Are images identified based on magic bytes? (wrt the new ImageMagick exploit)

Started by tim-kos, May 04, 2016, 05:19:49 AM


tim-kos

Hey Phil, hey gents,

You have probably heard of the new ImageMagick exploit: https://imagetragick.com/

In our app we run all file paths through exiftool to have their mime type identified. If the mime type is a valid image mime type, only then do we pass it to ImageMagick.

My question is: How does exiftool identify the mime type for an image file? Does it use the magic bytes test (one of the two advertised workarounds to the exploit)? If so, then we would have implemented one of the two workarounds already simply by using exiftool. Or does exiftool look primarily at the file extension to derive the mime type from it?

If the magic bytes test is used, would exiftool return application/octetstream for images that contain malicious code and/or that do not pass the magic bytes test?

Thank you in advance!

Phil Harvey

ExifTool parses the start of the file to determine the file type.  For most types this is just a magic number test as you mentioned, but for some types without a magic number some processing is required.  Exiftool uses the extension only as a clue to the particular variety of file when there are multiple file types with the same format (eg. ASF/WMV/WMA/DIVX or DOC/PPT/XLA).

If the file is not recognized, then no MIMEType is returned and ExifTool gives an "Unknown file type" error.

- Phil
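As an added illustration of the magic-number check Phil describes (example code, not ExifTool's own implementation): a file is accepted for conversion only if its leading bytes match one of an allowlisted set of image formats; the extension is treated as a hint only, and anything unrecognized is rejected the way ExifTool's "Unknown file type" result would be. The signature table below is an assumption covering just JPEG, PNG and GIF, and the sample inputs are constructed.

```python
import subprocess
from typing import Optional, Tuple

# Constructed signature table: leading bytes -> MIME type for the formats the
# application allows. Extend it only with formats you actually want ImageMagick to see.
_MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]
ALLOWED_MIME = {mime for _, mime in _MAGIC}


def mime_from_magic(head: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None if unknown."""
    for magic, mime in _MAGIC:
        if head.startswith(magic):
            return mime
    return None


def check_upload(data: bytes, filename: str) -> Tuple[bool, str]:
    """Decide whether `data` may be handed to ImageMagick.

    The content check is decisive; the extension is only a clue, so a mismatch
    between the two is reported but a content match is still required either way.
    """
    mime = mime_from_magic(data[:16])
    if mime is None:
        return False, "unknown file type"          # like ExifTool's error case
    if mime not in ALLOWED_MIME:
        return False, f"{mime} not allowed"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = {"image/jpeg": ("jpg", "jpeg"), "image/png": ("png",), "image/gif": ("gif",)}
    if ext not in expected[mime]:
        return True, f"{mime} (extension .{ext} does not match content)"
    return True, mime


def mime_via_exiftool(path: str) -> Optional[str]:
    """Same decision made by asking exiftool for its MIMEType tag (value only via -s3).

    Returns None when exiftool is missing, fails, or reports no MIME type.
    """
    try:
        out = subprocess.run(["exiftool", "-s3", "-MIMEType", path],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    value = out.stdout.strip()
    return value if out.returncode == 0 and value else None
```

Whichever detector you use, gate ImageMagick on the detected type being in your allowlist, not on the absence of an error alone.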

tim-kos