ImageMagick Remote Code Execution Vulnerability (CVE-2016-3714)

Summary

    On Tuesday, May 3, 2016, the ImageMagick project announced a zero-day vulnerability (CVE-2016-3714) in the ImageMagick software. An attacker can exploit it to execute arbitrary code remotely, steal sensitive information and ultimately take over the server.

    ImageMagick is a powerful, robust, open-source image-processing package (similar to gd) that can read and write almost any type of image file. Many web services process user pictures with ImageMagick to resize, sharpen and rotate them.

    If a user uploads an image containing malicious content, this vulnerability allows the attacker to execute arbitrary code or commands on the server when that image is processed.

    When the ReadImage function in MagickCore/constitute.c encounters an HTTPS reference while parsing an image, ImageMagick fetches it through system() without filtering the user-controlled value that ends up in the shell command. That is the root cause of the vulnerability.

    The vulnerability exists in all versions earlier than ImageMagick 6.9.3-9, including the ImageMagick package shipped with Ubuntu. In version 6.9.3-9 itself the fix is incomplete.

Detection

Detection Tool: Imagemagick.sh

Detection Method: Run "bash Imagemagick.sh" on Linux; it prints "vulnerable" or "not vulnerable".

Solution

1 Disable the vulnerable ImageMagick coders by adding the following policy rules to the file /etc/ImageMagick/policy.xml:

[policy.xml snippet: shown as an image in the original, not reproduced here]

2 NGAF users should update their IPS rules to defend against attacks on this vulnerability.
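For the detection step and for solution item 1 together, here is an added shell script that is not the advisory's Imagemagick.sh: it audits an existing policy.xml for the coder restrictions published as the CVE-2016-3714 mitigation and can print that policy block for copy-and-paste. The script name im_policy_audit.sh is an assumption, and so is the coder list: the advisory names only HTTPS, and its own snippet did not survive as text, so the list is taken from the widely circulated mitigation policy.

```shell
#!/bin/sh
# Added example, not the advisory's Imagemagick.sh: audits an ImageMagick
# policy.xml for the coder restrictions published as the CVE-2016-3714
# mitigation, and prints that policy for copy-and-paste.
# The script name im_policy_audit.sh and the coder list below are
# assumptions; the advisory's own snippet did not survive as text.

# Coders the published mitigation disables (HTTPS is the one this advisory
# names; the others come from the same widely circulated policy).
VULN_CODERS="EPHEMERAL URL HTTPS MVG MSL"

# print_policy: emit the recommended <policymap> block.
print_policy() {
    printf '<policymap>\n'
    for c in $VULN_CODERS; do
        printf '  <policy domain="coder" rights="none" pattern="%s" />\n' "$c"
    done
    printf '</policymap>\n'
}

# policy_has_rule FILE CODER -> 0 if FILE has an active rule that sets
# rights="none" for CODER in the coder domain. Assumes one rule per line
# (the upstream policy.xml layout); same-line XML comments are stripped
# first so a commented-out rule does not count as protection.
policy_has_rule() {
    sed 's/<!--.*-->//g' "$1" \
      | grep -Ei '<policy[^>]*domain="coder"' \
      | grep -Ei 'rights="none"' \
      | grep -Eiq "pattern=\"$2\""
}

# check_policy FILE -> 0 when every coder in VULN_CODERS is disabled,
# 1 otherwise (the coders still enabled are named on stdout).
check_policy() {
    missing=""
    [ -r "$1" ] || { echo "not mitigated: cannot read $1"; return 1; }
    for c in $VULN_CODERS; do
        policy_has_rule "$1" "$c" || missing="$missing $c"
    done
    if [ -n "$missing" ]; then
        echo "not mitigated: coders still enabled in $1:$missing"
        return 1
    fi
    echo "mitigated: all listed coders disabled in $1"
}

# Usage: sh im_policy_audit.sh /etc/ImageMagick/policy.xml
#        sh im_policy_audit.sh --print > policy-snippet.xml
# With no argument nothing runs, so the functions can also be sourced.
case "${1:-}" in
    --print) print_policy ;;
    ?*)      check_policy "$1" ;;
esac
```

The audit reports "mitigated" rather than "not vulnerable" on purpose: the policy only blocks the affected coders, so a host that passes this check should still be upgraded past 6.9.3-9, which the advisory notes is itself not a complete fix.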