
ImageMagick Detection

Published: 28 May 2009 00:00:00 | Reported by: Tenable | Type: nessus | Source: www.tenable.com

ImageMagick Installation Detection and Enumeration

##
# (C) Tenable, Inc.
##

include("compat.inc");

# Description pass: declares the plugin's metadata and prerequisites, then
# exits without touching the target. The detection logic further down runs
# only when 'description' is not set.
if (description)
{
  script_id(38949);
  script_version("1.18");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/04");

  script_xref(name:"IAVT", value:"0001-T-0636");

  script_name(english:"ImageMagick Detection");
  script_summary(english:"Checks for ImageMagick installs.");

  script_set_attribute(attribute:"synopsis", value:
"An image editing application is installed on the remote Windows host.");
  script_set_attribute(attribute:"description", value:
"ImageMagick is installed on the remote Windows host. ImageMagick is an
application for creating, editing, and composing bitmap images.");
  script_set_attribute(attribute:"see_also", value:"https://www.imagemagick.org/script/index.php");
  script_set_attribute(attribute:"solution", value:
"Check that the use of ImageMagick is in agreement with your
organization's security and acceptable use policies.");
  # Informational finding: the plugin reports presence and version only and
  # does not assert any vulnerability by itself.
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"2009/05/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  # Same CPE string that the detection code passes to register_install().
  script_set_attribute(attribute:"cpe", value:"cpe:/a:imagemagick:imagemagick");
  # Flags the result as software-inventory data.
  script_set_attribute(attribute:"asset_inventory", value:"True");
  script_set_attribute(attribute:"asset_inventory_category", value:"software_enumeration");
  script_set_attribute(attribute:"agent", value:"windows");
  script_end_attributes();

  # Information gathering only.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2009-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: the plugin is scheduled after smb_hotfixes.nasl and needs the
  # "SMB/Registry/Enumerated" KB key (presumably set by that dependency once the
  # registry has been read - confirm), plus an SMB port on the target.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  # End of the description pass.
  exit(0);
}

include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("install_func.inc");
include("spad_log_func.inc");

# Stop here unless the registry enumeration marker is present in the KB.
get_kb_item_or_exit("SMB/Registry/Enumerated");

var app = "ImageMagick";
var path = NULL;
var paths = NULL;             # install label (DisplayName) -> install directory
var display_version = FALSE;  # set when a version is taken from a DisplayName string

# DisplayName values of the entries under the HKLM Uninstall key, read from the KB.
var list = get_kb_list("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName");

if (!isnull(list))
{
  foreach var name (keys(list))
  {
    var prod = list[name];

    # Skip entries that do not mention ImageMagick. This is a substring match,
    # so any product whose DisplayName merely contains "ImageMagick" is kept
    # as a candidate and has to be weeded out by the file checks that follow.
    if (isnull(prod) || ("ImageMagick" >!< prod))
      continue;

    # The InstallLocation value of the same Uninstall entry sits next to the
    # DisplayName in the KB; swap the last path component to find it.
    # NOTE(review): the location is stored even when the KB has no
    # InstallLocation for this entry - confirm how a NULL path behaves below.
    var uninstall_location_kb = name - "/DisplayName" + "/InstallLocation";
    path = get_kb_item(uninstall_location_kb);
    paths[prod] = path;
  }
}

# Fallback for installs that left no Uninstall entry: walk the product's own
# registry key and collect the BinPath of every build found there.
if (isnull(paths))
{
  registry_init();
  var hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
  # NOTE(review): double-quoted NASL strings are not escape-processed, so these
  # key names carry doubled backslashes as written - confirm the registry
  # helpers accept that form.
  var base_key = "SOFTWARE\\ImageMagick";
  var subkeys = get_registry_subkeys(handle:hklm, key:base_key);

  if (!isnull(subkeys))
  {
    foreach var subkey (subkeys)
    {
      var key = base_key + "\\" + subkey;

      # Each subkey is probed for both a Q:8 and a Q:16 build; every BinPath
      # that exists is recorded under a label of the form
      # "ImageMagick <subkey> <Q:n>", the shape the DisplayName parser in the
      # version logic expects.
      foreach var depth (make_list('Q:8', 'Q:16'))
      {
        path = get_registry_value(handle:hklm, item:key + "\\" + depth + "\\BinPath");
        if (!isnull(path))
          paths['ImageMagick ' + subkey + ' ' + depth] = path;
      }
    }
  }
  RegCloseKey(handle:hklm);
  close_registry(close:FALSE);
}

# Neither source produced a candidate: report "not installed" and stop.
if (isnull(paths)) audit(AUDIT_NOT_INST, app);

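# Port the installs are registered and reported against. The KB value does not
# change during the run, so it is looked up once instead of once per branch.
var port = get_kb_item("SMB/transport");
if (!port) port = 445;

# Determine a version for every candidate install and register it.
foreach prod (keys(paths))
{
  # Reset for every install. The flag used to be set once and never cleared, so
  # a DisplayName fallback taken for an earlier install could decide whether a
  # later, unrelated install got registered.
  display_version = FALSE;

  # Depending on the version we need to check a different file.
  foreach var file (make_list('magick.exe', 'compare.exe', 'display.exe', 'stream.exe'))
  {
    var ret = FALSE;
    var exe = paths[prod] + '\\' + file;
    var fver = hotfix_get_fversion(path:exe);

    ret = hotfix_handle_error(error_code:fver['error'], file:exe, appname:app, exit_on_fail:FALSE);
    if (ret)
    {
      spad_log(message:ret);
      continue;
    }

    # It's possible the file version is off.
    # Let's check it against the product version.
    var pver = hotfix_get_pversion(path:exe);

    ret = hotfix_handle_error(error_code:pver['error'], file:exe, appname:app, exit_on_fail:FALSE);
    if (ret)
    {
      spad_log(message:ret);
      continue;
    }

    # If we got both then we are good.
    if (fver['error'] == 0 && pver['error'] == 0)
      break;
  }

  # Fall back to the version embedded in the install label when either version
  # could not be read, or when the major versions of the file version and the
  # product version disagree. The two tests stay separate so that the value
  # arrays are only looked at after both reads succeeded.
  var use_display_name = FALSE;
  if (fver['error'] != 0 || pver['error'] != 0)
    use_display_name = TRUE;
  else if (fver['value'][0] != substr(pver['value'],0,0))
    use_display_name = TRUE;

  var full_version = NULL;

  if (use_display_name)
  {
    # Caveat for consumers of this result: a version taken from the label is
    # whatever the registry says, not what the binaries on disk report, so it
    # is the less reliable of the two sources.
    var matches = pregmatch(pattern:"ImageMagick ([0-9.-]+) ", string:prod);
    if (isnull(matches))
    {
      spad_log(message:'Unable to parse product name \'' + prod + '\'.');
      continue;
    }

    full_version = matches[1];
    display_version = TRUE;
  }
  else
  {
    # Join the file version parts with "-" and turn only the first two
    # separators into dots, leaving the rest dash-separated.
    full_version = str_replace(string:join(sep:"-", fver["value"]), find:"-", replace:".", count:2);
  }

  if (isnull(full_version)) continue;

  # Version string handed to register_install(): dashes become dots.
  var vcf_version = NULL;

  if ("-" >< full_version)
  {
    # Parse version number. This should never error, but if it does let's continue to the next.
    if (isnull(pregmatch(pattern:"([0-9.]+)-([0-9]+)", string:full_version)))
    {
      spad_log(message:'Unable to parse full version \'' + full_version + '\'.');
      continue;
    }

    vcf_version = str_replace(string:full_version, find:'-', replace:'.');
  }
  else if (display_version)
  {
    # Label-derived version without a dash-separated part: use it as is.
    vcf_version = full_version;
  }
  else
  {
    # A file-derived version without a dash is not expected; log it rather
    # than dropping the install without a trace.
    spad_log(message:'Unexpected version format \'' + full_version + '\' for \'' + prod + '\'.');
    continue;
  }

  register_install(
    app_name        : app,
    path            : paths[prod],
    vendor          : "ImageMagick",
    product         : "ImageMagick",
    version         : vcf_version,
    display_version : full_version,
    port            : port,
    cpe             : "cpe:/a:imagemagick:imagemagick");
}

hotfix_check_fversion_end();

report_installs(app_name:app, port:port);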
