关联漏洞
标题:
ImageMagick 输入验证错误漏洞
(CVE-2016-3714)
描述:ImageMagick是美国ImageMagick公司的一套开源的图像处理软件。该软件可读取、转换或写入多种格式的图片。 ImageMagick 6.9.3-10之前版本和7.0.1-1之前7.x版本存在输入验证错误漏洞,该漏洞源于程序没有充分过滤用户传入的shell字符。攻击者可通过上传恶意的图像利用该漏洞执行任意代码,获取敏感信息。
描述
Fix ImageMagick Command Injection (CVE-2016-3714) with Ansible.
介绍
Ansible Role: CVE-2016-3714
=========
[](https://travis-ci.org/chusiang/CVE-2016-3714.ansible.role) [](https://galaxy.ansible.com/chusiang/CVE-2016-3714/)
Fix **ImageMagick Command Injection (CVE-2016-3714)** security issue with Ansible.
Requirements
------------
Any installed imagemagick and before v6.7.7.10 machine.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml.
policy_path: "/etc/ImageMagick/policy.xml"
injection_src: "/etc/passwd"
injection_dest: "/tmp/hack.txt"
Dependencies
------------
none.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: chusiang.CVE-2016-3714 }
License
-------
Copyright (c) chusiang from 2016 under the MIT license.
文件快照
[4.0K] /data/pocs/19da9a644744ba637b012aa012ae13910a313725
├── [4.0K] defaults
│ └── [ 157] main.yml
├── [1.1K] LICENSE
├── [ 190] Makefile
├── [4.0K] meta
│ └── [1.7K] main.yml
├── [1.1K] README.md
├── [ 109] requirements.yml
├── [ 320] setup.yml
├── [4.0K] tasks
│ ├── [ 860] fix_imagemagick_injection.yml
│ └── [ 402] main.yml
├── [4.0K] templates
│ ├── [ 152] exploit.png.j2
│ └── [2.6K] policy.xml.j2
├── [4.0K] tests
│ ├── [ 659] Dockerfile.debian7
│ ├── [ 659] Dockerfile.debian8
│ ├── [ 667] Dockerfile.ubuntu1204
│ └── [ 663] Dockerfile.ubuntu1404
└── [1.6K] Vagrantfile
5 directories, 16 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。