Imagemagick popen() shell vulnerability via filename

[Ganesha]

http://permalink.gmane.org/gmane.comp.s ... eral/19669

[snibgo]

Code: Select all

convert '|echo Hello > hello.txt;' null:

Vulnerability confirmed on IM v6.9.2-5, pre-built binary, on Windows 8.1.

[Ganesha]

Code: Select all

convert '|echo Hello > hello.txt;' null:

Vulnerability confirmed on IM v6.9.2-5, pre-built binary, on Windows 8.1.

Vulnerability also persists even in latest version ImageMagick 7.0.1-2

[snibgo]

The current v7 is v7.0.1-7. If the developers weren't aware of this problem, I imagine it is pervasive through many versions,

[magick]

Download ImageMagick 6.9.4-5 or 7.0.1-7 and add

• <policy domain="path" rights="none" pattern="|*" />

to your policy.xml configuration file. Now try your command:

• # convert '|echo Hello > hello.txt;' null:
  convert: not authorized `|echo Hello > hello.txt;' @ error/blob.c/OpenBlob/2451.
  convert: no decode delegate for this image format `TXT;' @ error/constitute.c/ReadImage/508.
  convert: no images defined `null:' @ error/convert.c/ConvertImageCommand/3235.

Don't have these releases? Grab the ImageMagick source and comment out

• #define MAGICKCORE_HAVE_POPEN 1

in magick-baseconfig.h and rebuild / reinstall ImageMagick. See https://www.imagemagick.org/discourse-s ... =4&t=26801 for details concerning the ImageMagick security policy.

[Bonzo]

So just to confirm the vulnerability is if the filename starts with a | e.g. |input.jpg

I assume the problem is if there is then code between the | and the filename that will be run before the file extension is reached. |echo Hello > hello.txt;

There is no problem if the filename is changed before it reaches IM?