Not a Pretty Picture: ImageMagick flaw enables remote code execution via uploaded images
A serious vulnerability discovered in ImageMagick, dubbed ImageTragick, could allow bad actors to remotely execute malicious code via sabotaged image files.
Open-source image processing software provider ImageMagick has issued patches and workarounds for a series of recently disclosed vulnerabilities, including one that could allow hackers to remotely execute code via the uploading of maliciously crafted images.
At least one researcher, Ryan Huber, who performs IT security services for Slack, has stated that it is “being used in the wild,” although in an emailed statement to SCMagazine.com, an ImageMagick spokesperson wrote, “We are not personally aware of any specific incidents.” Another security expert, Dan Tentler, founder of Phobos Group, was able to quickly build an exploit and tweeted the proof.
Able to read and write over 200 image file formats, ImageMagick is used in many social media websites, online blogs and content management systems, and its library is leveraged by numerous image-processing plugins.
The vulnerabilities were discovered by Nikolay Ermishkin and "Stewie" — two security researchers associated with the Russian Internet services company Mail.Ru Group. Details on the flaw were revealed today by Mail.Ru via Openwall after the news initially surfaced on an online forum, prompting concerns that bad actors would quickly capitalize. SCMagazine.com has reached out to Mail.Ru and will update this report upon receiving a response. ImageMagick acknowledged the vulnerabilities in lesser detail yesterday on its website.
Of chief concern among the vulnerabilities is CVE-2016-3714, which Huber's website refers as ImageTragick. The vulnerability stems from the insufficient parameter filtering of user-added files that contain external libraries. This flaw makes it possible for bad actors to execute a shell command injection, resulting in remote code execution during the conversion of certain file formats.
In other words, hackers can embed malicious code into seemingly benign image files in order to gain control of a machine. Even if the corrupted file is not in a traditional image file format, the hacker can most likely sneak it past ImageMagick's file check process by simply renaming the file extension—to .jpg or .png, for instance. "ImageMagick tries to guess the type of the file by its content, so exploitation doesn't depend on the file extension,” explained the Mail.Ru vulnerability disclosure.
There were four other disclosed vulnerabilities, the consequences of which potentially include the execution of HTTP GET or FTP requests, and the unauthorized deletion, moving and reading of files using various “pseudo protocols.”
ImageMagick responded by developing patches for versions 7.0.1-1 and 6.9.3-10 (The latter should be available by the weekend, the company stated.) However, Mail.Ru in its disclosure called these measures “incomplete.”
For other versions, ImageMagick has developed a workaround, recommending that users add several statements to their policy.xml configuration file in order to disable vulnerable coders. “For HTTPS, you can also remove support by deleting it from the delegates.xml configuration file,” the company added. For extra security, Mail.Ru also recommends that users “verify that all image files begin with the expected ‘magic bytes' corresponding to the image file types you support before sending them to ImageMagick for processing.”