Kritische ExifTool-Schwachstelle ermöglicht Angreifern Kompromittierung von Macs durch einzelne bösartige Bilddateien

ExifTool Vulnerability The vulnerability stems from inconsistent input sanitization that allows tainted data to reach a dangerous execution sink. During their analysis, researchers identified a flaw in the SetMacOSTags function.

When ExifTool processes file creation dates on macOS, it utilizes the Spotlight system attribute MDItemFSCreationDate, which maps to the internal alias FileCreateDate. When metadata is processed, the current tag’s text content is assigned to the $val variable.

If the tag matches the file creation date attributes, this data flows directly into the SetMacOSTags function. While the filename parameter is properly escaped before hitting the system() sink, the date value ( $val ) is left completely unsanitized.

Technik und Auswirkungen

This allows an attacker to inject single quotes, breaking the command structure and executing arbitrary shell commands with the privileges of the user running ExifTool.

Payload Delivery Using ExifTool Vulnerability Directly writing a malformed date payload into FileCreateDate fails because ExifTool’s built-in PrintConvInv filter detects and rejects invalid date/time formatting.

To bypass this, attackers must leverage the -n flag, which forces ExifTool to accept raw, unformatted machine-readable data, skipping the sanitization step entirely.

Sicherheitslage und Risiko

The exploitation sequence relies on ExifTool’s copy mechanisms: Park the Payload: The attacker injects a malicious payload containing single quotes into an unrestrained source tag, such as DateTimeOriginal, using the -n flag.

Trigger the Execution: The attacker uses the -tagsFromFile feature to copy the tainted metadata from the source tag into FileCreateDate. Because the vulnerable code path only triggers during a copy operation, not a direct write this sequence successfully forces the unsanitized input into the system() sink.

ExifTool invokes the macOS /usr/bin/setfile command, and the injected single quotes allow the payload to execute seamlessly via command substitution. Following the disclosure, developers addressed the flaw in ExifTool version 13.50. The vulnerable 13.49 version relied on fragile string concatenation to build system commands.

Sicherheitslage und Risiko

The patch fundamentally alters this architecture into a dedicated System() wrapper. Instead of executing a concatenated string, the application now passes a secure list of arguments to the system call. This transition from string-form to list-form execution completely eliminates shell interpretation risks and removes the need for manual escaping routines.

Mitigations Organizations utilizing macOS for photo processing, asset management, or journalism workflows should implement the following defenses: Audit and upgrade all bulk image processing scripts and asset management applications to use ExifTool version 13.50 or later.

Scan macOS environments for third-party software that may contain older, embedded iterations of the ExifTool library. Isolate the processing of untrusted files within dedicated virtual environments that feature strictly limited storage and network access.

Enforce strict BYOD policies requiring active macOS endpoint protection before devices can access corporate networks.