ImageMagick does not properly validate input before processing images using a delegate

Overview

ImageMagick does not properly validate user input before processing it using a delegate, which may lead to arbitrary code execution. This issue is also known as “ImageTragick”.

Description

CWE-20**: Improper Input Validation -**CVE-2016-3714

According to the researchers in a mailing list post:

Insufficient filtering for filename passed to delegate’s command allows remote code execution during conversion of several file formats.

ImageMagick allows to process files with external libraries. This feature is called ‘delegate’. It is implemented as a system() with command string (‘command’) from the config file delegates.xml with actual value for different params (input/output filenames etc). Due to insufficient %M param filtering it is possible to conduct shell command injection.

By causing a system to process an image with ImageMagick, an attacker may be able to execute arbitrary commands on a vulnerable system. A common vulnerable configuration would be a web server that allows image uploads that are subsequently processed with ImageMagick.

Exploit code for this vulnerability is publicly available, and according to the ImageTragick website, this vulnerability is already being exploited in the wild.

---

Impact

An unauthenticated remote attacker that can upload crafted image files may be able to execute arbitrary code in the context of the user calling ImageMagick.

---

Solution

Apply an Update

ImageMagick version 6.9.3-10 and 7.0.1-1 have been released to address these issues. Affected users should update to the latest version of ImageMagick as soon as possible.

However, affected users may also apply the following mitigations:

---

Verify Files and Disable Vulnerable Filters

The researchers suggest that this vulnerability may be mitigated by doing the following:

1. Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing.
2. Use a policy file to disable the vulnerable ImageMagick coders.

For more details, please see <https://imagetragick.com/&gt;

---

Vendor Information

250519

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Arch Linux Affected

Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CentOS Affected

Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux Affected

Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Affected

Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Affected

Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ImageMagick Affected

Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Affected

Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Affected

Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Affected

Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Affected

Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Affected

Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

openSUSE project Affected

Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 12 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base	9.3	AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal	7.3	E:POC/RL:OF/RC:C
Environmental	7.3	CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

• <https://imagetragick.com/&gt;
• https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
• <http://www.openwall.com/lists/oss-security/2016/05/03/18&gt;

Acknowledgements

The ImageTragick website credits Stewie and Nikolay Ermishkin of the Mail.Ru Security Team for discovering these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

CVE IDs:	CVE-2016-3714
Date Public:	2016-05-03 Date First Published: