CVE-2021-33564
Published: 2021-05-29
Priority: P189 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 72.25% (99.4th percentile)
An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dragonfly_project | dragonfly | < 1.4.0 | 1.4.0 |
| dragonfly_project | dragonfly | >= 0 < 1.4.0 | 1.4.0 |
Detection & IOCs
- url: /system/images/W1siZyIsICJjb252ZXJ0IiwgIi1zaXplIDF4MSAtZGVwdGggOCBncmF5Oi9ldGMvcGFzc3dkIiwgIm91dCJdXQ==
- url: /system/refinery/images/W1siZyIsICJjb252ZXJ0IiwgIi1zaXplIDF4MSAtZGVwdGggOCBncmF5Oi9ldGMvcGFzc3dkIiwgIm91dCJdXQ==

yara
```yara
rule CVE_2021_33564_Dragonfly_RCE {
    strings:
        $b64_path1 = "W1siZyIsICJjb252ZXJ0IiwgIi1zaXplIDF4MSAtZGVwdGggOCBncmF5Oi9ldGMvcGFzc3dkIiwgIm91dCJdXQ=="
    condition:
        $b64_path1
}
```
- Detect exploitation attempts by matching the base64-encoded payload in HTTP GET request paths targeting /system/images/ or /system/refinery/images/ endpoints. The payload decodes to a Dragonfly 'generate' job invoking ImageMagick convert with arbitrary arguments.
- A successful exploitation response will contain the /etc/passwd file content. Match HTTP 200 responses with the regex pattern 'root:.*:0:0:' in the body to confirm RCE/file-read.
- The vulnerability is triggered via crafted URL parameters passed to the Dragonfly generate/process features when verify_url is disabled, causing argument injection into the ImageMagick convert utility.
- Monitor for HTTP GET requests to /system/images/ or /system/refinery/images/ paths containing long base64-encoded strings that decode to JSON arrays starting with 'g' (generate) or 'p' (process) job types followed by 'convert' as the processor name.
- The vulnerability only exists when the verify_url option is disabled in the Dragonfly configuration. Installations with verify_url enabled are not affected by this attack vector.
- Affected versions are Dragonfly gem before 1.4.0 for Ruby. The fix was introduced in v1.4.0; ensure the gem is updated to at least this version.
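The monitoring note above, as an added example (not code from this page's sources or from the Dragonfly project): a Ruby log scanner that decodes the path segment after each listed prefix and flags job steps of type 'g' or 'p' that name `convert`, so encoded variants the fixed-string YARA rule would miss are still caught. The access-log format, the helper names and the tolerant base64 handling are assumptions, and the log lines are constructed.

```ruby
require "json"

# Path prefixes taken from the detection notes on this page.
PREFIXES = ["/system/images/", "/system/refinery/images/"].freeze
REQUEST  = /"GET (\S+) HTTP\/[\d.]+" (\d{3})/

# Decode one URL segment into job steps, or nil if it is not base64-encoded
# JSON. Accepting the URL-safe alphabet and missing padding is an assumption
# made here so that encoding variants are not missed.
def decode_job(segment)
  raw = segment.tr("-_", "+/").unpack1("m").force_encoding("UTF-8")
  return nil unless raw.valid_encoding?
  steps = JSON.parse(raw)
  steps.is_a?(Array) && steps.all?(Array) ? steps : nil
rescue JSON::ParserError
  nil
end

# Suspicious step: type generate ("g") or process ("p") with name "convert".
def convert_step?(step)
  %w[g p].include?(step[0]) && step[1] == "convert"
end

# Return one record per log line whose decoded job contains such a step.
def scan(lines)
  lines.each_with_index.filter_map do |line, i|
    path, status = line.match(REQUEST)&.captures
    prefix = PREFIXES.find { |p| path&.start_with?(p) }
    next unless prefix
    segment = path.delete_prefix(prefix).split(/[\/?]/).first.to_s
    hit = decode_job(segment)&.find { |s| convert_step?(s) }
    hit && { line: i + 1, status: status.to_i, args: hit[2] }
  end
end

# Constructed access-log lines (documentation IPs). The first path carries the
# indicator string listed on this page; the second is a benign thumbnail job.
IOC = "W1siZyIsICJjb252ZXJ0IiwgIi1zaXplIDF4MSAtZGVwdGggOCBncmF5Oi9ldGMvcGFzc3dkIiwgIm91dCJdXQ=="
BENIGN = [JSON.generate([["f", "2021/photo.jpg"], ["p", "thumb", "200x200"]])]
         .pack("m0").tr("+/", "-_").delete("=")
SAMPLE_LOG = [
  %(203.0.113.7 - - [29/Nov/2023:10:00:01 +0000] "GET /system/refinery/images/#{IOC} HTTP/1.1" 200 1432),
  %(198.51.100.4 - - [29/Nov/2023:10:00:02 +0000] "GET /system/images/#{BENIGN}/photo.jpg HTTP/1.1" 200 20480),
  %(198.51.100.4 - - [29/Nov/2023:10:00:03 +0000] "GET /system/images/logo.png HTTP/1.1" 404 0),
].freeze

scan(SAMPLE_LOG).each { |hit| puts hit }
```

Each record keeps the response status so hits answered with 200 can be triaged first, in line with the response-matching note above.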
CVSS provenance
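| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |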
GHSA
Dragonfly contains remote code execution vulnerability
ghsa·2021-06-02
CVE-2021-33564 [CRITICAL] CWE-88 Dragonfly contains remote code execution vulnerability
An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the `verify_url` option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
OSV
Dragonfly contains remote code execution vulnerability
osv·2021-06-02
CVE-2021-33564 [CRITICAL] Dragonfly contains remote code execution vulnerability
An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the `verify_url` option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
VulnCheck
dragonfly_project dragonfly Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
vulncheck·2021·CVSS 9.8
CVE-2021-33564 [CRITICAL] dragonfly_project dragonfly Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
Affected: dragonfly_project dragonfly
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-29&host_type=src&vulnerability=cve-202
No detection rules found.
Nuclei
Ruby Dragonfly <1.4.0 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2021-33564 [CRITICAL] Ruby Dragonfly <1.4.0 - Remote Code Execution
Ruby Dragonfly before 1.4.0 contains an argument injection vulnerability that allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
Template:
```yaml
id: CVE-2021-33564
info:
  name: Ruby Dragonfly <1.4.0 - Remote Code Execution
  author: 0xsapra
  severity: critical
  description: Ruby Dragonfly before 1.4.0 contains an argument injection vulnerability that allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and
```
Unit42
Network Security Trends: May-July 2021
blogs_unit42·2021-09-17
## Executive Summary
Unit 42 researchers continue to observe network security trends, tracking how cybercriminals take advantage of vulnerabilities in the real world. The following sections present our analysis of the most recently published vulnerabilities, including their severity and category distribution. Additionally, we provide insight into how the vulnerabilities are exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We highlight vulnerabilities ranked medium severity and above that were newly published from May-July 2021 in order to raise awareness of their active exploits in the wild. We then draw conclusions about the most commonly exploited vulnerabilities we observed attackers using, as well as the severity, category and
Authors: Yue Guan, Lei Xu
Published: September 17, 2021
https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5
https://github.com/markevans/dragonfly/compare/v1.3.0...v1.4.0
https://github.com/markevans/dragonfly/issues/513
https://github.com/mlr0p/CVE-2021-33564
https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/2021/CVE-2021-33564.yaml
https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/