[ale] Imagemagick exploit

Lightner, Jeff JLightner at dsservices.com
Thu May 5 09:15:24 EDT 2016


After I saw that yesterday I looked into it a bit.

ImageMagick's site that has the mitigation is:
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

That says to update /etc/ImageMagick/policy.xml to add the following lines:
      <policy domain="coder" rights="none" pattern="EPHEMERAL" />
      <policy domain="coder" rights="none" pattern="HTTPS" />
      <policy domain="coder" rights="none" pattern="MVG" />
      <policy domain="coder" rights="none" pattern="MSL" />

I did that on a RHEL7 system, then ran "convert -list policy" to verify it shows those in the policy.

There was another link that had a way to test:
http://serverfault.com/questions/774808/how-to-verify-installation-of-imagemagick-is-not-vulnerable-to-cve-2016-3714

That had a response that said:
Karim Valiev posted information to the oss-security mailing list, showing how to check the local install of ImageMagick to see if it is vulnerable.
a) Create a file called exploit.mvg with the following contents:
           push graphic-context
           viewbox 0 0 640 480
           fill 'url(https://example.com/image.jpg"|ls "-la)'
           pop graphic-context
b) Then run the convert utility:
           $ convert exploit.mvg out.png
c) If you see a local directory listing, your installation of ImageMagick is not sufficiently protected.

I created that file on atlema03 and ran with and without the updated policy.xml to verify it did the listing without the update but did not with the update.

I went to RedHat's site and they have a link on main access.redhat.com about this:
https://access.redhat.com/security/vulnerabilities/2296071

Title:   ImageMagick Filtering Vulnerability - CVE-2016-3714
They provide a check script, but all it is really doing is to see if you're running a vulnerable version, and all versions are vulnerable since no Errata had been issued yet.

I found that neither RHEL5 nor RHEL6 has /etc/ImageMagick. Instead they appear to rely on /usr/lib64/ImageMagick/config (on x86_64; just /usr/lib/.. if i386). The policy.xml exists in that directory on RHEL6, and modifying it there solves the issue. However, there is no policy.xml on RHEL5, and adding it manually doesn't help even though RHEL5 does have the issue, so it isn't clear how one would fix it on RHEL5 (except by getting a newer upstream version). Hopefully RedHat is working on updates.

Of course this would all be true for CentOS and other distros based on RHEL.

Jeffrey C. Lightner
Sr. UNIX/Linux Administrator

DS Services of America, Inc.
2300 Windy Ridge Pkwy
Suite 600 N
Atlanta, GA  30339-8461

P: 678-486-3516
C: 678-772-0018
F: 678-460-3603
E: jlightner at dsservices.com
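A small check for the policy.xml mitigation described above, added here as an example and not part of the original post or of ImageMagick's own tooling. It parses a policy.xml and reports which of the four coder denials (EPHEMERAL, HTTPS, MVG, MSL) are still missing; it assumes ImageMagick treats pattern as a case-insensitive glob, so a line such as pattern="M*" is taken to cover both MVG and MSL, and the two embedded policy files are constructed samples.

```python
import fnmatch
import sys
import xml.etree.ElementTree as ET

# The four coder denials the ImageMagick forum post tells admins to add.
REQUIRED_DENIED_CODERS = ("EPHEMERAL", "HTTPS", "MVG", "MSL")

# Constructed sample: a policy.xml with only resource limits, as before the edit.
UNPATCHED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>
"""

# Constructed sample: the same file after adding the mitigation lines.
PATCHED_POLICY = UNPATCHED_POLICY.replace("</policymap>", """\
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>""")

def deny_patterns(policy_xml):
    """Return the coder patterns (upper-cased) that policy.xml grants no rights to."""
    root = ET.fromstring(policy_xml)
    patterns = []
    for pol in root.iter("policy"):
        if pol.get("domain", "").strip().lower() != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        pattern = pol.get("pattern", "").strip()
        if pattern:
            patterns.append(pattern.upper())
    return patterns

def missing_mitigations(policy_xml):
    """Required coders that no rights="none" coder pattern covers.

    Assumption: patterns are case-insensitive globs, so "M*" covers MVG and MSL.
    """
    denies = deny_patterns(policy_xml)
    return [c for c in REQUIRED_DENIED_CODERS
            if not any(fnmatch.fnmatchcase(c, p) for p in denies)]

if __name__ == "__main__":
    # Default path is the RHEL7 location mentioned above; pass another as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ImageMagick/policy.xml"
    with open(path) as fh:
        gaps = missing_mitigations(fh.read())
    print("still allowed: " + ", ".join(gaps) if gaps else "all four coder denials present")
```

On RHEL5/RHEL6 point it at the policy.xml under /usr/lib64/ImageMagick/config (or /usr/lib/... on i386) instead.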

From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Jim Kinney
Sent: Wednesday, May 04, 2016 2:15 PM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] Imagemagick exploit

Nice! Easy!

On Wed, 2016-05-04 at 11:30 -0400, Boris Borisov wrote:

http://www.theregister.co.uk/2016/05/04/imagemagick_exploits_in_the_wild/

_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

--
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://heretothereideas.blogspot.com/