Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Argument Injection in Ruby Dragonfly - 509

Michael Tsai, posted 4 years ago
  • Dragonfly is a library used for image tasks such as creating thumbnails, text images or anything else. Dragonfly is used by Refinery CMS, which is where the vulnerability was initially discovered.
  • When processing certain types of operations, Dragonfly calls the ImageMagick utility. Two of the parameters passed to the binary were under user control.
  • The first idea is command injection. However, a denylist blocks shell metacharacters such as ||, preventing this from occurring.
  • The next idea is argument injection, where additional arguments can be appended to the binary's command line. By adding spaces to one of the controlled parameters, it was possible to add arbitrary arguments to the command. Exploiting this is specific to the binary!
  • One feature of ImageMagick is converting non-image files to images. One way to do this is by reading raw RGB values from standard input or from a file. This turns into an arbitrary file read vulnerability; the example reads /etc/passwd.
  • A similar operation works in reverse, fetching from an attacker-controlled web server. This takes the vulnerability from a file read to a file write!
  • Achieving RCE can be done in multiple ways depending on the system; an arbitrary file write vulnerability essentially means game over. Apparently, some part of the CMS makes this impossible to exploit, which has to do with a security mechanism that is rarely disabled.
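The write-up's core point is that a denylist of shell metacharacters says nothing about whitespace, so a parameter handed to an external binary can still split into extra arguments. The following is an added example (not Dragonfly's or Refinery's code) contrasting that style of check with a shape-based validator for a resize geometry and an argv array that never passes through a shell; the function names and the geometry pattern are my own assumptions.

```ruby
# Constructed example: vetting a user-supplied geometry before it reaches
# an ImageMagick binary. Each validator returns the rejection reason, or nil
# when the value is acceptable.

DENYLIST = ["||", "&&", ";", "|", "`", "$("].freeze

# Weak check in the style the write-up describes: it blocks shell
# metacharacters but ignores whitespace, so a value containing a space can
# become an additional argument once the command is assembled as a string.
def denylist_only(value)
  DENYLIST.any? { |bad| value.include?(bad) } ? "shell metacharacter" : nil
end

# Hardened check: accept only the narrow shape a resize geometry can take
# ("300x200", "50%", "300x200>"), so whitespace and option-like tokens
# never reach the binary at all. (Assumed pattern, not ImageMagick's own.)
GEOMETRY = /\A\d{1,5}(x\d{1,5})?[%!<>^]?\z/

def strict_geometry(value)
  return "empty" if value.empty?
  return "whitespace" if value.match?(/\s/)
  return "option-like" if value.start_with?("-", "+")
  return "not a geometry" unless value.match?(GEOMETRY)
  nil
end

# Build the argv for convert as an array: each element is exactly one
# argument, so nothing can split into several. Pass it as system(*argv),
# which does not invoke /bin/sh, rather than interpolating into a string.
def convert_argv(input, geometry, output)
  reason = strict_geometry(geometry)
  raise ArgumentError, "rejected geometry (#{reason})" if reason
  ["convert", input, "-resize", geometry, output]
end
```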