CVE-2016-3714 - ImageMagick command execution analysis

ID MYHACK58:62201674516
Type myhack58
Reporter Anonymous
Modified 2016-05-07T00:00:00


ImageMagick is a very widely used image-processing program. Many vendors call it to process images, including scaling, cropping, watermarking, format conversion and more. Recently, however, researchers found that when a user-supplied image contains malformed content, it can trigger a command injection vulnerability.

Security researchers abroad even set up a dedicated website for it; it has to be said that foreigners really know how to have fun. Unlike the several earlier vulnerabilities that had their own "home page", this one really is different: it is a genuinely exploitable, high-quality bug, and a number of major vendors affected by it have also been reported on the WooYun main site. Let's analyze why it occurs.

0x01 Principle analysis

The CVEs related to this vulnerability are CVE-2016-3714, CVE-2016-3715, CVE-2016-3716 and CVE-2016-3717. The most serious is CVE-2016-3714; exploiting it can lead to remote command execution.

ImageMagick has a feature called delegate, whose role is to call external libs to handle files. The external lib is invoked by executing a command through the system's system command.

In ImageMagick's default configuration file we can see all of the delegates:

/etc/ImageMagick/delegates.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE delegatemap [
...
]>
<!--
Delegate command file.

Commands which specify

decode="in_format" encode="out_format"

specify the rules for converting from in_format to out_format These rules may be used to translate directly between formats.

Commands which specify only

decode="in_format"

specify the rules for converting from in_format to some format that ImageMagick will automatically recognize. These rules are used to decode formats.

Commands which specify only

encode="out_format"

specify the rules for an "encoder" which may accept any input format.

For delegates other than ps:, pcl:, and mpeg:* the substitution rules are as follows:

%i  input image filename
%o  output image filename
%u  unique temporary filename
%Z  unique temporary filename
%#  input image signature
%b  image file size
%c  input image comment
%g  image geometry
%h  image rows (height)
%k  input image number colors
%l  image label
%m  input image format
%p  page number
%q  input image depth
%s  scene number
%w  image columns (width)
%x  input image x resolution
%y  input image y resolution

Set option delegate:bimodal=true to process bimodal delegates otherwise they are ignored.

If stealth="True" the delegate is not listed in user requested "-list delegate" listings. These are typically special internal delegates.

If spawn="True" ImageMagick will not wait for the delegate to finish, nor will it read any output image. It will only wait for either the input file to be removed (See "ephemeral:" coder) indicating that the input file has been read, or a maximum time limit of 2 seconds.
-->
<delegatemap>
  <delegate decode="autotrace" stealth="True" command="&quot;convert&quot; &quot;%i&quot; &quot;pnm:%u&quot;\n&quot;autotrace&quot; -input-format pnm -output-format svg -output-file &quot;%o&quot; &quot;%u&quot;"/>
  <delegate decode="blender" command="&quot;blender&quot; -b &quot;%i&quot; -F PNG -o &quot;%o&quot;&quot;\n&quot;convert&quot; -concatenate &quot;%o*.png&quot; &quot;%o&quot;"/>
  <delegate decode="browse" stealth="True" spawn="True" command="&quot;xdg-open&quot;; rm &quot;%i&quot;"/>
  <delegate decode="cdr" command="&quot;uniconvertor&quot; &quot;%i&quot; &quot;%o.svg&quot;; mv &quot;%o.svg&quot; &quot;%o&quot;"/>
  <delegate decode="cgm" thread-support="False" command="&quot;ralcgm&quot; -d ps -oC &quot;%o&quot; 2&gt; &quot;%Z&quot;"/>
  <delegate decode="dvi" command="&quot;dvips&quot; -q -o &quot;%o&quot; &quot;%i&quot;"/>
  <delegate decode="dng:decode" command="&quot;ufraw-batch&quot; --silent --create-id=also --out-type=png --out-depth=16 &quot;--output=%u.png&quot; &quot;%i&quot;"/>
  <delegate decode="dot" command='"dot" -Tsvg "%i" -o "%o"' />
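
An added example, not part of the original article and not ImageMagick's own code: a small Python audit of a delegates.xml file that reports, for each delegate, which substitution tokens from the comment above end up in its command line and whether the template relies on shell syntax. The SAMPLE entries are constructed in the shape of the listing above, and treating %i, %c and %l as values controlled by whoever supplies the image is this example's assumption.

```python
import re
import xml.etree.ElementTree as ET

# Tokens from the substitution table in the delegates.xml comment.
TOKEN = re.compile(r"%[iouZ#bcghklmpqswxy]")
# Assumption of this example: these values come from whoever supplies the image.
UNTRUSTED = {"%i": "input image filename", "%c": "input image comment",
             "%l": "image label"}
# Shell syntax that only works when the command line is handed to a shell.
SHELL_SYNTAX = re.compile(r"[;|&<>`$]")

# Constructed sample in the shape of the listing above (not a full file).
SAMPLE = """<delegatemap>
  <delegate decode="dvi" command="&quot;dvips&quot; -q -o &quot;%o&quot; &quot;%i&quot;"/>
  <delegate decode="cdr" command="&quot;uniconvertor&quot; &quot;%i&quot; &quot;%o.svg&quot;; mv &quot;%o.svg&quot; &quot;%o&quot;"/>
  <delegate decode="browse" stealth="True" spawn="True" command="&quot;xdg-open&quot;; rm &quot;%i&quot;"/>
</delegatemap>"""


def audit_delegates(xml_text):
    """Return one finding per <delegate>: name, tokens used, review flags."""
    findings = []
    for elem in ET.fromstring(xml_text).iter("delegate"):
        command = elem.get("command", "")
        tokens = sorted(set(TOKEN.findall(command)))
        findings.append({
            "name": elem.get("decode") or elem.get("encode") or "(unnamed)",
            # stealth delegates are hidden from "-list delegate" output
            "stealth": elem.get("stealth", "").lower() == "true",
            "tokens": tokens,
            "untrusted": [t for t in tokens if t in UNTRUSTED],
            "shell_syntax": bool(SHELL_SYNTAX.search(command)),
        })
    return findings


if __name__ == "__main__":
    # Pass open("/etc/ImageMagick/delegates.xml").read() to audit a real file.
    for f in audit_delegates(SAMPLE):
        flags = [k for k in ("stealth", "shell_syntax") if f[k]]
        print(f"{f['name']:10} untrusted={f['untrusted']} "
              f"tokens={f['tokens']} flags={flags}")
```

Delegates that combine an untrusted token with shell syntax, or that are marked stealth, are the ones to review first when deciding which coders a service should accept.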
