


00 Foreword
What is ImageMagick?
ImageMagick is a powerful open source graphics processing software that can be used to read, write and process more than 90 kinds of image files, including popular JPEG, GIF, PNG, PDF and PhotoCD formats. Use it to process pictures with various special effects such as cutting, rotating, and combining them.
Due to its powerful functions, good performance, and extended support for many languages, it is widely used in program development. Many website developers like to use ImageMagick extensions to do image processing work on the web, such as user avatar generation, image editing, etc.
01 Vulnerability Description
ImageMagick is an open source image processing library that supports multiple languages such as PHP, Ruby, NodeJS and Python, and is widely used. Several image processing plug-ins, including PHP imagick, Ruby rmagick and paperclip, and NodeJS imagemagick, all rely on it to run. When an attacker constructs an image containing malicious code, the ImageMagick library improperly handles HTTPPS files and does not perform any filtering. It can remotely execute remote commands and possibly control the server.
02 Impact
Attack cost: low
Hazard level: High
Affected scope: All versions before ImageMagick 6.9.3-9
03 Vulnerability Analysis
The command execution vulnerability occurs in the process of ImageMagick processing files in https format.
The reason why ImageMagick supports so many file formats is because it has a lot of built-in image processing libraries. For these image processing libraries, ImageMagick named it "Delegate" (delegate), and each Delegate corresponds to one format file, and then call the external lib for processing through the system's system() command. The process of calling external lib is executed using the system's system command, resulting in the code executing the command.
Default configuration file for ImageMagick delegates: /etc/ImageMagick/delegates.xml
For specific code, please refer to: Github-ImageMagick
We locate the https delegation line:
" <delegate decode=\"https\" command=\""wget" -q -O "%o" "https:%M"\"/>"
As you can see, command defines the command that is brought into the system() function when processing https files: "wget" -q -O "%o" "https:%M".
wget is a command to download files from the network, %M is a placeholder, it must be specifically defined in the configuration file as follows:
%i input image filename %o output image filename %u unique temporary filename %Z unique temporary filename %# input image signature %b image file size %c input image comment %g image geometry %h image rows (height) %k input image number colors %l image label %m input image format %p page number %q input image depth %s scene number %w image columns (width) %x input image x resolution %y input image y resolution
You can see that %m is defined as the input image format, which is the url address we entered. However, since we only did simple string splicing without any filtering and directly spliced it into the command command, we can close the quotation marks and bring them into other commands through "|", "`", "&", etc., that is Command injection is formed.
For example, we pass in the following code:
https://test.com"|ls “-al
Then the actual command executed by the system function is:
“wget” -q -O “%o” “ https://test.com"|ls “-al”
In this way, the ls -al command is successfully executed.
04 Exploit
The POC of this vulnerability was given by a foreigner, as follows:
push graphic-context viewbox 0 0 640 480 fill 'url(https://"|id; ")' pop graphic-context
push and pop are used for stack operations, one is pushed into the stack and the other is popped out of the stack;
Viewbox represents the size of the visible area of SVG, or it can be imagined as the stage size or canvas size. The simple understanding is to select a part of the screen according to the following parameters;
fill url() fills the image into the current element;
In it, we use fill url() to call the vulnerable https delegate. When ImageMagick processes this file, the vulnerability will be triggered.
Attachment: ImageMagick supports an image format by default, called mvg, and mvg is similar to the svg format, in which the content of the vector image is written in text form, allowing other delegates in ImageMagick to be loaded (such as the vulnerable https delegate) . And during the graphics processing process, ImageMagick will automatically process it according to its content, which means that we can arbitrarily define the file as png, jpg and other formats allowed for website upload, which greatly increases the exploitable scenarios of the vulnerability.
Usage process:
Create an exploit.png file with the following content:
push graphic-context viewbox 0 0 640 480 fill 'url(https://test.com/image.jpg"|ls "-al)' pop graphic-context
Execute command: convert exploit.png 1.png (the following are the parameters of convert)
05 bug fix
Upgrade to the latest version
Configure /etc/ImageMagick/policy.xml to disable https, mvg delegates, or delete the corresponding delegates directly in the configuration file
<policymap> <policy domain="coder" rights="none" pattern="EPHEMERAL" /> <policy domain="coder" rights="none" pattern="URL" /> <policy domain="coder" rights="none" pattern="HTTPS" /> <policy domain="coder" rights="none" pattern="MVG" /> <policy domain="coder" rights="none" pattern="MSL" /> </policymap>
The above is the knowledge about ImageMagick command execution vulnerabilities introduced by the editor. I hope it will be helpful to you. If you have any questions, please leave me a message and the editor will reply to you in time. I would also like to thank you all for your support of the Script House website!

不到一分钟、不超过20步,任意绕过安全限制,成功越狱大型模型!而且不必知道模型内部细节——只需要两个黑盒模型互动,就能让AI全自动攻陷AI,说出危险内容。听说曾经红极一时的“奶奶漏洞”已经被修复了:如今,面对“侦探漏洞”、“冒险家漏洞”和“作家漏洞”,人工智能应该采取何种应对策略呢?一波猛攻下来,GPT-4也遭不住,直接说出要给供水系统投毒只要……这样那样。关键这只是宾夕法尼亚大学研究团队晒出的一小波漏洞,而用上他们最新开发的算法,AI可以自动生成各种攻击提示。研究人员表示,这种方法相比于现有的

在Web应用程序的开发中,文件上传功能已经成为了基本的需求。这个功能允许用户向服务器上传自己的文件,然后在服务器上进行存储或处理。然而,这个功能也使得开发者更需要注意一个安全漏洞:文件上传漏洞。攻击者可以通过上传恶意文件来攻击服务器,从而导致服务器遭受不同程度的破坏。PHP语言作为广泛应用于Web开发中的语言之一,文件上传漏洞也是常见的安全问题之一。本文将介

Java中的缓冲区溢出漏洞及其危害缓冲区溢出是指当我们向一个缓冲区写入超过其容量的数据时,会导致数据溢出到其他内存区域。这种溢出行为常常被黑客利用,可以导致代码执行异常、系统崩溃等严重后果。本文将介绍Java中的缓冲区溢出漏洞及其危害,同时给出代码示例以帮助读者更好地理解。Java中广泛使用的缓冲区类有ByteBuffer、CharBuffer、ShortB

2月2日消息,微软软件工程部门经理ShaneJones最近发现OpenAI旗下的DALL-E3模型存在漏洞,据称可以生成一系列不适宜内容。ShaneJones向公司上报了该漏洞,但却被要求保密。然而,他最终还是决定向外界披露了这个漏洞。▲图源ShaneJones对外披露的报告本站注意到,ShaneJones在去年12月通过独立研究发现OpenAI文字生成图片的DALL-E3模型存在一项漏洞。这个漏洞能够绕过AI护栏(AIGuardrail),导致生成一系列NSFW不当内容。这个发现引起了广泛关注

Java中的逗号运算符漏洞和防护措施概述:在Java编程中,我们经常使用逗号运算符来同时执行多个操作。然而,有时候我们可能会忽略逗号运算符的一些潜在漏洞,这些漏洞可能导致意外的结果。本文将介绍Java中逗号运算符的漏洞,并提供相应的防护措施。逗号运算符的用法:逗号运算符在Java中的语法为expr1,expr2,可以说是一种序列运算符。它的作用是先计算ex

本篇文章给大家带来了关于PHP漏洞的相关知识,其中主要给大家总结介绍PHP的常见漏洞代码都有哪些,非常全面详细,下面一起来看一下,希望对需要的朋友有所帮助。

<ul><li><strong>点击进入:</strong>ChatGPT工具插件导航大全</li></ul><figureclass="imageimage--expandable"><imgsrc="/uploads/2023041

修复Linux系统中的常见漏洞是确保系统安全性的重要步骤。以下是修复常见漏洞的一般教程:更新系统补丁:及时更新操作系统的补丁是防止漏洞利用的关键步骤。使用包管理器(如yum、apt-get)检查并安装可用的系统更新。安装最新软件版本:更新系统上安装的软件到最新版本,因为新版本通常修复了已知漏洞。确保使用包管理器安装最新软件包。禁用不必要的服务和端口:检查系统上运行的服务和打开的端口,禁用不必要的服务和关闭未使用的端口。这减少了系统暴露给潜在攻击的机会。配置防火墙:设置和配置防火墙以限制网络流量和


Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

AI Hentai Generator
Generate AI Hentai for free.

Hot Article

Hot Tools

MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.

DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software

Atom editor mac version download
The most popular open source editor

VSCode Windows 64-bit Download
A free and powerful IDE editor launched by Microsoft

Dreamweaver CS6
Visual web development tools
