FYI: ImageMagick Exploit


FYI: ImageMagick Exploit

Post by newser »

TL;DR: I *strongly* suggest that distributions start disabling PS, EPS, PDF
and XPS coders in policy.xml by default.

$ convert input.jpg output.gif
uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
http://openwall.com/lists/oss-security/2018/08/21/2

EDIT: Workaround here https://twitter.com/drezil1985/status/1 ... 1336469504

Re: FYI: ImageMagick Exploit

Post by magick »

ImageMagick best practices strongly encourage you to configure a security policy that suits your local environment. See https://www.imagemagick.org/script/security-policy.php for a detailed discussion. Relevant to this potential exploit in Ghostscript, you can restrict ImageMagick to only web-safe image formats with these policies:

<policy domain="delegate" rights="none" pattern="*" />
<policy domain="coder" rights="none" pattern="*" />
<policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />

If you just want to disable Ghostscript, use this policy:

<policy domain="coder" rights="none" pattern="{EPS,PS2,PS3,PS,PDF,XPS}" />

Re: FYI: ImageMagick Exploit

Post by Imaging »

One additional note if just the GS related coders are disabled: It appears that PS2 and PS3 coders need to be disabled as well per:

https://www.kb.cert.org/vuls/id/332928
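
An added example, not part of any post in this thread and not ImageMagick code: a small Python audit that reads policy.xml content and reports which of the Ghostscript-backed coders named above are not set to rights="none". It assumes that a later matching entry overrides an earlier one (as the web-safe policy above implies), that a coder matched by no entry is allowed, and that simple brace-and-glob matching is close enough to ImageMagick's; the function names and sample policies are constructed for illustration.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders the thread names as Ghostscript-backed.
GS_CODERS = ["EPS", "PS", "PS2", "PS3", "PDF", "XPS"]

def expand_braces(pattern):
    """Expand {A,B,C} alternation into plain glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    return [g for alt in m.group(1).split(",") for g in
            expand_braces(pattern[:m.start()] + alt.strip() + pattern[m.end():])]

def coder_rights(policy_xml, coder):
    """Rights in effect for a coder: a set, or None when no entry matches."""
    rights = None
    for p in ET.fromstring(policy_xml).iter("policy"):
        if p.get("domain", "").lower() != "coder":
            continue
        globs = expand_braces(p.get("pattern", ""))
        if any(fnmatch.fnmatchcase(coder, g) for g in globs):
            # Assumption: a later matching entry overrides an earlier one.
            names = {r.strip().lower() for r in p.get("rights", "").split("|")}
            rights = names - {"none", ""}
    return rights

def exposed_gs_coders(policy_xml):
    """Ghostscript-backed coders still usable under this policy."""
    # Assumption: a coder matched by no entry (None) is allowed by default.
    return [c for c in GS_CODERS if coder_rights(policy_xml, c) != set()]

# Constructed sample policies; the <policymap> wrapper is added for parsing.
WEB_SAFE = """<policymap>
<policy domain="delegate" rights="none" pattern="*" />
<policy domain="coder" rights="none" pattern="*" />
<policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
</policymap>"""
GS_ONLY = """<policymap>
<policy domain="coder" rights="none" pattern="{EPS,PS2,PS3,PS,PDF,XPS}" />
</policymap>"""
TLDR_ONLY = """<policymap>
<policy domain="coder" rights="none" pattern="{PS,EPS,PDF,XPS}" />
</policymap>"""

if __name__ == "__main__":
    for name, doc in [("web-safe", WEB_SAFE), ("gs-only", GS_ONLY), ("tl;dr", TLDR_ONLY)]:
        print(name, "->", exposed_gs_coders(doc) or "all blocked")
```

The third sample blocks only the four coders listed in the first post, so the audit reports PS2 and PS3 as still enabled.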