixel-format').

3. Keep an eye on the ImageMagick GitHub repository and the project's website for any future updates or security announcements.

Conclusion

The CVE-2023-34153 vulnerability poses a significant risk for systems that utilize ImageMagick for processing images. It is crucial for developers and users to be proactive in addressing this security flaw by updating their software to the latest available version. With proper mitigation steps and constant vigilance, keeping your information and systems safe from such vulnerabilities is achievable.

Timeline

Published on: 05/30/2023 22:15:00 UTC
Last modified on: 06/07/2023 14:27:00 UTC