Home / server / Questions / 774808
In Process
ChrisInEdmonton
Asked: 2016-05-05 05:54:48 +0800 CST

How to verify installation of ImageMagick is not vulnerable to CVE-2016-3714

  • 772

CVE-2016-3714 was announced on May 3, 2016. This vulnerability unfortunately goes by the name, ImageTragick and has received some press (for example, this ArsTechnica article).

Until updated ImageMagick packages are released in the near future, we need a workaround. The workaround is fairly straight-forward. Simply use a policy file to disable the vulnerable coders. The policy file must look something like this:

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>

If a sysadmin has installed the policy.xml file shown above, how would they go about independently confirming that the installation of ImageMagick is no longer vulnerable?

security imagemagick

1 Answers

  1. Karim Valiev posted information to the oss-security mailing list, showing how to check the local install of ImageMagick to see if it is vulnerable.

    Create a file called exploit.mvg with the following contents:

    push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|ls "-la)'
pop graphic-context

    Then run the convert utility:

    $ convert exploit.mvg out.png

    If you see a local directory listing, your installation of ImageMagick is not sufficiently protected.

    • 2