Skip to content

e1abrador/ImagePanick

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
lab
lab
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
generate_poc.sh
generate_poc.sh
 
 

Repository files navigation

ImagePanick

SVG-to-RCE exploit chaining ImageMagick weak default policies with Ghostscript SAFER bypass vulnerabilities.

imagepanick.mp4

Overview

A self-contained SVG file achieves arbitrary file write (and RCE) by chaining:

ImageMagick - Weak Default Policies:

  • Incomplete CR sanitization in SVG parser (\r bypasses MVG line separation)
  • Missing msl: in the protocol blacklist for the image MVG primitive

Ghostscript 10.06.0 - SAFER Bypass Vulnerabilities:

  • .tempfile adds overly broad permissions (read + write + control) to the C-level permit lists
  • renamefile allows renaming within permitted temp directories, enabling predictable filenames
  • Modern SAFER (OLDSAFER=false) does not call .locksafe, leaving device parameters modifiable

One command triggers the full chain:

magick input.svg output.png

Attack Flow

SVG with &#13; in <polyline points="...">
  |
  +-- Stage 1: Injected MVG "image" loads data:image/x-eps;base64,...
  |     +-- Ghostscript SAFER executes EPS payload:
  |           +-- .tempfile   --> creates writable file
  |           +-- writestring --> writes MSL XML payload to it
  |           +-- renamefile  --> renames to /tmp/payload.msl (known path)
  |
  +-- Stage 2: Injected MVG "image" loads msl:/tmp/payload.msl
        +-- ImageMagick executes MSL:
              +-- <write filename="png:/arbitrary/path/file.png"/>
                    +-- ARBITRARY FILE WRITE --> RCE

Docker Lab

Build

docker build -t imagepanick .

Run

docker run --rm -p 8080:80 imagepanick

PoC Generator

Generate a custom SVG payload targeting a specific OS and output path:

bash generate_poc.sh <linux|windows|mac> <output_path>

Examples

# Linux - write to web root
bash generate_poc.sh linux /var/www/html/shell.php

# Windows - write to web root
bash generate_poc.sh windows C:/inetpub/wwwroot/shell.php

# macOS - write proof file
bash generate_poc.sh mac /tmp/proof.png

The script generates /tmp/poc.svg. Trigger the exploit with:

magick /tmp/poc.svg output.png

Affected Software

Software Version Role
ImageMagick 7.1.2-13 Weak default policies
Ghostscript 10.06.0 SAFER bypass vulnerabilities

Impact

Any system processing untrusted SVGs with ImageMagick is potentially affected:

  • Web apps that resize or thumbnail SVG uploads
  • Document processing pipelines
  • CI/CD systems that process images during builds
  • Any automated SVG processing workflow

Arbitrary file write trivially escalates to RCE via ~/.bashrc, /etc/cron.d/, web-accessible directories, ~/.ssh/authorized_keys, etc.

Blog Post

Full technical writeup available at Deep Hacking.

Disclaimer

This tool is provided for authorized security testing and educational purposes only. Use it only on systems you own or have explicit permission to test. The author is not responsible for any misuse.

About

SVG-to-RCE exploit chaining ImageMagick weak default policies with Ghostscript SAFER bypass vulnerabilities.

blog.deephacking.tech/en/posts/imagepanick-from-svg-to-rce-imagemagick-ghostscript/

Topics

ghostscript imagemagick arbitrary-file-write

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages