Forum Thread: [CVE-2016-3714] ImageMagick Delegate Arbitrary Command Execution Using Metasploit

[CVE-2016-3714] ImageMagick Delegate Arbitrary Command Execution Using Metasploit

This module exploits a shell command injection in the way "delegates"
(commands for converting files) are processed in ImageMagick versions
<= 7.0.1-0 and <= 6.9.3-9 (legacy).

Since ImageMagick uses file magic to detect file format, you can create
a .png (for example) which is actually a crafted SVG (for example) that
triggers the command injection.

Tested on Linux, BSD, and OS X. You'll want to choose your payload
carefully due to portability concerns. Use cmd/unix/generic if need be.

Be the First to Respond

Share Your Thoughts

  • Hot
  • Active