oss-sec mailing list archives
Re: ImageMagick Is On Fire -- CVE-2016-3714
From: Seth Arnold <seth.arnold () canonical com>
Date: Tue, 3 May 2016 21:01:43 -0700
On Tue, May 03, 2016 at 08:42:30PM -0500, Bob Friesenhahn wrote:
This appears to be executed via: https://sourceforge.net/p/graphicsmagick/code/ci/default/tree/magick/delegate.c which tries to escape arguments using UnixShellTextEscape(). This function appears to replace \`"$ chars with backslash-escaped versions. I'm not sure this is a safe mechanism either.Please provide me with a working exploit.
Sorry, exploits aren't my strong suite. Shells are crazy things though -- | & || && and ; make it easy to execute additional commands. * ? {} and [] make it easy to turn "single" arguments into many arguments or get forbidden characters from the filesystem into the command line anyway. - can change behaviours of called programs. etc etc.
Be aware that this quoting method is only used for the few delegates.mgk rules which require shell-like syntax to work. Otherwise the external program is run using execvp() without a shell.
Now this I love to hear. execve() makes me happy. Thanks
Attachment:
signature.asc
Description:
Current thread:
- ImageMagick Is On Fire -- CVE-2016-3714 Ryan Huber (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Solar Designer (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Karim Valiev (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Seth Arnold (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Tim (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Brandon Dees (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Seth Arnold (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Bob Friesenhahn (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Seth Arnold (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Karim Valiev (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Solar Designer (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Bob Friesenhahn (May 19)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Jeremy Stanley (May 19)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Bob Friesenhahn (May 19)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Kurt Seifried (May 19)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Simon McVittie (May 19)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Bob Friesenhahn (May 19)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 John Lightsey (May 19)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Bob Friesenhahn (May 20)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Simon Lees (May 20)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Thomas Klausner (May 19)