CVE CyberSecurity Database News

CVE-2023-34153 - Shell Command Injection in ImageMagick via Video Options (Easy Guide & Exploit Details)

Poster -

ImageMagick is a super popular tool used by web developers, graphic designers, and application platforms for editing, converting, and generating images and videos. But what if attackers can take control of the server every time someone processes a video?

That’s exactly the risk with CVE-2023-34153, a recently discovered major security vulnerability in ImageMagick’s video handling capabilities. This long read will break down:

What is CVE-2023-34153?

CVE-2023-34153 refers to a dangerous Shell Command Injection hole in ImageMagick, triggered when processing videos and using the video:vsync or video:pixel-format options. If an attacker can control these parameters, they can execute arbitrary shell commands on the server — basically a backdoor for hackers.

Where’s the Problem?

This bug exists in how ImageMagick builds the output options for the underlying FFmpeg (or similar) commands used to handle video encoding and decoding. Unsanitized user input gets directly inserted into shell commands, allowing harmful code to sneak in.

Who’s Affected?

- Any server, cloud service, or app using ImageMagick (or wrappers like PHP Imagick, Node.js imagemagick, etc.) that processes videos and allows user-supplied options.

The Vulnerability Explained (with Example)

Let’s look at a real-world scenario. Suppose your app lets users upload videos and choose certain “conversion options”–innocent enough, right?

But if an attacker uploads a file and sets a malicious video:vsync parameter like this

"; touch /tmp/pwned; echo "

ImageMagick may construct a shell command like

ffmpeg -i input.mov -vsync "; touch /tmp/pwned; echo " output.mp4

Here ; touch /tmp/pwned; gets executed as a real shell command, creating the file /tmp/pwned. Replace touch with nearly any command, and the attacker can own your server.

If you use command-line tools like

convert input.mov -set "option:video:vsync" "; bash -c 'id > /tmp/owned' ; echo " output.gif

Or, using APIs or uploads

// Using Imagick in PHP (vulnerable code)
$imagick = new Imagick();
$imagick->readImage('upload.mov');
$imagick->setOption('video:vsync', '; bash -c "id > /tmp/owned"; echo ');
$imagick->writeImages('export.gif', true);

If your web service ever sets video:vsync based on user input – and you’re using a vulnerable ImageMagick version – the above code will write the result of id to /tmp/owned on your server.

References & Technical Resources

- CVE-2023-34153 at NIST NVD
- Original Bug Report (GitHub, ImageMagick)
- Detailed Advisory at oss-security
- ImageMagick Security Policy Docs
- Patch/Commit Fix

Update ImageMagick!

Upgrade to the latest version (≥ 7.1.1-10 or whatever is current), as the fix was merged in June 2023.
2. Review Your Code/API Usage:  
  NEVER let user input go directly into video:vsync, video:pixel-format, or any ffmpeg parameters. Sanitize or whitelist all options.

Apply ImageMagick Security Policies:

Restrict risky options using policy.xml.

Least Privilege:

Run all image/video processing in accounts/containers with minimal access.

CVE-2023-34153 is a critical shell injection bug in ImageMagick’s video options.

- Attackers can execute shell code on your server if you pass untrusted input to options like video:vsync or video:pixel-format.
- Patch your ImageMagick ASAP, scrub user inputs, and audit your image/video handling stack.

If you process videos using ImageMagick, double-check your defenses NOW, or risk getting owned.

*If you have questions about this bug or want a security review for your applications, reach out to your security vendor or drop a line in the ImageMagick GitHub discussions.*

Timeline

Published on: 05/30/2023 22:15:00 UTC
Last modified on: 06/07/2023 14:27:00 UTC