ImageMagick critical remote execution vulnerability – CVE-2016-3714

What is ImageTragic !! (CVE-2016-3714 )

In a vulnerable environment , image magic commands will allow remote code execution during conversion of several file formats.

Which are the platforms affected ?

As per RedHat ,  RedHat 5 , 6 and 7 platforms are affected with this vulnerability.

How to check whether your platform is affected or not ?

Create a .mvg file with the following content and run the convert command as follows. If your platform is vulnerable then the convert command will be able to list the folder contents.

# vi exploit.mvg
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg";|ls "-la)'
pop graphic-context
[root@check-bug config]# convert exploit.mvg out1.png
total 172
drwxr-xr-x 2 root root  4096 May  5 04:52 .
drwxr-xr-x 4 root root  4096 Jun  2  2014 ..
-rw-r--r-- 1 root root  3447 Feb 10  2014 configure.xml
-rw-r--r-- 1 root root 11041 Feb 10  2014 delegates.xml
-rw-r--r-- 1 root root 46238 Jun 28  2009 english.xml
-rw-r--r-- 1 root root 49251 Jun 28  2009 francais.xml
-rw-r--r-- 1 root root  2403 Mar 24  2009 locale.xml
-rw-r--r-- 1 root root   369 May  5 04:42 out1.png
-rw-r--r-- 1 root root  1873 May  5 04:52 policy.xml
-rw-r--r-- 1 root root  9727 Feb 10  2014 type-ghostscript.xml
-rw-r--r-- 1 root root 13655 Feb 10  2014 type-windows.xml
-rw-r--r-- 1 root root   671 Feb 10  2014 type.xml
convert: unrecognized color `https://example.com/image.jpg"|ls "-la' @ color.c/GetColorInfo/965.
convert: no decode delegate for this image format `/tmp/magick-XXoEao8j' @ constitute.c/ReadImage/537.
convert: Non-conforming drawing primitive definition `fill' @ draw.c/DrawImage/3124.
[root@check-bug config]

How to Fix this vulnerability ?

  1. Upgrade your imagemagic packages to 6.9.3-10 or 7.0.1-1 ( As per imagemagic blog this bug patched and released in these versions : refer
  2. Apply the manual patch via policy.xml file.  Add additional policies for Imagemagic policy.xml file to disable processing of MVG, HTTPS, HTTP, URL, FTP, EPHEMERAL, and MSL commands within image files.

How to apply the manual patch via additional policies ?

Find policy.xml file on your distribution and add the following lines in <policymap> section of your policy.xml file.

# vi policy.xml
<policymap>
...
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
</policymap>

How to verify the fix ?

After updating the policy.xml file , re run the image magic convert command . If the bug fixed properly then convert command will fail to list the directories.

[root@check-bug config]#  convert exploit.mvg out2.png
convert: not authorized `/tmp/exploit.mvg' @ constitute.c/ReadImage/425.
convert: missing an image filename `out2.png' @ convert.c/ConvertImageCommand/2800.
[root@check-bug config]#

References :-

https://access.redhat.com/security/vulnerabilities/2296071

https://www.imagemagick.org/discourse-server/viewtopic.php?f=2&t=29594&hilit=CVE+2016+3714