from Hacker News

Remote Code Execution in ImageMagick (CVE-2016-3714)

by jwise0 on 5/3/16, 5:03 PM with 8 comments

  • by asteadman on 5/3/16, 7:00 PM

    I assume Lambda is affected? According to http://docs.aws.amazon.com/lambda/latest/dg/current-supporte..., Lambda functions have access to ImageMagick-6.7.8.9. I'm not sure how you can specify a policy file in such an environment.
  • by michaelmcmillan on 5/3/16, 7:22 PM

  • by chatmasta on 5/3/16, 6:41 PM

    The article doesn't reveal much, but judging from the list of vulnerable coders and the fact that the ImageMagick forum post references the delegates.xml file, I imagine the exploit allows users to create their own delegate [0], then upload an image that causes that delegate to be called. My guess is that the exploit is two parts: 1) appending a line to the delegates.xml file by exploiting a vulnerable coder, and 2) exploiting the custom delegate you create.

    Delegates seem very dangerous and there are all sorts of ways to exploit a custom delegate.

    I'm surprised we haven't seen more ImageMagick vulnerabilities... it's a really old library with a massive codebase supporting tons of file formats and arbitrary command chaining. And it's often called by higher level languages via functions like `system()` or `shell()` where developers could easily neglect to "properly sanitize" user inputs, since what those "inputs" can be is so wide ranging.

    [0] http://www.imagemagick.org/Usage/files/#delegates

    EDIT:

    Looks like I was right... check out this commit from 3 days ago:

    https://github.com/ImageMagick/ImageMagick/commit/06c41aba39...

    "Sanitize input filename for http / https delegates"

    So presumably the attack is to set the "filename" property of a file such that when including '%f' in a command, the filename breaks the shell command and inserts its own arbitrary code.

    EDIT 2:

    A reddit user also linked to this critical line: https://github.com/ImageMagick/ImageMagick/blob/e93e339c0a44...

    So the process would be something like this:

    1) Create file with name e.g. evilserver.com/funnycat';rm-rf/;.gif hosted on remote server

    2) Somehow instruct vulnerable ImageMagick install to download evilserver.com/funnycat';rm-rf/;.gif

    3) Assume 99% chance that the render command on server will include %f, which is unsanitized, and will cause rm -rf / to execute

    I'm a bit confused on step (2)... how do you tell ImageMagick to download a file? Will this only affect installations that are explicitly downloading untrusted URLs from users? Like if imgur "upload via URL" fed the URL directly to ImageMagick, it would be vulnerable...
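Added example, not code from the thread or from the ImageMagick project: three defender-side checks for the concerns raised above (asteadman's policy file question and the unsanitized filename reaching a delegate command). `undenied_coders` audits a policy.xml for the coder denials the CVE-2016-3714 advisory recommended, `sniff_format` rejects uploads whose bytes do not match their claimed format, and `safe_filename` refuses names carrying shell metacharacters. The function names, `SAFE_NAME` pattern and `SAMPLE_POLICY` are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Coders whose policy.xml denial was the first advisory mitigation for
# CVE-2016-3714 (later guidance added TEXT, SHOW, WIN and PLT as well).
RISKY_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}

# Leading bytes for the upload formats we accept; anything else is rejected
# before ImageMagick ever sees it, whatever extension the filename claims.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Allowlist for a filename that could be substituted into a delegate
# command (%f); quotes, semicolons and spaces never pass (assumed policy).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

def sniff_format(data: bytes):
    """Return the accepted format whose magic bytes match, else None."""
    for fmt, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    return None

def safe_filename(name: str) -> bool:
    """True only if the name is plain enough to reach a delegate command."""
    return SAFE_NAME.fullmatch(name) is not None

def undenied_coders(policy_xml: str) -> set:
    """Return risky coders that policy.xml does not set to rights="none"."""
    denied = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights") == "none":
            denied.add(pol.get("pattern", "").upper())
    return RISKY_CODERS - denied

# Constructed sample policy.xml that is missing two of the five denials.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
</policymap>"""

# Constructed uploads: a real GIF header versus a file that only ends in .gif.
REAL_GIF = b"GIF89a" + b"\x00" * 10
FAKE_GIF = b"not an image at all"
```

Run the audit against the real `policy.xml` of the ImageMagick install (on Lambda or elsewhere) and treat any non-empty result from `undenied_coders` as a finding.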