Date: Tue, 3 May 2016 21:01:43 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick Is On Fire -- CVE-2016-3714

On Tue, May 03, 2016 at 08:42:30PM -0500, Bob Friesenhahn wrote:
> >This appears to be executed via:
> >https://sourceforge.net/p/graphicsmagick/code/ci/default/tree/magick/delegate.c
> >which tries to escape arguments using UnixShellTextEscape(). This function
> >appears to replace \`"$ chars with backslash-escaped versions. I'm not
> >sure this is a safe mechanism either.
> 
> Please provide me with a working exploit.

Sorry, exploits aren't my strong suit.

Shells are crazy things though -- | & || && and ; make it easy to execute
additional commands. * ? {} and [] make it easy to turn "single" arguments
into many arguments or get forbidden characters from the filesystem into
the command line anyway. - can change behaviours of called programs. etc etc.

> Be aware that this quoting method is only used for the few delegates.mgk
> rules which require shell-like syntax to work. Otherwise the external
> program is run using execvp() without a shell.

Now this I love to hear. execve() makes me happy.

Thanks

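As an added example (not GraphicsMagick's or ImageMagick's own code, and not posted in this thread), the C program below re-implements the escaping behaviour described above as escape_dq_specials(): an assumption based on the description of UnixShellTextEscape(), not its actual source. live_metachars() then reports which shell metacharacters survive that escaping once the text is substituted unquoted into a command line, and run_via_shell_unquoted() versus run_via_execvp() show the difference in practice. The template "true %s" and the sample inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Assumed re-implementation of what the thread attributes to
 * UnixShellTextEscape(): prefix each of  \ ` " $  with a backslash.
 * NOT GraphicsMagick's code.  Caller frees the result. */
char *escape_dq_specials(const char *in)
{
    char *out = malloc(2 * strlen(in) + 1);  /* worst case: every byte escaped */
    char *p = out;

    if (out == NULL)
        return NULL;
    for (; *in != '\0'; in++) {
        if (strchr("\\`\"$", *in) != NULL)
            *p++ = '\\';
        *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* Bytes a POSIX shell still interprets when text lands OUTSIDE quotes:
 * separators/pipes, redirection, grouping, globbing, tilde, comment, and
 * the whitespace that splits one "argument" into several. */
static const char unquoted_specials[] = ";|&<>(){}[]*?~# \t\n";

/* Distinct metacharacters in 'escaped' not protected by a preceding
 * backslash, in order of first appearance.  "" means the text cannot
 * change the command line when substituted unquoted.  Static buffer. */
const char *live_metachars(const char *escaped)
{
    static char found[32];
    int n = 0;

    found[0] = '\0';
    for (const char *s = escaped; *s != '\0'; s++) {
        if (*s == '\\') {                 /* backslash protects the next byte */
            if (s[1] != '\0')
                s++;
            continue;
        }
        if (strchr(unquoted_specials, *s) != NULL && strchr(found, *s) == NULL) {
            found[n++] = *s;
            found[n] = '\0';
        }
    }
    return found;
}

/* A leading '-' is not a shell problem: the shell passes it through and
 * the called program parses it as an option. */
int looks_like_option(const char *arg)
{
    return arg[0] == '-';
}

/* Delegate-style call: escaped text substituted unquoted into a shell
 * command line.  "x; false" therefore runs false and returns 1. */
int run_via_shell_unquoted(const char *escaped_arg)
{
    char cmd[512];
    int status;

    snprintf(cmd, sizeof cmd, "true %s", escaped_arg);
    status = system(cmd);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Same program via fork+execvp with the text as one argv element: no shell
 * parses it, so "x; false" stays a single opaque argument and true exits 0. */
int run_via_execvp(const char *arg)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { "true", (char *)arg, NULL };
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample "filenames" as an attacker might supply them. */
    const char *inputs[] = { "image.png", "a\"$b`c", "x; false", "*.png", "-verbose" };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *esc = escape_dq_specials(inputs[i]);
        printf("%-10s escaped=%-14s live=[%s] option=%d shell=%d execvp=%d\n",
               inputs[i], esc, live_metachars(esc), looks_like_option(inputs[i]),
               run_via_shell_unquoted(esc), run_via_execvp(inputs[i]));
        free(esc);
    }
    return 0;
}
```

The four characters this escaping covers are exactly the ones that are special inside double quotes, so the scheme is sound only when the template places the substitution inside double quotes; the page does not say which context the delegates.mgk rules use. Substituted unquoted, everything in unquoted_specials stays live, which is the point made about ;, |, &, globs and whitespace above. The leading-dash case is separate: it survives both paths, since it is the called program, not the shell, that treats it as an option.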
