[CVE-2016-3714] ImageMagick Delegate Arbitrary Command Execution Using Metasploit

May 10, 2016 09:48 AM

This module exploits a shell command injection in the way "delegates"

(commands for converting files) are processed in ImageMagick versions

<= 7.0.1-0 and <= 6.9.3-9 (legacy).

Since ImageMagick uses file magic to detect file format, you can create

a .png (for example) which is actually a crafted SVG (for example) that

triggers the command injection.

Tested on Linux, BSD, and OS X. You'll want to choose your payload

carefully due to portability concerns. Use cmd/unix/generic if need be.

Just updated your iPhone? You'll find new Apple Intelligence capabilities, sudoku puzzles, Camera Control enhancements, volume control limits, layered Voice Memo recordings, and other useful features. Find out what's new and changed on your iPhone with the iOS 18.2 update.

[CVE-2016-3714] ImageMagick Delegate Arbitrary Command Execution Using Metasploit

Related Articles

How to Use Zero-Width Characters to Hide Secret Messages in Text (& Even Reveal Leaks)

How to Hide DDE-Based Attacks in MS Word

Comments

No Comments Exist