CVE-2016-3714
In short
ImageMagick, an image processing tool, fails to properly validate image file names and formats, allowing attackers to inject shell commands that execute as the user running the application. This is dangerous because an attacker can trick someone into processing a specially crafted image to gain control of the system.
Technical detail
Multiple ImageMagick coders (EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, PLT) improperly sanitize image filenames and delegate command parameters, allowing shell metacharacter injection via crafted images. An attacker can exploit this through remote image processing requests to achieve arbitrary code execution with the privileges of the ImageMagick process.
Summary generated and translated by AI from the official description.
The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
Public PoCs found — 11
github: github.com/Hood3dRob1n/CVE-2016-3714 (★ 69)
github: github.com/jpeanut/ImageTragick-CVE-2016-3714-RShell (★ 18)
github: github.com/JoshMorrison99/CVE-2016-3714 (★ 1)
github: github.com/chusiang/CVE-2016-3714.ansible.role (★ 1)
github: github.com/jackdpeterson/imagick_secure_puppet (★ 0)
github: github.com/tommiionfire/CVE-2016-3714 (★ 0)
exploitdb: www.exploit-db.com/exploits/39791 (unverified)
cve_reference: www.exploit-db.com/exploits/39767/ (unverified)
cve_reference: www.exploit-db.com/exploits/39791/ (unverified)
exploitdb: www.exploit-db.com/exploits/39767 (unverified)
cve_reference: packetstormsecurity.com/files/152364/ImageTragick-ImageMagick-Proof-Of-Concepts.html (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://git.imagemagick.org/repos/ImageMagick/blob/a01518e08c840577cabd7d3ff291a9ba735f7276/ChangeLog
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00024.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00025.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00028.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00041.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00051.html
http://packetstormsecurity.com/files/152364/ImageTragick-ImageMagick-Proof-Of-Concepts.html
http://rhn.redhat.com/errata/RHSA-2016-0726.html
https://access.redhat.com/security/vulnerabilities/2296071
https://bugzilla.redhat.com/show_bug.cgi?id=1332492
https://imagetragick.com/