ImageMagick Security Issue

fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Location: Sunnyvale, California, USA

Re: ImageMagick Security Issue

Post by fmw42 »

My suspicion is that you are still susceptible at 6.2.8 and would need to upgrade to a version that supports policy.xml and then add the new policies. The policies are just a means to restrict use of the offending files that could carry the malicious code.

But I will defer to the IM developers for a more specific answer.
ditto
Posts: 27
Joined: 2012-10-12T10:23:43-07:00

Re: ImageMagick Security Issue

Post by ditto »

magick wrote:
> [..]
> Reminder, we have patched the reported exploits in ImageMagick 7.0.1-1 and ImageMagick 6.9.3-10 available sometime tomorrow. You'll still need to add
>   • <policy domain="path" rights="none" pattern="@*" />
> to your policy.xml configuration file to stop any indirect reads (e.g. @somefile).

I have upgraded to ImageMagick 6.9.3-10, but this makes me unsure whether that is all I need to do to be safe. Or do I need to apply the policy mentioned above?

I have run the command mentioned some other place:


[root@server ~]# identify -list resource
Resource limits:
  Width: 214.7MP
  Height: 214.7MP
  Area: 16.377GP
  Memory: 7.626GiB
  Map: 15.252GiB
  Disk: unlimited
  File: 49151
  Thread: 8
  Throttle: 0
  Time: unlimited
[root@server ~]#
And the bottom of the file /usr/local/etc/ImageMagick-6/policy.xml has this content:


<policymap>
  <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
  <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
  <!-- <policy domain="resource" name="map" value="4GiB"/> -->
  <!-- <policy domain="resource" name="width" value="10MP"/> -->
  <!-- <policy domain="resource" name="height" value="10MP"/> -->
  <!-- <policy domain="resource" name="area" value="1GB"/> -->
  <!-- <policy domain="resource" name="disk" value="16EB"/> -->
  <!-- <policy domain="resource" name="file" value="768"/> -->
  <!-- <policy domain="resource" name="thread" value="4"/> -->
  <!-- <policy domain="resource" name="throttle" value="0"/> -->
  <!-- <policy domain="resource" name="time" value="3600"/> -->
  <!-- <policy domain="system" name="precision" value="6"/> -->
  <policy domain="cache" name="shared-secret" value="passphrase"/>
</policymap>
Does this look good? Do I need to do anything else than what I have already done (I have upgraded to 6.9.3-10)? If so, is the path /usr/local/etc/ImageMagick-6/policy.xml the correct place to edit the policy file?
frEEk
Posts: 8
Joined: 2016-05-04T18:14:10-07:00

Re: ImageMagick Security Issue

Post by frEEk »

>Or do I need to apply the policy mentioned above?

As I read it, yes you need to do the update AND add that one policy line (as opposed to adding several policy lines with the unpatched version).

>is the path /usr/local/etc/ImageMagick-6/policy.xml the correct place to edit the policy file?

The path depends on the distribution. If you have a policy file at that location then it is almost certainly the right place. You can make sure by adding the new line, then running "convert -list policy" to see if the new policy has been consumed.
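An added example (not code from this thread or from the ImageMagick project) that does offline what frEEk describes: it parses a policy.xml the way ImageMagick does, so lines wrapped in <!-- --> like those in ditto's file do not count, reports which hardening policies are missing, and pulls the on-disk path out of "convert -list policy" output so you can confirm which file is actually read. The path policy is the one magick quoted above; the coder list (EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, PLT) follows the public ImageTragick guidance and is an assumption about what a given site needs. The sample files and the sample listing are constructed.

```python
"""Audit an ImageMagick policy.xml for the ImageTragick mitigations.

Added example for this thread; not ImageMagick project code.
Standard library only, so it runs where ImageMagick is not installed.
"""
import sys
import xml.etree.ElementTree as ET

# Policies to look for, as (domain, pattern). The path policy is the one
# quoted in the thread; the coder names follow the public ImageTragick
# guidance and are an assumption about what a particular site needs.
REQUIRED = (
    ("coder", "EPHEMERAL"),
    ("coder", "URL"),
    ("coder", "HTTPS"),
    ("coder", "MVG"),
    ("coder", "MSL"),
    ("coder", "TEXT"),
    ("coder", "SHOW"),
    ("coder", "WIN"),
    ("coder", "PLT"),
    ("path", "@*"),
)

# Constructed sample in the shape of ditto's file: every hardening line is
# inside an XML comment and therefore never takes effect.
COMMENTED_OUT_POLICY = """\
<policymap>
  <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
  <!-- <policy domain="coder" rights="none" pattern="EPHEMERAL" /> -->
  <policy domain="cache" name="shared-secret" value="passphrase"/>
</policymap>
"""

# Constructed sample with the mitigations actually enabled.
HARDENED_POLICY = """\
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <policy domain="path" rights="none" pattern="@*" />
  <policy domain="cache" name="shared-secret" value="passphrase"/>
</policymap>
"""

# Constructed sample of `convert -list policy` output, in the layout shown
# later in the thread: a "Path:" header per policy source, then its policies.
SAMPLE_LISTING = """\
Path: /usr/local/etc/ImageMagick-6/policy.xml
  Policy: Coder
    rights: None
    pattern: EPHEMERAL

Path: [built-in]
  Policy: Undefined
    rights: None
"""


def effective_policies(xml_text):
    """Return (domain, pattern, rights) for every live <policy> element.

    ElementTree drops XML comments while parsing, so a policy that exists
    only inside <!-- ... --> is, correctly, not reported as active.
    """
    root = ET.fromstring(xml_text)
    result = []
    for elem in root.iter("policy"):
        domain = (elem.get("domain") or "").lower()
        pattern = elem.get("pattern") or elem.get("name") or ""
        if domain == "coder":
            pattern = pattern.upper()  # compared case-insensitively here
        rights = (elem.get("rights") or "").lower()
        result.append((domain, pattern, rights))
    return result


def missing_mitigations(xml_text, required=REQUIRED):
    """List the required (domain, pattern) pairs not set to rights="none"."""
    denied = {(d, p) for d, p, r in effective_policies(xml_text) if r == "none"}
    return [req for req in required if req not in denied]


def policy_file_paths(listing):
    """Extract the on-disk policy files from `convert -list policy` output.

    Only paths listed here are consulted by ImageMagick; '[built-in]' is
    the compiled-in default, not a file you can edit.
    """
    paths = []
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("Path:"):
            path = line[len("Path:"):].strip()
            if path != "[built-in]":
                paths.append(path)
    return paths


def audit_file(path):
    """Audit a policy.xml on disk; returns the missing (domain, pattern) list."""
    with open(path, encoding="utf-8") as fh:
        return missing_mitigations(fh.read())


if __name__ == "__main__":
    # Usage: python audit_policy.py /usr/local/etc/ImageMagick-6/policy.xml
    for target in sys.argv[1:]:
        gaps = audit_file(target)
        print(target, "OK" if not gaps else
              "missing: " + ", ".join(f"{d}:{p}" for d, p in gaps))
```

Run it against the path that "convert -list policy" reports; a file that lists every required policy but still prints "missing" for one of them usually means the line is commented out or sits in a second policy.xml that ImageMagick does not read.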
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Location: Sunnyvale, California, USA

Re: ImageMagick Security Issue

Post by fmw42 »

> running "convert -list policy"

I believe that he means

convert -list resource
mtarkowski
Posts: 4
Joined: 2016-05-05T10:22:50-07:00

Re: ImageMagick Security Issue

Post by mtarkowski »

Hi,

My company's security team has discovered the risk of web site hijacking from using ImageMagick and wants me to remove it because of the following article at http://www.theregister.co.uk/2016/05/03/imagemagick.

After checking our WordPress blog site, I see we are not using ImageMagick in binary but are using ImageMagick in .php files. Does the risk of hijacking apply when using ImageMagick in .php files?

If yes, is there a solution?
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Location: Sunnyvale, California, USA

Re: ImageMagick Security Issue

Post by fmw42 »

I believe so. If you are using PHP exec() calls or Imagick or one of the PHP APIs, they all rely upon ImageMagick and that is where the vulnerabilities reside. However, this has been patched in the current versions of ImageMagick and there are fixes in the policy.xml file that can be added to handle earlier versions. See viewtopic.php?f=4&t=29588
mtarkowski
Posts: 4
Joined: 2016-05-05T10:22:50-07:00

Re: ImageMagick Security Issue

Post by mtarkowski »

Thank you for the response.

However, there is no policy.xml file in the WordPress sites. Also, none of the ImageMagick commands work (ex: convert -list policy) because it is not installed on the server.

I do see 2 files on the server inside a WordPress plugin; class-wp-image-editor-imagick.php and imagemagick.inc.php

Comments inside the files are:

* WordPress Imagick Image Editor
* @package WordPress
* @subpackage Image_Editor
* WordPress Image Editor Class for Image Manipulation through Imagick PHP Module
* @since 3.5.0
* @package WordPress
* @subpackage Image_Editor
* @uses WP_Image_Editor Extends class

* imagemagick.inc.php
*
* @author Frederic De Ranter
* @copyright Copyright 2008
* @version 0.4 (PHP4)
* @based on thumbnail.inc.php by Ian Selby (gen-x-design.com)
* @since NextGEN V1.0.0

Do I need to create a policy.xml file? If yes, any idea where?
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Location: Sunnyvale, California, USA

Re: ImageMagick Security Issue

Post by fmw42 »

What is your version of ImageMagick and platform?

convert -version

should tell you that.

If your version is too old, then there is no policy.xml. But that needs to be very ancient.

convert -list resource

will list your policy values on more current versions of IM.
mtarkowski
Posts: 4
Joined: 2016-05-05T10:22:50-07:00

Re: ImageMagick Security Issue

Post by mtarkowski »

When I try the convert command I get the following.

# convert -list resource
zsh: command not found: convert
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Location: Sunnyvale, California, USA

Re: ImageMagick Security Issue

Post by fmw42 »

Are you sure you have ImageMagick installed?

Does

convert -version

work?
mtarkowski
Posts: 4
Joined: 2016-05-05T10:22:50-07:00

Re: ImageMagick Security Issue

Post by mtarkowski »

Here is what I get.

# convert -version
zsh: command not found: convert
frEEk
Posts: 8
Joined: 2016-05-04T18:14:10-07:00

Re: ImageMagick Security Issue

Post by frEEk »

fmw42 wrote:
> I believe that he means
>
> convert -list resource

That may work too, but I did mean "policy" as it shows the results of the lines added to the policy file. I used it as a way to confirm the additions had been read correctly.
frEEk
Posts: 8
Joined: 2016-05-04T18:14:10-07:00

Re: ImageMagick Security Issue

Post by frEEk »

mtarkowski wrote:
> # convert -version
> zsh: command not found: convert

Sounds to me like you don't use ImageMagick. Just because WP has files that mention IM doesn't mean it is in use, just that it supports it. Your WP installation may use GD or some other image manipulation library. You may get some confirmation by running "phpinfo()" (within a php script) and looking if it indicates imagick being available.
cpwgem
Posts: 1
Joined: 2016-05-05T13:47:52-07:00

Re: ImageMagick Security Issue

Post by cpwgem »

The information spread around this issue seems a bit cluttered so I need some clarifications. The vuln reporters have listed the following CVEs

* CVE-2016-3714 - Insufficient shell characters filtering leads to (potentially remote) code execution
Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats.
* CVE-2016-3718 - SSRF
It is possible to make HTTP GET or FTP request
* CVE-2016-3715 - File deletion
It is possible to delete files by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading
* CVE-2016-3716 - File moving
It is possible to move image files to file with any extension in any folder by using ImageMagick's 'msl' pseudo protocol
* CVE-2016-3717 - Local file read
It is possible to get content of the files from the server by using ImageMagick's 'label' pseudo protocol
------------

There appears to be a policy.xml file to disable rights for certain coders. It seems this would address CVE-2016-3715, CVE-2016-3716, and CVE-2016-3717 is this correct?

------------

A previous posting listed two commits, but from what the vuln reporters are saying the current patches are incomplete for addressing the actual issue. Is this what we're waiting over the weekend for? Are those meant to address CVE-2016-3714 and CVE-2016-3718?

-------------

Thank you ahead of time for any and all responses.
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Location: Sunnyvale, California, USA

Re: ImageMagick Security Issue

Post by fmw42 »

frEEk wrote:
> fmw42 wrote:
> > I believe that he means
> >
> > convert -list resource
>
> That may work too, but I did mean "policy" as it shows the results of the lines added to the policy file. I used it as a way to confirm the additions had been read correctly.

I have never heard of that command. I get:


convert -list policy

Path: /usr/local/etc/ImageMagick-6/policy.xml
  Policy: Unrecognized
    rights: None 

Path: [built-in]
  Policy: Undefined
    rights: None 