Critical flaws in ImageMagick library expose websites to hacking
Security researchers have discovered a serious vulnerability in ImageMagick, an image processor used by millions of websites. A large number of websites are exposed to exploits that are somewhat “trivial” and allow attackers to run malicious code on a targeted website using uploaded images.
The vulnerability, CVE-2016-3714, was discovered by “Stewie” and security researcher Nikolay Ermishkin from the Russian internet services company Mail.Ru Group. The flaws have been dubbed ImageTragick, and a website of the same name has been created for website admins and developers with comprehensive information about the multiple vulnerabilities. It also includes mitigation advice until a patch is rolled out by the company.
ImageMagick is a free, popular, open-source image-processing library used to create, edit and convert images in a variety of formats, with bindings for PHP, Ruby, Python and other languages. It is obscure enough, running behind other software, that many webmasters probably do not even realize they are using it.
If exploited, CVE-2016-3714 allows malicious image uploads to trick ImageMagick into running commands, giving attackers the opportunity to perform remote code execution on compromised domains. This could permit hackers to hijack domains, distribute malware and steal data.
The ImageMagick developers are aware of the flaws and have attempted to fix them in versions 7.0.1-1 and 6.9.3-10, addressing the vulnerability present in previous software versions. However, the Mail.Ru researchers called these measures “incomplete.”
According to website security firm Sucuri, which published an independent analysis of the vulnerability, recent versions of ImageMagick do not properly filter the file names of uploaded images before passing them on to the external processes it invokes for formats such as HTTPS. This omission allows attackers to execute commands of their choice, giving them full remote command execution.
Many social media sites, blogs and content management systems rely on ImageMagick-based processing, either directly or indirectly, to resize images uploaded by users.
“The vulnerability is very simple to exploit,” Sucuri founder and CTO Daniel Cid wrote. “An attacker only needs an image uploader tool that leverages ImageMagick. During our research we found many popular web applications and SaaS products vulnerable to it (people love gravatars), and we have been contacting them privately to get things patched. Unfortunately, even with all the media attention, not everyone is aware of this issue.”
While security researchers have already developed proof-of-concept (PoC) exploits, there is also evidence that people other than ImageMagick developers and security researchers have been experimenting with the flaw.
Administrators and developers are encouraged to verify the integrity of all uploaded image files and to temporarily suspend image uploads where mitigations cannot be implemented immediately. Additionally, the ImageMagick developers have recommended a policy-based mitigation approach on their support forum.
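As an added illustration of the first mitigation above (example code, not from the article or from ImageMagick), here is a Python upload check that refuses files whose leading bytes do not carry a real raster-image signature, so that a text-based format renamed to `.png` never reaches ImageMagick's content-sniffing decoder; the file names and sample bytes are constructed.

```python
# Added example: validate uploads by magic bytes before handing them to ImageMagick.
# ImageMagick chooses a coder by inspecting content, not the extension, so an
# extension-only check does not stop a text file (MVG, SVG, MSL) renamed "photo.png".

# Leading bytes of the raster formats we are willing to pass on to ImageMagick.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extension -> format name we expect the content to match.
ALLOWED_EXTENSIONS = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def detect_image_type(data: bytes):
    """Return the format whose signature the data starts with, or None."""
    for fmt, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return fmt
    return None


def validate_upload(filename: str, data: bytes):
    """Return (ok, detail). ok is True only when the extension is on the allow
    list AND the bytes actually begin with that format's signature."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_EXTENSIONS.get(ext)
    if expected is None:
        return False, "extension not allowed"
    actual = detect_image_type(data)
    if actual is None:
        return False, "no known image signature (possibly a text-based format)"
    if actual != expected:
        return False, f"extension says {expected} but content is {actual}"
    return True, actual


# Constructed samples (hypothetical): a minimal PNG header, and a harmless MVG
# text file that an attacker-style upload would rename to look like a PNG.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_MVG_AS_PNG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

if __name__ == "__main__":
    print(validate_upload("photo.png", SAMPLE_PNG))          # (True, 'png')
    print(validate_upload("photo.png", SAMPLE_MVG_AS_PNG))   # rejected: no signature
    print(validate_upload("photo.gif", SAMPLE_PNG))          # rejected: mismatch
```

This check is only the first layer; the ImageTragick advisory also recommends the policy-based mitigation mentioned above, a `policy.xml` that sets `rights="none"` for the EPHEMERAL, URL, HTTPS, MVG and MSL coders so those handlers cannot be reached even if a file slips through.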