Vulnerabilities > CVE-2005-4601 - Remote Command Execution vulnerability in Imagemagick 6.2.4.5

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
imagemagick
nessus

Summary

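The delegate code in ImageMagick 6.2.4.5-0.3 allows remote attackers to execute arbitrary commands via shell metacharacters in a filename that is processed by the display command. As the vendor advisories quoted below note, the attacker-controlled input is the file name itself, so exposure depends on whether a user or an application hands untrusted file names to ImageMagick.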

Vulnerable Configurations

Part Description Count
Application
Imagemagick
1

Nessus

  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2006-045-03.NASL
    description: New imagemagick packages are available for Slackware 10.2 and -current to fix security issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20914
    published: 2006-02-15
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20914
    title: Slackware 10.2 / current : imagemagick (SSA:2006-045-03)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2006-045-03. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when 'description' is set, the plugin only declares
    # its metadata and leaves through the exit(0) that closes this block, so none
    # of the host checks further down run in that mode.
    if (description)
    {
      script_id(20914);
      script_version("1.13");
      script_cvs_date("Date: 2019/10/25 13:36:20");
    
      # Two CVEs are attached to this one plugin; a finding does not say which
      # of them the installed package is exposed to.
      script_cve_id("CVE-2005-4601", "CVE-2006-0082");
      script_xref(name:"SSA", value:"2006-045-03");
    
      script_name(english:"Slackware 10.2 / current : imagemagick (SSA:2006-045-03)");
      # The summary states the method: the installed package recorded under
      # /var/log/packages is looked at, not the behaviour of ImageMagick.
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New imagemagick packages are available for Slackware 10.2 and
    -current to fix security issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.341682
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?cb5a66ee"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected imagemagick package."
      );
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # partial confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # Declared as a local check; the CPE entries name the Slackware package
      # and the Slackware releases this plugin is scoped to.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:imagemagick");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/02/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/02/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      # Depends on ssh_get_info.nasl and on three KB keys; the same keys are
      # re-checked at run time below this block.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    # Preconditions read from the knowledge base (KB): local checks enabled, a
    # Slackware release recorded, and a package list collected. Each failure is
    # handed to audit(), which is defined in audit.inc (not shown here) and is
    # assumed to end the run with the given reason.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Only hosts whose CPU string contains x86_64 or matches i386-i686 continue;
    # a missing or different CPU string is audited out.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    # flag counts the package checks that matched. The comparison itself lives
    # in slackware_check() (slackware.inc, not shown); pkgver / pkgnum are
    # presumably the fixed package builds from SSA:2006-045-03 that the
    # installed package is compared against -- confirm in slackware.inc.
    # NOTE(review): this is a finding about the distribution package build
    # taken from the collected package list; nothing here exercises ImageMagick.
    # The 10.2 reference (6.2.3_3) is not the upstream version named in the CVE
    # text, so do not match on upstream version numbers when triaging.
    flag = 0;
    if (slackware_check(osver:"10.2", pkgname:"imagemagick", pkgver:"6.2.3_3", pkgarch:"i486", pkgnum:"2")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"imagemagick", pkgver:"6.2.6_1", pkgarch:"i486", pkgnum:"1")) flag++;
    
    
    # Report once if any check matched; the text from slackware_report_get() is
    # attached only when report_verbosity is above 0. Otherwise the host is
    # audited as not affected.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-957.NASL
    description: Florian Weimer discovered that delegate code in ImageMagick is vulnerable to shell command injection using specially crafted file names. This allows attackers to encode commands inside of graphic commands. With some user interaction, this is exploitable through Gnus and Thunderbird. This update filters out the '$' character as well, which was forgotten in the former update.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22823
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22823
    title: Debian DSA-957-2 : imagemagick - missing shell meta sanitising
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-957. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when 'description' is set, the plugin only declares
    # its metadata and leaves through the exit(0) that closes this block, so the
    # package checks further down do not run in that mode.
    if (description)
    {
      script_id(22823);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      script_cve_id("CVE-2005-4601");
      script_bugtraq_id(16093);
      script_xref(name:"DSA", value:"957");
    
      # The title names revision DSA-957-2; the description text below explains
      # that this revision also filters '$', which the earlier update missed.
      script_name(english:"Debian DSA-957-2 : imagemagick - missing shell meta sanitising");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Florian Weimer discovered that delegate code in ImageMagick is
    vulnerable to shell command injection using specially crafted file
    names. This allows attackers to encode commands inside of graphic
    commands. With some user interaction, this is exploitable through Gnus
    and Thunderbird. This update filters out the '$' character as well,
    which was forgotten in the former update."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345238"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-957"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the imagemagick packages.
    
    For the old stable distribution (woody) this problem has been fixed in
    version 5.4.4.5-1woody8.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 6.0.6.2-2.6."
      );
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # partial C/I/A. Temporal vector: exploitability unproven, official fix
      # available, report confirmed.
      # NOTE(review): the description above mentions user interaction, which
      # the AC:L / Au:N base vector does not express; weigh the score against
      # how file names actually reach ImageMagick on the host.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # Declared as a local check, scoped by CPE to the imagemagick package on
      # Debian 3.0 and 3.1.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:imagemagick");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/12/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Depends on ssh_get_info.nasl and on three KB keys; the same keys are
      # re-checked at run time below this block.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions read from the knowledge base (KB): local checks enabled, a
    # Debian release recorded, and dpkg -l output collected. Each failure is
    # handed to audit(), which is defined in audit.inc (not shown here) and is
    # assumed to end the run with the given reason.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # flag counts the package checks that matched. Six package names are tested
    # per release: the 3.0 entries use the woody fix version and the 3.1 entries
    # the sarge fix version given in the plugin's solution text.
    # deb_check() is defined in debian_package.inc (not shown); 'reference' is
    # presumably the fixed version the installed package is compared against --
    # confirm there.
    # NOTE(review): this is a package-version finding from the collected dpkg
    # list; nothing here exercises ImageMagick itself.
    flag = 0;
    if (deb_check(release:"3.0", prefix:"imagemagick", reference:"5.4.4.5-1woody8")) flag++;
    if (deb_check(release:"3.0", prefix:"libmagick++5", reference:"5.4.4.5-1woody8")) flag++;
    if (deb_check(release:"3.0", prefix:"libmagick++5-dev", reference:"5.4.4.5-1woody8")) flag++;
    if (deb_check(release:"3.0", prefix:"libmagick5", reference:"5.4.4.5-1woody8")) flag++;
    if (deb_check(release:"3.0", prefix:"libmagick5-dev", reference:"5.4.4.5-1woody8")) flag++;
    if (deb_check(release:"3.0", prefix:"perlmagick", reference:"5.4.4.5-1woody8")) flag++;
    if (deb_check(release:"3.1", prefix:"imagemagick", reference:"6.0.6.2-2.6")) flag++;
    if (deb_check(release:"3.1", prefix:"libmagick++6", reference:"6.0.6.2-2.6")) flag++;
    if (deb_check(release:"3.1", prefix:"libmagick++6-dev", reference:"6.0.6.2-2.6")) flag++;
    if (deb_check(release:"3.1", prefix:"libmagick6", reference:"6.0.6.2-2.6")) flag++;
    if (deb_check(release:"3.1", prefix:"libmagick6-dev", reference:"6.0.6.2-2.6")) flag++;
    if (deb_check(release:"3.1", prefix:"perlmagick", reference:"6.0.6.2-2.6")) flag++;
    
    # Report once if any check matched; the text from deb_report_get() is
    # attached only when report_verbosity is above 0. Otherwise the host is
    # audited as not affected.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2007-1340.NASL
    description: Maintenance update fixing several security issues and bugs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27710
    published: 2007-11-06
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/27710
    title: Fedora 7 : GraphicsMagick-1.1.8-2.fc7 (2007-1340)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2007-1340.
    #
    
    include("compat.inc");
    
    # Registration branch: when 'description' is set, the plugin only declares
    # its metadata and leaves through the exit(0) that closes this block, so the
    # package checks further down do not run in that mode.
    if (description)
    {
      script_id(27710);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:25");
    
      # Five CVEs are attached to this one plugin; a finding does not say which
      # of them the installed package is exposed to.
      script_cve_id("CVE-2005-4601", "CVE-2006-0082", "CVE-2006-4144", "CVE-2006-5456", "CVE-2007-1797");
      script_xref(name:"FEDORA", value:"2007-1340");
    
      # The packages named throughout this plugin are GraphicsMagick, not
      # ImageMagick.
      script_name(english:"Fedora 7 : GraphicsMagick-1.1.8-2.fc7 (2007-1340)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Maintainance update fixing several security issues and bugs.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2007-July/002982.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?626378b0"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # partial C/I/A.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      # NOTE(review): one CWE id is attached although five CVEs are listed;
      # which of them it classifies is not stated in this file.
      script_cwe_id(189);
    
      # Declared as a local check, scoped by CPE to the GraphicsMagick packages
      # on Fedora 7.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:GraphicsMagick");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:GraphicsMagick-c++");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:GraphicsMagick-c++-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:GraphicsMagick-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:GraphicsMagick-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:GraphicsMagick-perl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/07/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      # Depends on ssh_get_info.nasl and on three KB keys; note that the release
      # and package list are read from the Host/RedHat/* keys, also for Fedora.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Preconditions read from the knowledge base (KB). Each failure is handed to
    # audit(), which is defined in audit.inc (not shown here) and is assumed to
    # end the run with the given reason.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    # The release string must mention Fedora; its major version is taken from
    # the first capture group of the "release N" pattern and must start with 7
    # followed by a non-digit or end of string (so 70, 71, ... do not match).
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 7.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only hosts whose CPU string contains x86_64 or matches i386-i686 continue.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    # flag counts the package checks that matched. rpm_check() is defined in
    # rpm.inc (not shown); 'reference' is presumably the fixed package build the
    # installed package is compared against -- confirm there.
    # NOTE(review): this is a package-version finding from the collected rpm
    # list for GraphicsMagick packages; nothing here exercises the library.
    flag = 0;
    if (rpm_check(release:"FC7", reference:"GraphicsMagick-1.1.8-2.fc7")) flag++;
    if (rpm_check(release:"FC7", reference:"GraphicsMagick-c++-1.1.8-2.fc7")) flag++;
    if (rpm_check(release:"FC7", reference:"GraphicsMagick-c++-devel-1.1.8-2.fc7")) flag++;
    if (rpm_check(release:"FC7", reference:"GraphicsMagick-debuginfo-1.1.8-2.fc7")) flag++;
    if (rpm_check(release:"FC7", reference:"GraphicsMagick-devel-1.1.8-2.fc7")) flag++;
    if (rpm_check(release:"FC7", reference:"GraphicsMagick-perl-1.1.8-2.fc7")) flag++;
    
    
    # Report once if any check matched; the text from rpm_report_get() is
    # attached only when report_verbosity is above 0.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      # No match: the audit reason depends on whether pkg_tests_get() returns
      # anything, i.e. "not affected" with that value versus "not installed".
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "GraphicsMagick / GraphicsMagick-c++ / GraphicsMagick-c++-devel / etc");
    }
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-024.NASL
    description: The delegate code in ImageMagick 6.2.4.x allows remote attackers to execute arbitrary commands via shell metacharacters in a filename that is processed by the display command. (CVE-2005-4601) A format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3, and other versions, allows user-complicit attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program. (CVE-2006-0082) The updated packages have been patched to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20818
    published: 2006-01-29
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20818
    title: Mandrake Linux Security Advisory : ImageMagick (MDKSA-2006:024)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-246-1.NASL
    description: Florian Weimer discovered that the delegate code did not correctly handle file names which embed shell commands (CVE-2005-4601). Daniel Kobras found a format string vulnerability in the SetImageInfo() function (CVE-2006-0082). By tricking a user into processing an image file with a specially crafted file name, these two vulnerabilities could be exploited to execute arbitrary commands with the user […]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21054
    published: 2006-03-13
    reporter: Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21054
    title: Ubuntu 4.10 / 5.04 / 5.10 : imagemagick vulnerabilities (USN-246-1)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2006-0178.NASL
    description: Updated ImageMagick packages that fix two security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. ImageMagick(TM) is an image display and manipulation tool for the X Window System that can read and write multiple image formats. A shell command injection flaw was found in ImageMagick […]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21888
    published: 2006-07-03
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21888
    title: CentOS 3 / 4 : ImageMagick (CESA-2006:0178)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2006-0178.NASL
    description: Updated ImageMagick packages that fix two security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. ImageMagick(TM) is an image display and manipulation tool for the X Window System that can read and write multiple image formats. A shell command injection flaw was found in ImageMagick […]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20922
    published: 2006-02-15
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/20922
    title: RHEL 2.1 / 3 / 4 : ImageMagick (RHSA-2006:0178)

Oval

accepted: 2013-04-29T04:04:55.297-04:00
class: vulnerability
contributors
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: The delegate code in ImageMagick 6.2.4.5-0.3 allows remote attackers to execute arbitrary commands via shell metacharacters in a filename that is processed by the display command.
family: unix
id: oval:org.mitre.oval:def:10353
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: The delegate code in ImageMagick 6.2.4.5-0.3 allows remote attackers to execute arbitrary commands via shell metacharacters in a filename that is processed by the display command.
version: 26

Redhat

advisories
rhsa
id: RHSA-2006:0178
rpms
  • ImageMagick-0:5.5.6-18
  • ImageMagick-0:6.0.7.1-14
  • ImageMagick-c++-0:5.5.6-18
  • ImageMagick-c++-0:6.0.7.1-14
  • ImageMagick-c++-devel-0:5.5.6-18
  • ImageMagick-c++-devel-0:6.0.7.1-14
  • ImageMagick-debuginfo-0:5.5.6-18
  • ImageMagick-debuginfo-0:6.0.7.1-14
  • ImageMagick-devel-0:5.5.6-18
  • ImageMagick-devel-0:6.0.7.1-14
  • ImageMagick-perl-0:5.5.6-18
  • ImageMagick-perl-0:6.0.7.1-14