Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CABi+pA7xDJhirUFbrVZQkwMnFj--zbNJA8_Aoq-SiJx0QNcsoA@mail.gmail.com>
Date: Tue, 3 May 2016 10:59:12 -0700
From: Ryan Huber <rhuber@...il.com>
To: oss-security@...ts.openwall.com
Subject: ImageMagick Is On Fire -- CVE-2016-3714

There are multiple vulnerabilities in ImageMagick, a package commonly
used by web services to process images. One of the vulnerabilities can
lead to remote code execution (RCE) if you process user submitted
images. The exploit for this vulnerability is being used in the wild.

A number of image processing plugins depend on the ImageMagick
library, including, but not limited to, PHP's imagick, Ruby's rmagick
and paperclip, and nodejs's imagemagick.

If you use ImageMagick or an affected library, we recommend you
mitigate the known vulnerabilities by doing at least one these two
things (but preferably both!):

1. Verify that all image files begin with the expected "magic bytes"
corresponding to the image file types you support before sending them
to ImageMagick for processing. (see FAQ for more info)

2. Use a policy file to disable the vulnerable ImageMagick coders. The
global policy for ImageMagick is usually found in "/etc/ImageMagick".
This policy.xml example will disable the coders EPHEMERAL, URL, MVG,
and MSL.

Github Gist showing an example policy file:
https://gist.github.com/rawdigits/d73312d21c8584590783a5e07e124723

FAQ

Who found this bug?

Stewie (https://hackerone.com/stewie) found the initial bug, and
Nikolay Ermishkin (https://twitter.com/__sl1m) from the Mail.Ru
Security Team found additional issues, including the RCE.

Will you share the exploit with me?

No. We would like to give people a chance to patch before it is more
widely available. The exploit is trivial, so we expect it to be
available within hours of this post. Updates and PoC will eventually
be available here.

Are patches available?

Yes, but they appear to be incomplete. Everyone would have preferred
to wait for patches before disclosing, but working exploits are
readily available.

What are "magic bytes"?

The first few bytes of a file can often used to identify the type of
file. Some examples are GIF images, which start with the hex bytes "47
49 46 38", and JPEG images, which start with "FF D8". This list on
Wikipedia has the magic bytes for most common file types.

Why are you disclosing a vulnerability like this?

We have collectively determined that these vulnerabilities are
available to individuals other than the person(s) who discovered them.
An unknowable number of people having access to these vulnerabilities
makes this a critical issue for everyone using this software.
ImageMagick also disclosed this on their forum a few hours ago.

How well-tested are these mitigations?

They are effective against all of the exploit samples we've seen, but
we cannot guarantee they will eliminate all vectors of attack.

Are there other ways to mitigate?

Sandboxing ImageMagick is worth investigating, but we are not
providing specific instructions for doing this.

What else should I know?

We did not find this vulnerability ourselves. We understand the
mechanisms involved, but credit for finding this vulnerability should
go to the researcher(s).

Vulnerabilities need names! What is its name??!?

If you must, we've been calling it "ImageTragick".

How can I contact you?

imagetragick@...il.com


-- 
Ryan Huber
rhuber@...il.com
@ryanhuber
https://github.com/rawdigits
+1 (312) 380 6136

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.