Monthly Archives: May 2016

Exploiting ImageMagick to get RCE on Polyvore (Yahoo Acquisition)

On 5/5/2016 ImageMagick was assigned CVE-2016-3714 “ImageMagick Delegate Arbitrary Command Execution”. Now let’s dig to this vulnerability and how to exploit this.  Having ImageMagick locally installed is advised in order to validate the POC (but not required). For this particular report, I created a file named  exploit.png with the following in the “source code” to get the target’s `id`:

 Continue reading