[ale] Imagemagick exploit
Lightner, Jeff
JLightner at dsservices.com
Thu May 5 09:15:24 EDT 2016
After I saw that yesterday I looked into it a bit.
ImageMagick's site that has the mitigation is:
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
That says to update /etc/ImageMagick/policy.xml to add the following lines:
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
I did that on a RHEL7 system then ran the "convert -list policy" to verify it shows those in policy.
There was another link that had a way to test:
http://serverfault.com/questions/774808/how-to-verify-installation-of-imagemagick-is-not-vulnerable-to-cve-2016-3714
That had a response that said:
Karim Valiev posted information to the oss-security mailing list, showing how to check the local install of ImageMagick to see if it is vulnerable.
a) Create a file called exploit.mvg with the following contents:
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|ls "-la)'
pop graphic-context
b) Then run the convert utility:
$ convert exploit.mvg out.png
c) If you see a local directory listing, your installation of ImageMagick
is not sufficiently protected.
I created that file on atlema03 and ran with and without the updated policy.xml to verify it did the listing without the update but did not with the update.
I went to RedHat's site and they have a link on main access.redhat.com about this:
https://access.redhat.com/security/vulnerabilities/2296071
Title: ImageMagick Filtering Vulnerability - CVE-2016-3714
They provide a check script but all it is really doing is to see if you're running a vulnerable version and all versions are vulnerable since no Errata had been issued yet.
I found that neither RHEL5 nor RHEL6 has /etc/ImageMagick. Instead they appear to rely on /usr/lib64/ImageMagick/config (on x86_64; just /usr/lib/... if i386). The policy.xml exists in that directory on RHEL6, and modifying it there solves the issue. However, there is no policy.xml on RHEL5, and adding it manually doesn't help even though RHEL5 does have the issue, so it isn't clear how one would fix it on RHEL5 (except by getting a newer upstream version). Hopefully Red Hat is working on updates.
Of course this would all be true for CentOS and other distros based on RHEL.
Jeffrey C. Lightner
Sr. UNIX/Linux Administrator
DS Services of America, Inc.
2300 Windy Ridge Pkwy
Suite 600 N
Atlanta, GA 30339-8461
P: 678-486-3516
C: 678-772-0018
F: 678-460-3603
E: jlightner at dsservices.com
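An added check, written by the editor and not part of Jeff's message or of ImageMagick's own tooling: it reads a policy.xml, reports which of the four coders named in the forum post (EPHEMERAL, HTTPS, MVG, MSL) are still readable, and builds a variant of the Karim Valiev probe that touches a marker file instead of running ls -la, so the result can be checked without eyeballing a directory listing. The policy paths are the ones named in the post; the sample policy.xml texts and the marker path are constructed for illustration. Patterns are compared literally, so a wildcard entry like pattern="*" is not expanded.

```python
"""Audit an ImageMagick policy.xml for the CVE-2016-3714 coder mitigation.

Editor's example; not from the original post and not ImageMagick's code.
"""
import os
import xml.etree.ElementTree as ET

# The four coders the ImageMagick forum post says to disable.
REQUIRED_DENIED_CODERS = ("EPHEMERAL", "HTTPS", "MVG", "MSL")

# Locations named in the post: RHEL7 uses /etc/ImageMagick, RHEL6 ships
# the file under the library config directory (lib64 on x86_64, lib on i386).
CANDIDATE_POLICY_PATHS = (
    "/etc/ImageMagick/policy.xml",
    "/usr/lib64/ImageMagick/config/policy.xml",
    "/usr/lib/ImageMagick/config/policy.xml",
)

# Constructed samples. The "weak" one only blocks EPHEMERAL and explicitly
# grants read on MVG; the hardened one carries all four lines from the post.
WEAK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="read | write" pattern="MVG"/>
</policymap>
"""

HARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>
"""


def denied_coders(policy_xml):
    """Return the set of coder patterns that policy.xml denies read access to.

    ImageMagick applies every <policy> whose domain and pattern match, and a
    matching entry that lacks the requested right denies it, so any coder
    entry whose rights are "none" (or simply omit "read") blocks that coder.
    Patterns are taken literally here; globs are not expanded.
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for policy in root.iter("policy"):
        if policy.get("domain", "").strip().lower() != "coder":
            continue
        rights = policy.get("rights", "").strip().lower()
        if rights == "none" or "read" not in rights:
            denied.add(policy.get("pattern", ""))
    return denied


def missing_mitigations(policy_xml, required=REQUIRED_DENIED_CODERS):
    """Return, sorted, the required coders that policy.xml still allows."""
    denied = denied_coders(policy_xml)
    return sorted(c for c in required if c not in denied)


def find_policy_files(paths=CANDIDATE_POLICY_PATHS):
    """Return the candidate policy.xml paths that exist on this host."""
    return [p for p in paths if os.path.isfile(p)]


def build_probe_mvg(marker_path="/tmp/im_probe_marker"):
    """MVG probe adapted from the Karim Valiev test quoted in the post.

    The injected shell command is swapped from `ls -la` to `touch <marker>`
    (marker path is an assumed, constructed value). Run
    `convert probe.mvg out.png`; if the marker file appears afterwards, the
    coder policy is not protecting the install.
    """
    return (
        "push graphic-context\n"
        "viewbox 0 0 640 480\n"
        f"fill 'url(https://example.com/image.jpg\"|touch \"{marker_path})'\n"
        "pop graphic-context\n"
    )


if __name__ == "__main__":
    files = find_policy_files()
    if not files:
        print("no policy.xml found at the paths named in the post")
    for path in files:
        with open(path, encoding="utf-8") as fh:
            missing = missing_mitigations(fh.read())
        status = "OK" if not missing else "still allows " + ", ".join(missing)
        print(f"{path}: {status}")
    with open("probe.mvg", "w", encoding="utf-8") as fh:
        fh.write(build_probe_mvg())
    print("wrote probe.mvg; run: convert probe.mvg out.png && ls /tmp/im_probe_marker")
```

Running it on a RHEL7 box before and after the policy.xml edit should move the report from "still allows HTTPS, MSL, MVG" to "OK", and the marker file should stop appearing, which is the same before/after comparison Jeff describes above, just scriptable. On RHEL5, where no policy.xml exists, the script reports nothing to audit rather than pretending the host is safe.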
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Jim Kinney
Sent: Wednesday, May 04, 2016 2:15 PM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] Imagemagick exploit
Nice! Easy!
On Wed, 2016-05-04 at 11:30 -0400, Boris Borisov wrote:
http://www.theregister.co.uk/2016/05/04/imagemagick_exploits_in_the_wild/
_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo
--
James P. Kinney III
Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
http://heretothereideas.blogspot.com/