I started looking to see if anything else used the DjVu module, but it was only referenced by the AIFF module and no other formats referenced that one. That way even if some validation was performed on the image before being passed to ExifTool (for example ensuring that it’s a png or jpeg) then it would still work.
EXIFTOOL VIDEO TAG CODE
Having code execution by just passing an unknown file to ExifTool was pretty amazing, but what would be even better was if the bug could be trigged with a valid image in a more common format. Now I had a way that I could quickly test different combinations, which I combined by adding more print lines to display each time the $tok was modified. block with DJVIANTa\x00\x00\x00!(metadata (Author "Phil Harvey")), re-ran exiftool, and the author tag was extracted and displayed! The Bug I edited the file replacing the DJVIANTz. So the metadata format seems to be bracket indented starting with metadata and followed by tag name and quoted value pairs. (xmp "\n\n \n Must escape double quotes (') and backslashes (\\)\n \n\n \n \n \n Phil Harvey\n \n \n \n \n ExifTool DjVu test image\n \n \n \n \n Copyright 2008 Phil Harvey\n \n \n \n \n ExifTool\n Test\n DjVu\n XMP\n \n \n \n \n DjVu Metadata Sample\n \n \n \n\n \n ExifTool, Test, DjVu, XMP\n djvused\n /Unknown\n \n\n \n T12:31:34-04:00\n ExifTool\n T09:17:10-05:00\n \n") (note "Must escape double quotes (\") and backslashes (\\)") I added a print($$dataPt) to the ProcessAnt method and ran exiftool on the djvu image and the following was printed out: Since that corresponded to the remaining number of bytes in the file, it was most likely the length of the tag. There was the string DJVIANTz followed by the hex 000002E0. Looking at the file in a hex editor, the format seemed fairly simple. Luckily there was an example DjVu.djvu image, but unfortunately, it was using the compressed version of the chunk ANTz instead of the text ANTa. To try out a few things, I wanted to be able to hit the ParseAnt from an image. The special characters being escaped were trying to prevent any string interpolation or breaking out of the double quotes when the eval was run. From the comments, this was done to support C escape sequences, which I guess are similar in Perl. There was then some regex to escape special characters before passing it quoted to qq and then finally passing the result to eval. It would build up a string until another quote was found, taking into account quotes escaped with a backslash. #- # Parse DjVu annotation "s-expression" syntax (recursively) # Inputs: 0) data ref (with pos($$dataPt) set to start of annotation) # Returns: reference to list of tokens/references, or undef if no tokens, # and the position in $$dataPt is set to end of last token # Notes: The DjVu annotation syntax is not well documented, so I make # a number of assumptions here! sub ParseAnt ($) One of these was located in the ParseAnt method of the DjVu module: Ignoring all the eval blocks, there were still a fair few interesting results. In Perl, eval can be used with a block to trap exceptions which is why it was being used everywhere. I then looked for places that called eval, and it turned out that it was used a lot: I started looking for places that performed file access but without much success.
It turns out that it is written in Perl! I’ve never really used or reviewed Perl code before, but being a dynamic scripting language the majority of the general concepts were familiar.
An older version was being used (11.70), so I thought maybe there could be some existing CVEs that could be abused, as parsing file formats is hard.Ī quick search showed only one old CVE from 2018, so decided to look at the source instead. I’d used ExifTool numerous times in the past but didn’t even know what language it was written in.
From here you can copy a tag and paste it into a method of choice.Īt the time of writing ExifTool supports the following file formats: 3FRģrd Gen.While looking at one of my favourite bug bounty programs, I noticed they were using ExifTool to strip tags from uploaded images. Tag values can get investigated by selecting a file and clicking the ExifTool button in the Fileinfo box. ExifTool supports both more formats and more tags which can be used to mass rename files through Advanced Renamer.
EXIFTOOL VIDEO TAG ZIP
ExifTool is a program by Phil Harvey ( ) distributed with Advanced Renamer to create support for more file formats like raw camera files, documents, zip files etc.
0 kommentar(er)
