
Potential harmful printing of binary Exif metadata in terminal

Description

mat2 prints the values of Exif metadata fields, including binary ones, verbatim on the terminal (mat2 --show).

Depending on the terminal emulator in use, this can mess up the terminal settings or execute code. (Reference: https://security.stackexchange.com/questions/56307/can-cat-ing-a-file-be-a-potential-security-risk)

Exploit (Code Execution):

Here is an example JPG file with binary data in the comment field: Binary_data_in_Exif_Comment

In rxvt-unicode (urxvt) v9.22 showing the metadata of that file with mat2 --show results in the following:

[user:/tmp] % mat2 --show Binary_data_in_Exif_Comment.jpg 
[+] Metadata for Binary_data_in_Exif_Comment.jpg:
  Comment: 
^[G0
[user:/tmp] % 0
bash: command not found: 0

In this case, a binary named 0 does not exist on the system; however, it would have been executed without any user interaction if it had.

Suggested Fix

Filter or replace all non-printable characters of metadata before printing.
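One way to implement this suggestion, as an added example and not mat2's own code: decode each value leniently, then replace every character the terminal could interpret (C0 and C1 controls such as ESC, CSI and BEL, the newline that lets a value spoof further output lines, and Unicode format characters such as bidi overrides) with a visible backslash escape before it is printed. The payload bytes, the sample metadata dictionary and the function names below are constructed for the example.

```python
import unicodedata


def _escape_char(ch: str) -> str:
    """Render one non-printable character as a visible backslash escape."""
    cp = ord(ch)
    if cp < 0x100:
        return "\\x%02x" % cp
    if cp < 0x10000:
        return "\\u%04x" % cp
    return "\\U%08x" % cp


def sanitize_for_terminal(value) -> str:
    """Return a version of a metadata value that is safe to write to a terminal.

    bytes are decoded as UTF-8 with errors="backslashreplace", so undecodable
    bytes already show up as \\xNN instead of reaching the terminal raw.
    str.isprintable() is False for every Unicode "Other" (Cc, Cf, Cs, Co, Cn)
    and "Separator" (Zl, Zp, Zs) character except the ASCII space, which is
    exactly the set that can alter terminal state or spoof output, so those
    characters are escaped and everything else is passed through unchanged.
    """
    if isinstance(value, (bytes, bytearray)):
        text = bytes(value).decode("utf-8", errors="backslashreplace")
    else:
        text = str(value)
    return "".join(ch if ch.isprintable() else _escape_char(ch) for ch in text)


def format_metadata(filename: str, metadata: dict) -> list:
    """Build the lines mat2 --show would print, with every value sanitized."""
    lines = ["[+] Metadata for %s:" % sanitize_for_terminal(filename)]
    for key in sorted(metadata):
        lines.append("  %s: %s" % (sanitize_for_terminal(key),
                                   sanitize_for_terminal(metadata[key])))
    return lines


# Constructed sample: an Exif comment carrying an OSC title-set sequence,
# a bare ESC sequence followed by a newline (the pattern from the report),
# and a raw C1 CSI byte (0x9b) that is not valid UTF-8 on its own.
SAMPLE_METADATA = {
    "Comment": b"harmless text\x1b]0;owned\x07\x1bG0\n\x9b2J",
    "Make": "Canon",
    "Artist": "caf\u00e9 \u202eabc",  # U+202E right-to-left override (Cf)
}

if __name__ == "__main__":
    for line in format_metadata("sample.jpg", SAMPLE_METADATA):
        print(line)
    # Category check: every remaining character is printable.
    assert all(unicodedata.category(c) not in {"Cc", "Cf"}
               for line in format_metadata("sample.jpg", SAMPLE_METADATA)
               for c in line)
```

The sanitized output is still lossless for a human reader (every dropped control character is visible as an escape), and because the same function is applied to keys and to the filename, a crafted filename or tag name cannot bypass the filter either.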

System information

  • MAT2 0.4.0
  • perl-image-exiftool 11.11