Imagemagick popen() shell vulnerability via filename

Ganesha
Posts: 23
Joined: 2014-05-20T06:40:01-07:00
Authentication code: 6789

Imagemagick popen() shell vulnerability via filename

Post by Ganesha » 2016-05-31T00:34:21-07:00


snibgo
Posts: 12145
Joined: 2010-01-23T23:01:33-07:00
Authentication code: 1151
Location: England, UK

Re: Imagemagick popen() shell vulnerability via filename

Post by snibgo » 2016-05-31T01:51:35-07:00

Code:

    convert '|echo Hello > hello.txt;' null:

Vulnerability confirmed on IM v6.9.2-5, pre-built binary, on Windows 8.1.
snibgo's IM pages: im.snibgo.com

Ganesha
Posts: 23
Joined: 2014-05-20T06:40:01-07:00
Authentication code: 6789

Re: Imagemagick popen() shell vulnerability via filename

Post by Ganesha » 2016-05-31T02:09:02-07:00

snibgo wrote:

    Code:

        convert '|echo Hello > hello.txt;' null:

    Vulnerability confirmed on IM v6.9.2-5, pre-built binary, on Windows 8.1.

The vulnerability also persists even in the latest version, ImageMagick 7.0.1-2.

snibgo
Posts: 12145
Joined: 2010-01-23T23:01:33-07:00
Authentication code: 1151
Location: England, UK

Re: Imagemagick popen() shell vulnerability via filename

Post by snibgo » 2016-05-31T02:38:02-07:00

The current v7 is v7.0.1-7. If the developers weren't aware of this problem, I imagine it is pervasive through many versions.
snibgo's IM pages: im.snibgo.com

magick
Site Admin
Posts: 11062
Joined: 2003-05-31T11:32:55-07:00

Re: Imagemagick popen() shell vulnerability via filename

Post by magick » 2016-05-31T03:51:42-07:00

Download ImageMagick 6.9.4-5 or 7.0.1-7 and add

    <policy domain="path" rights="none" pattern="|*" />

to your policy.xml configuration file. Now try your command:

    # convert '|echo Hello > hello.txt;' null:
    convert: not authorized `|echo Hello > hello.txt;' @ error/blob.c/OpenBlob/2451.
    convert: no decode delegate for this image format `TXT;' @ error/constitute.c/ReadImage/508.
    convert: no images defined `null:' @ error/convert.c/ConvertImageCommand/3235.

Don't have these releases? Grab the ImageMagick source and comment out

    #define MAGICKCORE_HAVE_POPEN 1

in magick-baseconfig.h and rebuild / reinstall ImageMagick. See https://www.imagemagick.org/discourse-s ... =4&t=26801 for details concerning the ImageMagick security policy.

Bonzo
Posts: 2971
Joined: 2006-05-20T08:08:19-07:00
Location: Cambridge, England

Re: Imagemagick popen() shell vulnerability via filename

Post by Bonzo » 2016-05-31T03:58:10-07:00

So, just to confirm, the vulnerability is if the filename starts with a |, e.g. |input.jpg

I assume the problem is that if there is code between the | and the filename, it will be run before the file extension is reached: |echo Hello > hello.txt;

There is no problem if the filename is changed before it reaches IM?

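The following is an added example, not code from the thread or from the ImageMagick project. It covers both sides of what is discussed above: magick's mitigation (a `path` policy with `rights="none"` and pattern `|*` in policy.xml) and Bonzo's question about screening filenames before they reach IM. The first function audits a policy.xml document for such a rule; the second rejects a user-supplied filename that begins with `|`. The two policy.xml fragments are constructed samples, not copies of any installation's file, and `fnmatch` is used as an approximation of ImageMagick's own glob matching (for the `|*` pattern the two agree).

```python
"""Defender-side checks for the ImageMagick '|command' filename issue.

1. pipe_paths_denied(): does policy.xml contain a path policy that denies
   filenames beginning with '|'?  (the mitigation magick posted)
2. is_safe_input_filename(): reject an untrusted filename that begins
   with '|' before it is handed to convert/magick.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample policy.xml fragments (not copied from any installation).
POLICY_WITH_PIPE_BLOCK = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="path" rights="none" pattern="|*" />
</policymap>
"""

POLICY_WITHOUT_PIPE_BLOCK = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
</policymap>
"""


def pipe_paths_denied(policy_xml: str) -> bool:
    """Return True if some <policy domain="path" rights="none"> entry has a
    pattern that matches a filename starting with '|'.

    fnmatch stands in for ImageMagick's glob matcher; for the '|*' pattern
    recommended in the thread the result is the same.
    """
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        if policy.get("domain") != "path":
            continue
        if policy.get("rights", "").strip().lower() != "none":
            continue
        pattern = policy.get("pattern", "")
        # '|x' is a probe standing in for any pipe-prefixed filename.
        if fnmatch.fnmatchcase("|x", pattern):
            return True
    return False


def is_safe_input_filename(name: str) -> bool:
    """Reject a filename ImageMagick would hand to popen() (leading '|').

    Apply this to the exact string that will be passed to convert, i.e.
    after any path manipulation your application does, not before.
    """
    return not name.startswith("|")


if __name__ == "__main__":
    print(pipe_paths_denied(POLICY_WITH_PIPE_BLOCK))         # True
    print(pipe_paths_denied(POLICY_WITHOUT_PIPE_BLOCK))      # False
    print(is_safe_input_filename("input.jpg"))               # True
    print(is_safe_input_filename("|echo Hello > hello.txt;"))  # False
```

The policy audit is a configuration check you can run against a deployed policy.xml; the filename guard is the application-layer answer to Bonzo's question, and is a complement to the policy rather than a replacement for it, since the policy also covers filenames that never pass through your own code.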