CVE-2022-23935
📋 TL;DR
CVE-2022-23935 is a command injection vulnerability in ExifTool's Perl module that allows attackers to execute arbitrary commands on affected systems. The flaw lies in the $file =~ /\|$/ check, which mishandles file names ending in a pipe character (|), so a crafted file name can be turned into a command. Any application or system that uses a vulnerable version of ExifTool to process untrusted image files is affected.
💻 Affected Systems
- ExifTool
📦 What is this software?
Exiftool by Exiftool Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the ExifTool process, potentially leading to full system compromise, data theft, or ransomware deployment.
Likely Case
Local privilege escalation or remote code execution in web applications that process user-uploaded images using ExifTool.
If Mitigated
Limited impact if ExifTool runs in a sandboxed environment with minimal privileges and processes only trusted files.
🎯 Exploit Status
Proof-of-concept exploit code is publicly available in the GitHub gist references. The vulnerability is straightforward to exploit with minimal technical barriers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.38 and later
Vendor Advisory: https://github.com/exiftool/exiftool/commit/74dbab1d2766d6422bb05b033ac6634bf8d1f582
Restart Required: No
Instructions:
1. Download ExifTool version 12.38 or later from https://exiftool.org/.
2. Replace the existing ExifTool installation with the updated version.
3. Verify the patch by checking the version with 'exiftool -ver'.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation for file names before passing them to ExifTool, rejecting any names containing pipe characters or other shell metacharacters.
# Example Perl input validation: reject pipe, semicolon, ampersand, backtick,
# dollar sign and line breaks ($ is escaped so Perl does not try to interpolate it)
if ($filename =~ /[|;&`\$\n\r]/) { die "Invalid filename" }
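The same validation as an added Python example for an application that shells out to ExifTool (this is illustrative code written for this page, not part of ExifTool or the advisory). It assumes uploads land in a directory the application controls and that the exiftool binary is on PATH; the function and constant names are ours. It goes one step further than the Perl one-liner: rather than only filtering the user-supplied name, it generates a fresh storage name so the untrusted string never becomes a path at all.

```python
import re
import secrets
import subprocess
from pathlib import Path

# Rejected characters: the trailing '|' is the trigger for CVE-2022-23935
# (a file name ending in a pipe was treated by ExifTool as a command to open);
# the rest are shell metacharacters refused defensively, matching the
# advisory's Perl one-liner.
FORBIDDEN = re.compile(r"[|;&`$\n\r\0]")

# Extensions we are willing to keep on disk; anything else is stored as .bin.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "tif", "tiff", "webp", "heic"}


def filename_is_safe(name: str) -> bool:
    """True only for a plain base name with no metacharacters or path parts."""
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name:
        return False
    if name.startswith("-"):
        # A leading dash would be parsed by exiftool as an option, not a file.
        return False
    return FORBIDDEN.search(name) is None


def storage_name(original: str) -> str:
    """Discard the user-supplied name; keep only an allow-listed extension
    and generate the rest. Preferred mitigation: the untrusted string is
    never used as a path. (Constructed policy for this example.)"""
    ext = Path(original).suffix.lstrip(".").lower()
    if ext not in ALLOWED_EXT:
        ext = "bin"          # 'jpg|' or no extension both end up here
    return f"{secrets.token_hex(16)}.{ext}"


def run_exiftool(path, exiftool: str = "exiftool", timeout: int = 30) -> str:
    """Invoke exiftool on PATH without a shell and return its JSON output.

    Passing argv as a list stops *shell* injection, but it does not stop
    this bug: the pipe was opened by ExifTool itself, so the name check is
    what matters. Resolving the path also guarantees it cannot start with '-'.
    """
    path = Path(path).resolve()
    if not filename_is_safe(path.name):
        raise ValueError(f"rejected unsafe file name: {path.name!r}")
    proc = subprocess.run(
        [exiftool, "-json", str(path)],
        capture_output=True, text=True, timeout=timeout, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Constructed demonstration of the name checks; no exiftool call is made.
    for candidate in ("holiday.jpg", "holiday.jpg|", "a;b.jpg", "-ver"):
        print(f"{candidate!r:16} safe={filename_is_safe(candidate)}")
    print("stored as:", storage_name("evil.jpg|"))
```

Use storage_name() at upload time and run_exiftool() on the stored path; filename_is_safe() remains as a second line of defence for code paths that must keep the original name.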
Run ExifTool in Restricted Environment
Execute ExifTool with minimal privileges using chroot, containers, or sandboxing to limit potential damage from exploitation.
# Example using Docker
sudo docker run --rm -v $(pwd):/workdir exiftool exiftool /workdir/image.jpg
🧯 If You Can't Patch
- Disable or remove ExifTool from internet-facing systems until patching is possible.
- Implement network segmentation to isolate systems running vulnerable ExifTool versions from critical infrastructure.
🔍 How to Verify
Check if Vulnerable:
Check ExifTool version with 'exiftool -ver'. If version is lower than 12.38, the system is vulnerable.
Check Version:
exiftool -ver
Verify Fix Applied:
After updating, run 'exiftool -ver' to confirm version is 12.38 or higher. Test with a safe proof-of-concept to ensure command injection is prevented.
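The version check above, as an added Python example (not part of ExifTool or the advisory). It runs 'exiftool -ver' without a shell and compares the result against 12.38 as integer fields; the 12.38 threshold comes from the advisory, and the function names are ours. Comparing version strings lexicographically is a common mistake here: '9.99' sorts after '12.38' as text, so an old 9.x install would look patched.

```python
import re
import subprocess
from typing import Tuple

# First release that carries the fix for CVE-2022-23935 (from the advisory).
FIXED_VERSION = (12, 38)


def parse_version(text: str) -> Tuple[int, int]:
    """Parse 'exiftool -ver' output such as '12.38' or '12.40' into a tuple.

    ExifTool versions look like decimals, but string comparison misorders
    them ('9.99' > '12.38' as text). Integer fields compare unambiguously.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s*", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_patched(ver_output: str) -> bool:
    """True when the reported version is 12.38 or later."""
    return parse_version(ver_output) >= FIXED_VERSION


def installed_version(exiftool: str = "exiftool") -> str:
    """Ask the installed binary for its version (argv list, no shell)."""
    return subprocess.run(
        [exiftool, "-ver"], capture_output=True, text=True, check=True
    ).stdout.strip()


def check(exiftool: str = "exiftool") -> bool:
    """Print and return the patch status of the installed ExifTool."""
    ver = installed_version(exiftool)
    patched = is_patched(ver)
    status = "patched" if patched else "VULNERABLE, upgrade to 12.38 or later"
    print(f"ExifTool {ver}: {status}")
    return patched


if __name__ == "__main__":
    check()
```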
📡 Detection & Monitoring
Log Indicators:
- Unusual process spawns from ExifTool or Perl processes
- Error messages containing shell metacharacters in file names
- Failed command execution attempts in system logs
Network Indicators:
- Unexpected outbound connections from systems running ExifTool
- Command and control traffic patterns
SIEM Query:
Process creation where parent process contains 'exiftool' or 'perl' and command line contains shell metacharacters like |, ;, &, or `
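The SIEM rule above, implemented as an added Python example over a constructed sample of process-creation events (example code written for this page, not from any SIEM product or from the advisory). The key=value line format, field names and sample records are all constructed for the example; the rule itself is the one stated above: parent is exiftool or perl, and the new process's command line contains |, ;, & or `. The parent hints and metacharacter set are tuning points for a real deployment.

```python
import shlex
from typing import Dict, List

# Shell metacharacters named in the advisory's SIEM query.
META = set("|;&`")
# A parent that is ExifTool itself or the Perl interpreter running it.
PARENT_HINTS = ("exiftool", "perl")

# Constructed sample of process-creation events, one key=value record per
# line (a Sysmon/auditd-style feed flattened for the example; not real data).
SAMPLE_LOG = """\
ts=2024-05-01T09:00:00Z host=web1 parent_image=/usr/sbin/nginx parent_cmdline="nginx: worker" image=/usr/bin/perl cmdline="/usr/bin/perl /usr/bin/exiftool -json /uploads/holiday.jpg"
ts=2024-05-01T09:00:01Z host=web1 parent_image=/usr/bin/perl parent_cmdline="/usr/bin/perl /usr/bin/exiftool -json /uploads/upload.jpg" image=/bin/sh cmdline="/bin/sh -c 'logger test; cat /etc/hostname'"
ts=2024-05-01T09:05:00Z host=ops1 parent_image=/bin/bash parent_cmdline="bash -l" image=/bin/sh cmdline="/bin/sh -c 'ls | wc -l'"
ts=2024-05-01T09:06:00Z host=web1 parent_image=/usr/bin/perl parent_cmdline="/usr/bin/perl /usr/bin/exiftool -ver" image=/usr/bin/exiftool cmdline="exiftool -ver"
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record, honouring quoted values with spaces."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_suspicious(ev: Dict[str, str]) -> bool:
    """The advisory's rule: parent is exiftool/perl and the new process's
    command line carries a shell metacharacter."""
    parent = f"{ev.get('parent_image', '')} {ev.get('parent_cmdline', '')}".lower()
    if not any(hint in parent for hint in PARENT_HINTS):
        return False            # e.g. an operator's shell piping commands
    return any(ch in META for ch in ev.get("cmdline", ""))


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return the events that match the rule, in log order."""
    return [
        ev for ev in map(parse_event, log_text.splitlines())
        if ev and is_suspicious(ev)
    ]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"ALERT {alert['ts']} {alert['host']}: "
              f"{alert['parent_image']} -> {alert['cmdline']}")
```

Of the four constructed records only the second fires: the first is a normal exiftool invocation, the third has a pipe but an interactive shell as parent, and the fourth has a perl parent but no metacharacter.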
🔗 References
- https://gist.github.com/ert-plus/1414276e4cb5d56dd431c2f0429e4429
- https://github.com/exiftool/exiftool/commit/74dbab1d2766d6422bb05b033ac6634bf8d1f582