After word spread last week of a remote code execution (RCE) vulnerability in the image-processing software ImageMagick, bad actors immediately went to work trying to exploit it in the wild. This included multiple attempts to test the flaw's viability for future abuse, as well as exploits that created backdoors or reverse shells for communicating with a command and control center, according to several research reports.
The security analyst primarily credited with discovering the vulnerability in the first place, Nikolay Ermishkin from Russian Internet services company Mail.Ru Group, shed even more light on the threat in an email interview with SCMagazine.com.
The flaw stems from insufficient parameter filtering of user-supplied .mvg files. The .mvg file format is closely associated with the ImageMagick program, which allows websites, blogs and content management systems to process and modify user-added images (such as user profile photos). Attackers can exploit this flaw by disguising maliciously crafted .mvg-based files as seemingly benign .jpgs and other image files, resulting in arbitrary code execution.
Ermishkin told SCMagazine.com that he came to discover the program after a bug-bounty researcher with the alias “Stewie” demonstrated how he was able to use .mvg files to break into and read files in one of Mail.Ru's services. The company fixed the vulnerability that evening, “but the attack vector was very interesting, so I spent several evenings after work investigating additional opportunities of this exploit,” said Ermishkin.
After discovering several minor vulnerabilities, he came across ImageTragick's RCE vulnerability, which was disturbingly simple to exploit. “Before the fix became available, you could download such an image to a file hosting service or attach it to an email and execute arbitrary code on their servers. You don't have to be a professional hacker to do it, even a child can download images to all available places,” Ermishkin explained.
Several IT researchers have already detailed some of the ways hackers continue to capitalize on unpatched versions of ImageMagick. (ImageMagick has issued updates for versions 7.0.1-1 and 6.9.3-10, and has recommended workarounds for older versions.)
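The disguised-.jpg route described above depends on the server trusting a file's extension rather than its contents. The following is an added example (not code from the article, ImageMagick or Mail.Ru) of a server-side upload check that compares the claimed extension against the file's leading bytes and refuses text-based vector formats such as .mvg; the signature table, marker strings and sample inputs are my own constructed choices.

```python
from typing import Tuple

# Leading-byte signatures for the raster formats an avatar upload may carry.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Text markers of ImageMagick's vector/script formats (MVG, MSL, SVG). An .mvg
# file is plain text that begins with drawing commands, so these never appear
# at the head of a genuine JPEG, PNG or GIF.
TEXT_FORMAT_MARKERS = (b"push graphic-context", b"viewbox", b"<svg", b"<?xml", b"<msl")


def detect_format(data: bytes) -> str:
    """Return the format implied by the file's own bytes, or 'unknown'."""
    for ext, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return "jpg" if ext == "jpeg" else ext
    head = data[:256].lower()
    if any(marker in head for marker in TEXT_FORMAT_MARKERS):
        return "text-vector"
    return "unknown"


def check_upload(data: bytes, claimed_ext: str) -> Tuple[bool, str]:
    """Accept only when the claimed extension is an allow-listed raster format
    and the magic bytes agree with it. Returns (accepted, reason)."""
    ext = claimed_ext.lower().lstrip(".")
    if ext not in MAGIC:
        return False, f"extension .{ext} is not in the allow-list"
    expected = "jpg" if ext == "jpeg" else ext
    actual = detect_format(data)
    if actual != expected:
        return False, f"claimed .{ext} but content looks like {actual}"
    return True, "ok"


# Constructed samples: a minimal JPEG header, and a benign MVG snippet that
# only declares a canvas, uploaded under a .jpg name.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
DISGUISED_MVG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"
```

This closes only the disguised-extension route; upgrading to the fixed ImageMagick versions is still required.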
“It seems like the attackers are targeting forum-based sites, as they generally allow open user registration and avatar uploads, which are the requirements for ImageTragick,” said Daniel Cid, founder and CTO of Sucuri, in an email interview with SCMagazine.com. “Either they try to create a reverse shell using bash or try to download a backdoor to give them access to the site.” Cid expressed concern that cybercriminals could exploit these forum-based sites “to steal user, emails and password databases from them, which might lead to more password leaks, in addition to common malware and spam injections.”
In its blog post, Sucuri cited a particularly interesting observed attack that uses a bot to scan for URLs that allow multiple file uploads. Whenever it finds one, the bot sends a malicious file, disguised as a .jpg, which creates a reverse shell that enables communication with a C&C server at a Taiwanese IP address.
Separately, CloudFlare reported that the most common malicious payloads used by ImageTragick attackers so far have been created for the purpose of testing and reconnaissance. “They try something to see if a vulnerability works on a particular website, and then come back later” to download even more complex malware, said CloudFlare programmer John Graham-Cumming in an interview with SCMagazine.com.
CloudFlare also found a number of remote-access payloads, including one that downloads and executes Python-based code that lets attackers interact directly with an affected website's web server via a shell program. In one instance, attackers kept the Python program in the victim machine's memory instead of on disk, where it could have been detected, noted Graham-Cumming, who said CloudFlare started monitoring for malicious .mvg payloads within 12 hours of ImageTragick's disclosure and immediately began identifying attacks.
“Two years ago, researchers jokingly said that it was time to look for vulnerabilities in ImageMagick and now RCE in ImageMagick is reality,” said Ermishkin. “You should take the possibility of such attacks into account while designing the architecture of your projects. Thus, you should process untrusted data received from users in a sandbox environment to prevent such vulnerabilities from completely compromising your service.”