ImageMagick Remote Code Execution Vulnerability

ImageMagick is a famous library open to process images, which supports many language (Perl, C++, PHP, Python, Ruby) and is used in millions of websites, including blogs, forums and CMS like Drupal or WordPress code.

Nikolay Ermishkin of Mail.Ru security team recently discovered multiple vulnerabilities (CVE-2016-3714 CVE-2016-3717) and notified developers that ImageMagick 6.9.3-9 tried to correct it in the version published on April 30 .

The exploit for this vulnerability is being used publicly vulnerabilities are:

  • CVE-2016-3714 – Insufficient filtering leads to shell characters (Potentially remote) code execution  

  • CVE-2016-3718 – SSRF – It is possible to GET HTTP or FTP requests.

  • CVE-2016-3715 – Delete files

  • CVE-2016-3716 – Move files

  • CVE-2016-3717 – Read local files. Reported by the original author of bug

An attacker create an exploit file and assign it an image extension, such as .png, in order to bypass the targeted site’s file type checks. They can upload the malformed images in an webserver that use ImageMagick processing libraries . Once magicbytes detect that it is not an actual .png, ImageMagick converts the file and the malicious code is executed in the process, allowing the attacker to gain access to the targeted server.

 Yahoo has awarded  California-based researcher Behrouz Sadeghipour $2000 for discovery of  ImageMagick vulnerability resides on  Polyvore, a community-powered social commerce website acquired by the yahoo last year. Yahoo was notified on May 4 and patched the vulnerability within three hours.


Proof of concept:


How to mitigate the vulnerability

Patches that completely address the flaws are not yet available.It is recommend to do these two things to mitigate these vulnerabilities :

1.Verify that magic bytes corresponding to the image file is as expected before sending them to magic trick for processing.

2.Add  the following code to the ImageMagick policy.xml file to disable the vulnerable Imagemagick coders.

  <Policy domain = "coder" rights = "none" pattern = "EPHEMERAL" />
  <Policy domain = "coder" rights = "none" pattern = "URL" />
  <Policy domain = "coder" rights = "none" pattern = "HTTPS" />
  <Policy domain = "coder" rights = "none" pattern = "MVG" />
  <Policy domain = "coder" rights = "none" pattern = "MSL" />
</ Policymap>

Leave a Reply

Your email address will not be published. Required fields are marked *


four × four =