ImagePanick From SVG to RCE Chaining Weak Policies and Bugs ... #2195
Open
carlospolop wants to merge 1 commit into master from
🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

Original Blog Post: https://blog.deephacking.tech/en/posts/imagepanick-from-svg-to-rce-imagemagick-ghostscript/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> File Upload / File Processing RCE (or Network Services Pentesting -> Pentesting Web -> ImageMagick Security)" with a subsection on SVG->MVG injection and `msl:` abuse; cross-reference to Ghostscript/EPS delegate abuse.

🔗 Additional Context

Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0

🎯 Content Summary
Title: ImagePanick — chaining ImageMagick weak defaults + Ghostscript 10.06.0 SAFER bypasses from a single SVG to arbitrary file write and practical RCE.
What the post demonstrates (end-to-end): A self-contained SVG (no external network fetches) can be processed by a typical backend image pipeline and, with a single default command:
🔧 Technical Details
CR-based MVG command injection in SVG-to-MVG pipelines: If an application converts SVG into an intermediate scripting language (like ImageMagick’s MVG) and sanitizes only LF (`\n`) but not CR (`\r`), attackers can inject new script lines by embedding CR as an XML character reference (`&#13;`) inside an SVG attribute that is copied into the script (e.g., `<polyline points="... INJECT ... ..."/>`). Because the script parser treats CR as a line separator, the generated script becomes attacker-controlled multi-line input, enabling injection of powerful primitives such as MVG `image Over X,Y W,H 'URL'`.

Protocol-handler abuse via incomplete scheme blacklists: When a graphics scripting primitive accepts a URL and only blocks a subset of schemes (e.g., blocks `http`/`https` but misses internal schemes), attackers can pivot to less obvious built-in schemes. ...

🤖 Agent Actions
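As an added example (not code from the blog post, the PR or HackTricks), a Python validator for the two weaknesses listed under Technical Details: it contrasts the LF-only filter with a check that rejects every line terminator after XML decoding, contrasts a scheme blacklist with an allowlist, and audits a constructed SVG. All function names and the PLACEHOLDER values are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Line terminators a line-oriented script parser (MVG/MSL style) may honour; the weak
# filter described above removed "\n" only, so a CR encoded as &#13; opened a new line.
LINE_BREAKS = frozenset("\r\n\x0b\x0c\x85\u2028\u2029")
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")  # "coder:" / URL scheme prefix

def weak_filter(value: str) -> str:
    """The flawed approach from the write-up: strip LF and nothing else."""
    return value.replace("\n", "")

def has_line_break(value: str) -> bool:
    """Hardened check: any line terminator could split the value across script lines."""
    return any(ch in LINE_BREAKS for ch in value)

def scheme_of(ref: str) -> str:
    m = SCHEME_RE.match(ref)
    return m.group(1).lower() if m else ""

def blacklist_allows(ref: str, blocked=frozenset({"http", "https"})) -> bool:
    """Incomplete blacklist: internal coder prefixes such as msl: are simply not listed."""
    return scheme_of(ref) not in blocked

def allowlist_allows(ref: str, allowed=frozenset({""})) -> bool:
    """Allowlist: by default only scheme-less (relative) references are accepted."""
    return scheme_of(ref) in allowed

def audit_svg(svg_text: str) -> list:
    """Report attributes carrying a line terminator or a non-allowlisted scheme.
    ElementTree resolves &#13; to a real CR, exactly what an SVG->MVG converter copies."""
    findings = []
    for elem in ET.fromstring(svg_text).iter():
        tag = elem.tag.split("}")[-1]
        for name, value in elem.attrib.items():
            name = name.split("}")[-1]  # drop the xlink namespace, if any
            if has_line_break(value):
                findings.append((tag, name, "line terminator in attribute"))
            if name == "href" and not allowlist_allows(value):
                findings.append((tag, name, f"scheme not allowlisted: {scheme_of(value)}"))
    return findings

# Constructed sample: encoded CR in polyline points plus a coder-prefixed href; PLACEHOLDER
# stands in for real content, so this is not a working payload.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<polyline points="10,10 20,20&#13;PLACEHOLDER_SECOND_LINE"/>'
    '<image xlink:href="msl:PLACEHOLDER" width="1" height="1"/>'
    "</svg>"
)
```

Running `audit_svg(SAMPLE_SVG)` yields one finding per weakness: the CR that survives the LF-only filter, and the `msl:` reference that a blacklist of `http`/`https` would have let through.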
I’m mapping the existing HackTricks structure first, then I’ll read the closest ImageMagick/Ghostscript/file-upload pages to decide whether this belongs in an existing page or not.

I found the main candidate as `src/pentesting-web/file-upload/README.md`, but I’m checking whether there’s already a more specific ImageMagick/Ghostscript page so the new technique lands in the narrowest existing place.

The repo already has a dedicated ImageMagick Security page, which is narrower and better than the generic file-upload page for this chain. I’m now checking whether it already covers this SVG→MVG→MSL→Ghostscript pattern or if I should add a concise new section there.

There is older ImageTragick material elsewhere in the repo, so I’m comparing it against the new chain to avoid re-adding generic MVG abuse that HackTricks already has. The key question is whether the CR-based SVG injection plus `msl:` second stage is new relative to existing coverage.

I’ve confirmed there isn’t existing text for this exact chain (`&#13;`/CR injection, `msl:` gap, Ghostscript `.tempfile`+`renamefile`). I’m fetching the linked PoC/readme directly now so the new section can stay precise and avoid overclaiming beyond the published repro.

I’ve got enough context to patch the dedicated ImageMagick page now. The edit will add only the novel parts of this chain: CR-based SVG→MVG injection, `msl:` second-stage execution, the Ghostscript delegate file-dropper pattern, and concrete hardening checks.

The edit is in place. I’m doing a final pass on the rendered markdown structure and git diff now to catch formatting issues, duplicate ideas, or a broken references tail before I stop.

Updated imagemagick-security.md. I kept the change in a single file and added the missing technical content from the ImagePanick writeup: CR-based SVG→MVG injection with `&#13;`, `msl:` second-stage execution, Ghostscript delegate-assisted MSL dropping via `.tempfile`+`renamefile`, quick triage commands, and concrete hardening guidance. I also fixed the malformed existing reference entry and added the blog plus PoC repo to the References section.

I chose the dedicated ImageMagick page instead of the generic upload page because the technique is specifically about ImageMagick/Ghostscript internals, and HackTricks already surfaces that page from the web methodology. Verified the final diff, confirmed the internal Ghostscript cross-reference resolves, and only this file was modified. I did not run a full book build.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.