ImageMagick Security Issue
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: ImageMagick Security Issue
My suspicion is that you are still susceptible at 6.2.8 and would need to upgrade to a version that supports policy.xml and then add the new policies. The policies are just a means to restrict use of the offending files that could carry the malicious code.
But I will defer to the IM developers for a more specific answer.
Re: ImageMagick Security Issue
magick wrote:
> [..]
> Reminder, we have patched the reported exploits in ImageMagick 7.0.1-1 and ImageMagick 6.9.3-10 available sometime tomorrow. You'll still need to add
> <policy domain="path" rights="none" pattern="@*" />
> to your policy.xml configuration file to stop any indirect reads (e.g. @somefile).
I have upgraded to ImageMagick 6.9.3-10, but this makes me unsure if that is all I need to do to be safe? Or do I need to apply the policy mentioned above?
I have run the command mentioned some other place:
Code:
[root@server ~]# identify -list resource
Resource limits:
Width: 214.7MP
Height: 214.7MP
Area: 16.377GP
Memory: 7.626GiB
Map: 15.252GiB
Disk: unlimited
File: 49151
Thread: 8
Throttle: 0
Time: unlimited
[root@server ~]#
Code:
<policymap>
<!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
<!-- <policy domain="resource" name="memory" value="2GiB"/> -->
<!-- <policy domain="resource" name="map" value="4GiB"/> -->
<!-- <policy domain="resource" name="width" value="10MP"/> -->
<!-- <policy domain="resource" name="height" value="10MP"/> -->
<!-- <policy domain="resource" name="area" value="1GB"/> -->
<!-- <policy domain="resource" name="disk" value="16EB"/> -->
<!-- <policy domain="resource" name="file" value="768"/> -->
<!-- <policy domain="resource" name="thread" value="4"/> -->
<!-- <policy domain="resource" name="throttle" value="0"/> -->
<!-- <policy domain="resource" name="time" value="3600"/> -->
<!-- <policy domain="system" name="precision" value="6"/> -->
<policy domain="cache" name="shared-secret" value="passphrase"/>
</policymap>
Re: ImageMagick Security Issue
>Or do I need to apply the policy mentioned above?
As I read it, yes you need to do the update AND add that one policy line (as opposed to adding several policy lines with the unpatched version).
>is the path /usr/local/etc/ImageMagick-6/policy.xml the correct place to edit the policy file?
The path depends on the distribution. If you have a policy file at that location then it is almost certainly the right place. You can make sure by adding the new line, then running "convert -list policy" to see if the new policy has been consumed.
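An offline check for the policy line quoted above, as an added example (not code from this thread or from ImageMagick). It parses the file, so a commented-out entry like those in the posted policy.xml does not count as active; the function names and the abridged sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: abridged form of the policy.xml posted in the thread,
# where only the cache secret is live and everything else is commented out.
POSTED = """<policymap>
  <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
  <!-- <policy domain="resource" name="time" value="3600"/> -->
  <policy domain="cache" name="shared-secret" value="passphrase"/>
</policymap>"""

# Constructed failure mode: the line is in the file but inside a comment,
# so a plain text search finds it even though it has no effect.
COMMENTED = POSTED.replace(
    "</policymap>",
    '  <!-- <policy domain="path" rights="none" pattern="@*" /> -->\n</policymap>')

# The posted file with the line from the quoted reminder added for real.
FIXED = POSTED.replace(
    "</policymap>",
    '  <policy domain="path" rights="none" pattern="@*" />\n</policymap>')


def text_search_finds_it(xml_text):
    """What a grep-style check would report."""
    return 'pattern="@*"' in xml_text


def active_policies(xml_text):
    """Attributes of every live <policy>; the parser drops XML comments."""
    return [dict(p.attrib) for p in ET.fromstring(xml_text).iter("policy")]


def blocks_indirect_reads(xml_text):
    """True if a live policy gives no rights on the path pattern '@*'."""
    for p in active_policies(xml_text):
        # Keyword case is normalised here; that is a choice of this sketch.
        if (p.get("domain", "").lower() == "path"
                and p.get("rights", "").lower() == "none"
                and p.get("pattern") == "@*"):
            return True
    return False


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("commented", COMMENTED),
                        ("fixed", FIXED)):
        print(label, "text match:", text_search_finds_it(text),
              "live policy:", blocks_indirect_reads(text))
```

Where ImageMagick is installed, "convert -list policy", as suggested in the reply above, shows what was actually loaded.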
-
- Posts: 4
- Joined: 2016-05-05T10:22:50-07:00
- Authentication code: 1151
Re: ImageMagick Security Issue
Hi,
My company's security team has discovered the risk of web site hijacking from using ImageMagick and wants me to remove it because of the following article at http://www.theregister.co.uk/2016/05/03/imagemagick.
After checking our WordPress blog site, I see we are not using ImageMagick in binary but are using ImageMagick in .php files. Does the risk of hijacking apply when using ImageMagick in .php files?
If yes, is there a solution?
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: ImageMagick Security Issue
I believe so. If you are using PHP exec() calls or Imagick or one of the PHP APIs, they all rely upon Imagemagick and that is where the vulnerabilities reside. However, this has been patched in the current versions of Imagemagick and there are fixes in the policy.xml file that can be added to handle earlier versions. See viewtopic.php?f=4&t=29588
-
- Posts: 4
- Joined: 2016-05-05T10:22:50-07:00
- Authentication code: 1151
Re: ImageMagick Security Issue
Thank you for the response.
However, there is no policy.xml file in the WordPress sites. Also, none of the ImageMagick commands work (ex: convert -list policy) because it is not installed on the server.
I do see 2 files on the server inside a WordPress plugin; class-wp-image-editor-imagick.php and imagemagick.inc.php
Comments inside the files are :
* WordPress Imagick Image Editor
* @package WordPress
* @subpackage Image_Editor
* WordPress Image Editor Class for Image Manipulation through Imagick PHP Module
* @since 3.5.0
* @package WordPress
* @subpackage Image_Editor
* @uses WP_Image_Editor Extends class
* imagemagick.inc.php
*
* @author Frederic De Ranter
* @copyright Copyright 2008
* @version 0.4 (PHP4)
* @based on thumbnail.inc.php by Ian Selby (gen-x-design.com)
* @since NextGEN V1.0.0
Do I need to create a policy.xml file? If yes, any idea where?
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: ImageMagick Security Issue
What is your version of Imagemagick and platform?
Code:
convert -version
should tell you that.
If your version is too old, then there is no policy.xml. But that needs to be very ancient.
Code:
convert -list resource
will list your policy values on more current versions of IM.
-
- Posts: 4
- Joined: 2016-05-05T10:22:50-07:00
- Authentication code: 1151
Re: ImageMagick Security Issue
When I try the convert command I get the following.
# convert -list resource
zsh: command not found: convert
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: ImageMagick Security Issue
Are you sure you have imagemagick installed?
Does
convert -version
work?
-
- Posts: 4
- Joined: 2016-05-05T10:22:50-07:00
- Authentication code: 1151
Re: ImageMagick Security Issue
Here is what I get.
# convert -version
zsh: command not found: convert
Re: ImageMagick Security Issue
fmw42 wrote:
> I believe that he means
> Code:
> convert -list resource
That may work too, but I did mean "policy" as it shows the results of the lines added to the policy file. I used it as a way to confirm the additions had been read correctly.
Re: ImageMagick Security Issue
mtarkowski wrote:
> # convert -version
> zsh: command not found: convert
Sounds to me like you don't use imagemagick. Just because WP has files that mention IM, doesn't mean it is in use, just that it supports it. Your WP installation may use GD or some other image manipulation library. You may get some confirmation by running "phpinfo()" (within a php script) and looking if it indicates imagick being available.
Re: ImageMagick Security Issue
The information spread around this issue seems a bit cluttered so I need some clarifications. The vuln reporters have listed the following CVEs
* CVE-2016-3714 - Insufficient shell characters filtering leads to (potentially remote) code execution
  Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats.
* CVE-2016-3718 - SSRF
  It is possible to make HTTP GET or FTP request
* CVE-2016-3715 - File deletion
  It is possible to delete files by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading
* CVE-2016-3716 - File moving
  It is possible to move image files to file with any extension in any folder by using ImageMagick's 'msl' pseudo protocol
* CVE-2016-3717 - Local file read
  It is possible to get content of the files from the server by using ImageMagick's 'label' pseudo protocol
------------
There appears to be a policy.xml file to disable rights for certain coders. It seems this would address CVE-2016-3715, CVE-2016-3716, and CVE-2016-3717 is this correct?
------------
A previous posting listed two commits, but from what the vuln reporters are saying the current patches are incomplete for addressing the actual issue. Is this what we're waiting over the weekend for? Are those meant to address CVE-2016-3714 and CVE-2016-3718?
-------------
Thank you ahead of time for any and all responses.
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: ImageMagick Security Issue
frEEk wrote:
> fmw42 wrote:
> > I believe that he means
> > Code:
> > convert -list resource
> That may work too, but I did mean "policy" as it shows the results of the lines added to the policy file. I used it as a way to confirm the additions had been read correctly.
I have never heard of that command. I get:
Code:
convert -list policy
Path: /usr/local/etc/ImageMagick-6/policy.xml
Policy: Unrecognized
rights: None
Path: [built-in]
Policy: Undefined
rights: None