FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ImageMagick -- multiple vulnerabilities

Affected packages
ImageMagick < 6.9.3.9_1,1
ImageMagick-nox11 < 6.9.3.9_1,1
7.0.0.0.b20150715 <= ImageMagick7 < 7.0.1.0_1
7.0.0.0.b20150715 <= ImageMagick7-nox11 < 7.0.1.0_1

Details

VuXML ID 0d724b05-687f-4527-9c03-af34d3b094ec
Discovery 2016-05-03
Entry 2016-05-06
Modified 2016-05-07

Openwall reports:

Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats. Any service which uses ImageMagick to process user supplied images and uses default delegates.xml / policy.xml, may be vulnerable to this issue.

It is possible to make ImageMagick perform a HTTP GET or FTP request

It is possible to delete files by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading.

It is possible to move image files to file with any extension in any folder by using ImageMagick's 'msl' pseudo protocol. msl.txt and image.gif should exist in known location - /tmp/ for PoC (in real life it may be web service written in PHP, which allows to upload raw txt files and process images with ImageMagick).

It is possible to get content of the files from the server by using ImageMagick's 'label' pseudo protocol.

References

CVE Name CVE-2016-3714
CVE Name CVE-2016-3715
CVE Name CVE-2016-3716
CVE Name CVE-2016-3717
CVE Name CVE-2016-3718
URL http://www.openwall.com/lists/oss-security/2016/05/03/18
URL https://imagetragick.com/