FreeBSD : ImageMagick -- multiple vulnerabilities (0d724b05-687f-4527-9c03-af34d3b094ec) (ImageTragick)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Openwall reports :

Insufficient filtering for filename passed to delegate's command
allows remote code execution during conversion of several file
formats. Any service which uses ImageMagick to process user-supplied
images and uses default delegates.xml / policy.xml, may be vulnerable
to this issue.

It is possible to make ImageMagick perform an HTTP GET or FTP request.

It is possible to delete files by using ImageMagick's 'ephemeral'
pseudo protocol which deletes files after reading.

It is possible to move image files to a file with any extension in any
folder by using ImageMagick's 'msl' pseudo protocol. msl.txt and
image.gif should exist in a known location - /tmp/ for the PoC (in real
life it may be a web service written in PHP which allows uploading raw
txt files and processing images with ImageMagick).

It is possible to get content of the files from the server by using
ImageMagick's 'label' pseudo protocol.
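
The description ties exposure to running with a default policy.xml. The following Python script is an added example, not part of the Nessus plugin or the Openwall report: it lists which of the coders named above a given policy.xml does not deny. The coder names HTTP, HTTPS and FTP, the sample policy, and the conservative rule "denied only if every matching coder entry has rights none" are assumptions of this example.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coder names assumed from the pseudo protocols and request types the
# description names (ephemeral, msl, label, HTTP GET / FTP requests).
RISKY_CODERS = ["EPHEMERAL", "MSL", "LABEL", "HTTP", "HTTPS", "FTP"]

# Constructed sample policy.xml (not taken from a real host).
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="read|write" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="HTT*"/>
</policymap>"""


def coder_rules(policy_xml):
    """Return (pattern, rights) for every coder-domain policy entry."""
    root = ET.fromstring(policy_xml)
    rules = []
    for entry in root.iter("policy"):
        if entry.get("domain", "").lower() == "coder" and entry.get("pattern"):
            rules.append((entry.get("pattern"), entry.get("rights", "").lower()))
    return rules


def unblocked_coders(policy_xml, coders=RISKY_CODERS):
    """List coders that are not clearly denied by the policy.

    Conservative: a coder counts as denied only when at least one coder
    rule matches it and every matching rule has rights="none". Any
    matching rule that grants rights leaves the coder reported.
    """
    rules = coder_rules(policy_xml)
    exposed = []
    for coder in coders:
        matching = [rights for pattern, rights in rules
                    if fnmatch.fnmatchcase(coder, pattern)]
        if not matching or any(rights != "none" for rights in matching):
            exposed.append(coder)
    return exposed


if __name__ == "__main__":
    for name in unblocked_coders(SAMPLE_POLICY):
        print("coder not denied by policy:", name)
```

An empty `<policymap/>` reports every coder in the list. The check covers only the policy file and does not replace updating the affected packages.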

See also :

http://www.openwall.com/lists/oss-security/2016/05/03/18
https://imagetragick.com/
http://www.nessus.org/u?df8826cc

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 90979

Bugtraq ID:

CVE ID: CVE-2016-3714
CVE-2016-3715
CVE-2016-3716
CVE-2016-3717
CVE-2016-3718
