
CVE-2016-3714 was announced on May 3, 2016. This vulnerability unfortunately goes by the name ImageTragick and has received some press (for example, this ArsTechnica article).

Until updated ImageMagick packages are released in the near future, we need a workaround. The workaround is fairly straightforward: simply use a policy file to disable the vulnerable coders. The policy file must look something like this:

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>

If a sysadmin has installed the policy.xml file shown above, how would they go about independently confirming that the installation of ImageMagick is no longer vulnerable?

  • It was not clear if I should ask here or on http://security.stackexchange.com/, but I believe this falls more into the realm of system administration than information security. I may be mistaken. – ChrisInEdmonton May 04 '16 at 13:55

1 Answer


Karim Valiev posted information to the oss-security mailing list, showing how to check the local install of ImageMagick to see if it is vulnerable.

Create a file called exploit.mvg with the following contents:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|ls "-la)'
pop graphic-context

Then run the convert utility:

$ convert exploit.mvg out.png

If you see a local directory listing, your installation of ImageMagick is not sufficiently protected.
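The behavioural test above tells you whether the running binary honours the policy; a sysadmin will usually also want a static check that the installed policy.xml actually denies all five coders named in the question, and a scriptable way to interpret the output of the convert test. The script below is an added example written for this page, not code from the question, the answer, or the ImageMagick project. It assumes the policy is the <policymap>/<policy domain="coder" rights="none" pattern="..."/> format shown in the question, that coder names are matched as written (so it treats a lowercase or misspelt pattern as missing rather than guessing), and it uses a constructed sample policy and constructed sample convert output so it runs offline. The directory-listing detector is a heuristic on "ls -l"-style permission strings, not an ImageMagick API.

```python
import re
import sys
import xml.etree.ElementTree as ET

# The coders the question's policy.xml disables. Each must appear with
# domain="coder" and rights="none" for the workaround to be complete.
VULNERABLE_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

# Constructed sample: an incomplete policy that forgets MVG and MSL and also
# carries an unrelated resource rule, which the check must ignore.
SAMPLE_POLICY_XML = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""

# Constructed sample: the complete policy from the question.
FULL_POLICY_XML = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""


def denied_coders(policy_xml: str) -> set:
    """Return the set of coder patterns the policy denies (rights="none")."""
    root = ET.fromstring(policy_xml)
    if root.tag != "policymap":
        raise ValueError("not an ImageMagick policy file: root is <%s>" % root.tag)
    denied = set()
    for policy in root.iter("policy"):
        if policy.get("domain") == "coder" and policy.get("rights") == "none":
            denied.add(policy.get("pattern", ""))
    return denied


def missing_coder_denials(policy_xml: str, required=VULNERABLE_CODERS) -> list:
    """List the required coders that the policy does not deny, in order."""
    denied = denied_coders(policy_xml)
    return [coder for coder in required if coder not in denied]


# Matches one "ls -la" style line: a type char followed by nine mode chars.
_LS_LINE = re.compile(r"^[-dlbcps][rwxsStT-]{9}", re.MULTILINE)


def looks_like_directory_listing(convert_output: str) -> bool:
    """Heuristic: did the convert run print something resembling 'ls -la'?

    A 'total N' header or permission strings at line start indicate the
    shell command embedded in the MVG file was executed, i.e. the policy
    did not protect the install. An error from convert does not match.
    """
    if re.search(r"^total \d+", convert_output, re.MULTILINE):
        return True
    return _LS_LINE.search(convert_output) is not None


def check_policy_file(path: str) -> list:
    """Read a policy.xml from disk and return the missing coder denials."""
    with open(path, encoding="utf-8") as fh:
        return missing_coder_denials(fh.read())


if __name__ == "__main__":
    # Usage: python check_policy.py /path/to/policy.xml
    # (the path to the active policy.xml is distribution specific; pass it in)
    if len(sys.argv) != 2:
        print("usage: %s <policy.xml>" % sys.argv[0])
        sys.exit(2)
    missing = check_policy_file(sys.argv[1])
    if missing:
        print("policy does NOT deny: %s" % ", ".join(missing))
        sys.exit(1)
    print("all %d coders denied" % len(VULNERABLE_CODERS))
```

The static check catches the common mistake of a policy file that is installed in the wrong place or edited incompletely, but it cannot tell you which policy.xml the binary actually loads; for that, run convert -list policy on the host and compare, then finish with the convert exploit.mvg test from the answer and feed its combined stdout/stderr to looks_like_directory_listing.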