Artificial Stupidity: Exaggerated in some of FlatOut 3's game modes.100% Completion: The game helpfully displays your percent-completion rate.This looks promising! If we can do multiplications, we have broken out of the double quotes and can execute Perl code. The warning informs us that our eval tried to do a multiplication of a newline character with something. After minimizing the crash file, we end up with the following annotation data: (xmp "\Īrgument "\n" isn't numeric in multiplication (*) at (eval 8) line 1. In my opinion, the last crash is the easiest to understand and ultimately helped me the most in recreating the exploit, so it seems like a good place to start.
" isn\'t numeric in multiplication (*) at (eval 8) line 1.\n' Nevertheless, it starts to produce interesting errors within a couple minutes: This fuzzer is not very sophisticated 2, and will only get a couple execs per second. Now all that’s left is to call this function over and over again until we get interesting output. # If Exiftool returned a warning, print the fuzz case that caused it. Return False # Parse the DjVu file with Exiftool p = Popen(, stdout =PIPE, stderr =PIPE) # djvumake would sometimes get stuck, so I added a small timeout. # Embed it in a new DjVu file p = Popen([ "djvumake", "fuzz.djvu", "INFO=0,0", "BGjp=/dev/null", # Create an annotation file with open( "fuzz-annotation.txt", "wb") as ant_file: +* \n " # Pick some random characters to insert into our template. # Special characters that may hit edge cases. With this information, we can build the following template string: Beyond that, we need some kind of payload in the middle, followed by some additional escape characters as a suffix. We know it has to start with (xmp " to trigger the eval we’re interested in. Can we make a fuzzer pop calc? #įirst, let’s reason about what our payload must look like. Instead, I made a simple Python fuzzer to find the escape. As a Perl noob, I struggled to find a filter bypass manually.
If you’re familiar with Perl, you may be able to spot the bug directly. # find the next token last unless $$dataPt =~ /(\S)/sg # get next non-space character if ($1 eq '(') The contents of the file don’t really matter, we just care about the attached metadata.įirst, we create a text file with these contents: To create a DjVu file, we’ll be using the DjVu Libre suite on Linux. It is not very commonly used, but it has a number of different annotation and metadata fields that Exiftool can parse.
Patched security vulnerability in DjVu readerĪrmed with this information, we can examine the git diff between version 12.23 and version 12.24. We’ll find exactly one entry about a security issue that got fixed in this release. Let’s start by looking at the release notes for the patched version (12.24).
#Perl exiftool Patch#
Proof of concept code for the exploit wasn’t public yet 1, so I set out to reverse the security patch and find a way to exploit it.
#Perl exiftool software#
This piqued my interest, as Exiftool is not only really common in CTF challenges, but also used in tons of software that needs to display Exif data. The tweet shows how running Exiftool on a simple image causes arbitrary code execution.
#Perl exiftool mp4#
In the early moring of the 24th of April, an interesting exploit popped up on my Twitter feed:Īnyone using ExifTool make sure to update to 12.24+ as CVE-2021-22204 can be triggered with a perfectly valid image (jpg, tiff, mp4 and many more) leading to arbitrary code execution! /VDoybw07f5- William Bowling April 24, 2021
0 kommentar(er)
