ImageMagick critical remote code execution vulnerability – CVE-2016-3714

What is ImageTragick? (CVE-2016-3714)

In a vulnerable environment, ImageMagick commands allow remote code execution during conversion of several file formats.

Which platforms are affected?

As per Red Hat, Red Hat Enterprise Linux 5, 6 and 7 are affected by this vulnerability.

How to check whether your platform is affected?

Create a .mvg file with the following content and run the convert command as shown. If your platform is vulnerable, the convert command will list the folder contents.

# vi exploit.mvg
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg";|ls "-la)'
pop graphic-context
[root@host config]# convert exploit.mvg out1.png
total 172
drwxr-xr-x 2 root root  4096 May  5 04:52 .
drwxr-xr-x 4 root root  4096 Jun  2  2014 ..
-rw-r--r-- 1 root root  3447 Feb 10  2014 configure.xml
-rw-r--r-- 1 root root 11041 Feb 10  2014 delegates.xml
-rw-r--r-- 1 root root 46238 Jun 28  2009 english.xml
-rw-r--r-- 1 root root 49251 Jun 28  2009 francais.xml
-rw-r--r-- 1 root root  2403 Mar 24  2009 locale.xml
-rw-r--r-- 1 root root   369 May  5 04:42 out1.png
-rw-r--r-- 1 root root  1873 May  5 04:52 policy.xml
-rw-r--r-- 1 root root  9727 Feb 10  2014 type-ghostscript.xml
-rw-r--r-- 1 root root 13655 Feb 10  2014 type-windows.xml
-rw-r--r-- 1 root root   671 Feb 10  2014 type.xml
convert: unrecognized color `https://example.com/image.jpg"|ls "-la' @ color.c/GetColorInfo/965.
convert: no decode delegate for this image format `/tmp/magick-XXoEao8j' @ constitute.c/ReadImage/537.
convert: Non-conforming drawing primitive definition `fill' @ draw.c/DrawImage/3124.
[root@host config]#

How to fix this vulnerability?

  1. Upgrade your ImageMagick packages to 6.9.3-10 or 7.0.1-1 (as per the ImageMagick blog, the fix was released in these versions: refer
  2. Apply the manual patch via the policy.xml file. Add additional policies to ImageMagick's policy.xml file to disable processing of the MVG, HTTPS, HTTP, URL, FTP, EPHEMERAL and MSL coders within image files.

How to apply the manual patch via additional policies?

Find the policy.xml file on your distribution and add the following lines to the <policymap> section of that file.

# vi policy.xml
<policymap>
...
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="HTTP" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="FTP" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
</policymap>

How to verify the fix?

After updating the policy.xml file, re-run the ImageMagick convert command. If the fix is applied properly, convert will refuse the file as "not authorized" and will not list the directory.

[root@host config]# convert exploit.mvg out2.png
convert: not authorized `/tmp/exploit.mvg' @ constitute.c/ReadImage/425.
convert: missing an image filename `out2.png' @ convert.c/ConvertImageCommand/2800.
[root@host config]#
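Running convert against a crafted file is one way to verify the mitigation; another is to inspect policy.xml directly and confirm that every coder the fix above disables actually has a rights="none" entry. The following script is an added example written for this page, not part of the original post or of ImageMagick itself. It parses a policy.xml string with the standard library, honours glob-style patterns (so a pattern of "*" counts as covering every coder, which is an assumption about how ImageMagick matches patterns), and reports which of the seven coders from the manual patch are still enabled. The three policy files embedded below are constructed samples; check_policy_file() is a hypothetical helper for pointing the same check at a real file on disk.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders that the manual patch on this page disables in policy.xml.
REQUIRED_DISABLED = ("EPHEMERAL", "HTTPS", "HTTP", "URL", "FTP", "MVG", "MSL")

# Constructed sample: a policy.xml with no coder restrictions at all (vulnerable).
UNPATCHED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

# Constructed sample: the seven entries recommended above are present (mitigated).
PATCHED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="FTP" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

# Constructed sample: an admin applied only part of the fix (MVG and MSL still enabled).
PARTIAL_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="FTP" />
</policymap>"""


def disabled_coder_patterns(policy_xml: str) -> list:
    """Return the (upper-cased) pattern of every coder policy whose rights are "none"."""
    root = ET.fromstring(policy_xml)
    if root.tag != "policymap":
        raise ValueError("expected a <policymap> root element, got <%s>" % root.tag)
    patterns = []
    for policy in root.iter("policy"):
        # Only the coder domain matters for this vulnerability; skip resource/path/etc.
        if policy.get("domain", "").strip().lower() != "coder":
            continue
        # A policy that grants anything other than "none" does not disable the coder.
        if policy.get("rights", "").strip().lower() != "none":
            continue
        patterns.append(policy.get("pattern", "").strip().upper())
    return patterns


def is_coder_disabled(coder: str, patterns: list) -> bool:
    """True if any disabled pattern matches the coder name, glob-style ("*" matches all).
    Treating the pattern as a shell-style glob is an assumption made for this example."""
    return any(fnmatch.fnmatchcase(coder, pat) for pat in patterns if pat)


def missing_policies(policy_xml: str) -> list:
    """Return the required coders that policy_xml still leaves enabled, in the order
    the page lists them. An empty list means the manual patch is fully applied."""
    patterns = disabled_coder_patterns(policy_xml)
    return [c for c in REQUIRED_DISABLED if not is_coder_disabled(c, patterns)]


def check_policy_file(path: str) -> list:
    """Hypothetical helper: run the same check against a real policy.xml on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return missing_policies(fh.read())


if __name__ == "__main__":
    for label, sample in (("unpatched", UNPATCHED_POLICY),
                          ("partial", PARTIAL_POLICY),
                          ("patched", PATCHED_POLICY)):
        still_enabled = missing_policies(sample)
        status = "OK" if not still_enabled else "MISSING " + ", ".join(still_enabled)
        print("%-9s %s" % (label + ":", status))
```

On a real system, pass the path of the distribution's policy.xml to check_policy_file() and treat any non-empty result as "mitigation incomplete"; the convert-based test earlier on this page then confirms that ImageMagick actually loads that file.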

References:

https://access.redhat.com/security/vulnerabilities/2296071

https://www.imagemagick.org/discourse-server/viewtopic.php?f=2&t=29594&hilit=CVE+2016+3714