| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 9.3 | $0-$5k | 0.14 |
Summary
A vulnerability classified as critical has been found in ImageMagick. It affects the function popen of the component File Open Handler. Manipulating the input |<command> leads to an access control vulnerability.
This vulnerability is referenced as CVE-2016-5118. The attack can be carried out remotely, and an exploit is available.
It is recommended to apply a patch to fix this issue.
Details
A vulnerability was found in ImageMagick (Image Processing Software) (affected version not known). It has been rated as critical. This issue affects the function popen of the component File Open Handler. Manipulating the input value |<command> leads to an access control vulnerability. Using CWE to declare the problem leads to CWE-284: the product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Confidentiality, integrity, and availability are impacted. The summary by CVE is:
The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbitrary code via a | (pipe) character at the start of a filename.
The weakness was published on 05/30/2016 by Cristy in the confirmed git commit "Add support for SanitizeString() method" (GIT Repository). The advisory can be read at git.imagemagick.org. This vulnerability has been identified as CVE-2016-5118 since 05/29/2016. The exploitation is known to be easy. The attack may be initiated remotely. No authentication is needed for a successful exploitation. Technical details as well as a public exploit are known. The attack technique used by this issue is T1068 according to MITRE ATT&CK.
The exploit is available at vuldb.com and is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 91555 (openSUSE Security Update : ImageMagick (openSUSE-2016-700)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family SuSE Local Security Checks and runs in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 196489 (Ubuntu Security Notification for Imagemagick Vulnerabilities (USN-2990-1)). The code used by the exploit is:
```shell
rm -f hello.txt                            # remove any stale marker file
convert '|echo Hello > hello.txt;' null:   # a filename beginning with "|" is handed to popen() and executed
ls hello.txt                               # the marker file exists only if the command ran
```
Applying a patch eliminates this problem. The bugfix is available for download at git.imagemagick.org. A possible mitigation was published immediately after the disclosure of the vulnerability. The vulnerability is addressed with the following lines of code:
```c
MagickExport char *SanitizeString(const char *source)
{
  char
    *sanitize_source;

  const char
    *q;

  register char
    *p;

  /* characters that are allowed to pass through unchanged */
  static char
    whitelist[] =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
      "$-_.+!*'(),{}|\\^~[]`\"><#%;/?:@&=";

  /* work on a private copy of the input; the caller owns the result */
  sanitize_source=AcquireString(source);
  p=sanitize_source;
  q=sanitize_source+strlen(sanitize_source);
  /* skip runs of whitelisted characters and replace every other character with '_' */
  for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist))
    *p='_';
  return(sanitize_source);
}
```
The vulnerability is also documented in the databases at Tenable (91555), SecurityFocus (BID 90938) and SecurityTracker (ID 1035984). Be aware that VulDB is the high quality source for vulnerability data.
Product
- Product: https://www.imagemagick.org/
CVSSv3
VulDB Meta Base Score: 9.8
VulDB Meta Temp Score: 9.3
VulDB Base Score: 9.8
VulDB Temp Score: 8.8
NVD Base Score: 9.8
Exploiting
Class: Access control
CWE: CWE-284 / CWE-266
Physical: No
Local: No
Remote: Yes
Access: Public
Status: Proof-of-Concept
Nessus ID: 91555
Nessus Name: openSUSE Security Update : ImageMagick (openSUSE-2016-700)
OpenVAS ID: 860034
OpenVAS Name: SuSE Update for ImageMagick openSUSE-SU-2016:1653-1 (ImageMagick)
Countermeasures
Recommended: Patch
Patch: git.imagemagick.org
Suricata ID: 2022846
Timeline
05/29/2016
05/29/2016
05/30/2016
05/30/2016
05/30/2016
05/31/2016
06/10/2016
06/10/2016
11/19/2024
Sources
Product: imagemagick.org
Advisory: Add support for SanitizeString() method
Researcher: Cristy
Status: Confirmed
CVE: CVE-2016-5118
GCVE (CVE): GCVE-0-2016-5118
GCVE (VulDB): GCVE-100-87695
SecurityFocus: 90938 - ImageMagick CVE-2016-5118 Remote Command Execution Vulnerability
SecurityTracker: 1035984
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 05/31/2016 11:23
Updated: 11/19/2024 22:44
Changes: 05/31/2016 11:23 (82), 12/22/2018 10:45 (12), 11/19/2024 22:44 (17)