CVE-2016-3714: ImageMagick Improper Input Validation Vulnerability
First published: Tue May 03 2016(Updated: )
A vulnerability was found in ImageMagick. Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats. ImageMagick allows to process files with external libraries. This feature is called 'delegate'. It is implemented as a system() with command string ('command') from the config file delegates.xml with actual value for different params (input/output filenames etc). Due to insufficient %M param filtering it is possible to conduct shell command injection. One of the default delegate's command is used to handle https requests: "wget" -q -O "%o" "https:%M" where %M is the actual link from the input. It is possible to pass the value like `<a href="https://example.com">https://example.com</a>"|ls "-la` and execute unexpected 'ls -la'. (wget or curl should be installed).
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ImageMagick ImageMagick | <=6.9.3-9 | |
| ImageMagick ImageMagick | =7.0.0-0 | |
| ImageMagick ImageMagick | =7.0.1-0 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =15.10 | |
| Canonical Ubuntu Linux | =16.04 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| openSUSE Leap | =42.1 | |
| openSUSE openSUSE | =13.2 | |
| SUSE SUSE Linux Enterprise Server | =12 | |
| ImageMagick ImageMagick |
Remedy
http://git.imagemagick.org/repos/ImageMagick/blob/a01518e08c840577cabd7d3ff291a9ba735f7276/ChangeLog
Remedy
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.imagemagick.org/repos/ImageMagick/blob/a01518e08c840577cabd7d3ff291a9ba735f7276/ChangeLog
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00028.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00032.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00051.html
- http://packetstormsecurity.com/files/152364/ImageTragick-ImageMagick-Proof-Of-Concepts.html
- http://rhn.redhat.com/errata/RHSA-2016-0726.html
- http://www.debian.org/security/2016/dsa-3580
- http://www.debian.org/security/2016/dsa-3746
- http://www.openwall.com/lists/oss-security/2016/05/03/13
- http://www.openwall.com/lists/oss-security/2016/05/03/18
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.rapid7.com/db/modules/exploit/unix/fileformat/imagemagick_delegate
- http://www.securityfocus.com/archive/1/538378/100/0/threaded
- http://www.securityfocus.com/bid/89848
- http://www.securitytracker.com/id/1035742
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.440568
- http://www.ubuntu.com/usn/USN-2990-1
- https://access.redhat.com/security/vulnerabilities/2296071
- https://bugzilla.redhat.com/show_bug.cgi?id=1332492
- https://imagetragick.com/
- https://security.gentoo.org/glsa/201611-21
- https://www.exploit-db.com/exploits/39767/
- https://www.exploit-db.com/exploits/39791/
- https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
- https://www.imagemagick.org/script/changelog.php
- https://www.kb.cert.org/vuls/id/250519
- https://example.com
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1332630
- https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
- https://rhn.redhat.com/errata/RHSA-2016-0726.html
- https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726,
- https://imagemagick.org/archive/releases/;
- https://nvd.nist.gov/vuln/detail/CVE-2016-3714
- agent/type
- agent/first-publish-date
- agent/weakness
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-3714
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/author
- agent/severity
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/remedy
- agent/references
- agent/title
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- collector/nvd-cve
- vendor/imagemagick
- canonical/imagemagick imagemagick
- version/imagemagick imagemagick/6.9.3-9
- version/imagemagick imagemagick/7.0.0-0
- version/imagemagick imagemagick/7.0.1-0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/15.10
- version/canonical ubuntu linux/16.04
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/42.1
- canonical/opensuse opensuse
- version/opensuse opensuse/13.2
- vendor/suse
- canonical/suse suse linux enterprise server
- version/suse suse linux enterprise server/12