Exploit Remote Code Execution via jQuery-File-Upload <= 9.x (ImageMagick/Ghostscript)

Author: @Ambulong

jQuery-File-Upload is the second most starred jQuery project on GitHub, after the jQuery framework itself. The project was recently reported to have a three-year-old arbitrary file upload vulnerability that was fixed in the release of v9.22.2, but another serious command execution vulnerability was found in the VulnSpy team’s review of the code, this vulnerability allows attackers to execute arbitrary system commands by uploading malicious picture files.

Notice: The old title (jQuery-File-Upload <= 9.x Remote Code Execution) had some kind of misleading, this is not really an RCE in jQuery-File-Upload. But jQuery-File-Upload make is easier to exploit, this vulnerability should be more danger than previous RCE, because not everybody use the example code, but they must to use UploadHandler.php.

The Imagick extension is used by default to verify uploaded images in the jQuery-File-Upload upload file /server/php/UploadHandler.php:

protected function get_image_size($file_path) {
    if ($this->options['image_library']) {
        if (extension_loaded('imagick')) {
            $image = new \Imagick();
            try {
                if (@$image->pingImage($file_path)) {
                    $dimensions = array($image->getImageWidth(), $image->getImageHeight());
                    $image->destroy();
                    return $dimensions;
                }
                return false;
            } catch (\Exception $e) {
                error_log($e->getMessage());
            }
        }
        if ($this->options['image_library'] === 2) {
            $cmd = $this->options['identify_bin'];
            $cmd .= ' -ping '.escapeshellarg($file_path);
            exec($cmd, $output, $error);
            if (!$error && !empty($output)) {
                // image.jpg JPEG 1920x1080 1920x1080+0+0 8-bit sRGB 465KB 0.000u 0:00.000
                $infos = preg_split('/\s+/', substr($output[0], strlen($file_path)));
                $dimensions = preg_split('/x/', $infos[2]);
                return $dimensions;
            }
            return false;
        }
    }
    if (!function_exists('getimagesize')) {
        error_log('Function not found: getimagesize');
        return false;
    }
    return @getimagesize($file_path);
}

We all know that several serious security vulnerabilities in ImageMagick has been disclosed in recent years:

• More Ghostscript Issues: Should we disable PS coders in policy.xml by default?
• CVE Request - multiple ghostscript -dSAFER sandbox problems
• CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerability via filename

Therefore, we can directly exploit the vulnerability by uploading pictures containing malicious code. The VulnSpy team has provided an online experimental environment, You can go to the following address to reproduce this vulnerability.

Online Environment: https://www.vulnspy.com/en-jquery-file-upload-below-v9.x-rce/

How to Fix

In File /server/php/UploadHandler.php, change image_library to 0:

// Set to 0 to use the GD library to scale and orient images,
// set to 1 to use imagick (if installed, falls back to GD),
// set to 2 to use the ImageMagick convert binary directly:
'image_library' => 0

Reference

• Remote code execution vulnerability in the PHP component