in security

ImageMagick: Remote execution vulnerability (CVE-2016–3714)

Several security vulnerabilities have been recently discovered for certain ImageMagick coders. Specifically, the vulnerabilities include possible remote code execution and the ability to render files on the local system.

Vulnerabilities disclosed on Tuesday affecting ImageMagick, a widely used open source software suite for image manipulation, pertain to a wide variety of users due to the sheer number of projects that rely on the ImageMagick library. Most notably, phpBB, vBulletin, MediaWiki, and Joomla use ImageMagick by default, while other software such as WordPress and Drupal can utilize the library as a plug-in, or may be enabled by default on a third-party installation script or VM deployment image.

The collection of vulnerabilities is collectively named “ImageTragick,” which is itself a new low in the recent plague of unnecessarily named security vulnerabilities.

The primary vulnerability, designed as CVE-2016-3714, creates the potential for remote code execution, as ImageMagick fails to properly sanitize special characters from user input. In cases where a file is passed to ImageMagick—such as a PDF, Microsoft Office, or OpenDocument file—the file is handed to an external library with appropriate command line options for processing, called “delegates” in ImageMagick.

An exploit for this vulnerability is publicly available and experts say it has already been leveraged in the wild.

ImageMagick developers attempted to patch the vulnerability with the release of versions 6.9.3-9 and 7.0.1-0 on April 30, but researchers say the fix is incomplete. Another patch will be included in ImageMagick 7.0.1-1 and 6.9.3-10, which are expected to become available by this weekend.

In the meantime, users have been advised to disable vulnerable coders by modifying their policy files. Another mitigation involves verifying that magic bytes correspond to image file types before sending the file to ImageMagick for processing.

How to mitigate the vulnerability ?

source : https://imagetragick.com/

If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities by doing at least one of these two things:

  1. Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing.
  2. Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”.

The below policy.xml example will disable the coders EPHEMERAL, URL, MVG, and MSL.

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>