Extreme photo-bombing: Bad ImageMagick bug puts countless websites at risk of hijacking
Apply mitigations now – poisoned selfies are in the wild
A wildly popular software tool used by websites to process people's photos can be exploited to execute malicious code on servers and leak server-side files.
Security bugs in the software are apparently being exploited in the wild right now to compromise at-risk systems. Patches to address the vulnerabilities are available in the latest source code – but are incomplete and have not been officially released, we're told.
Whenever you upload a profile photo, a gallery of snaps, or a silly meme to a website, there's an extremely high chance that the site is using ImageMagick, an open-source collection of image processing tools, to resize, crop and tweak the pictures.
By feeding booby-trapped data – such as a poisoned selfie – to web services using ImageMagick, it may be possible to execute malicious code on the website's server. From there hackers can start infiltrating the system to steal secrets, snoop on people's accounts, and so on.
Today the ImageMagick team announced: "We have recently received vulnerability reports ... they include possible remote code execution and ability to render files on the local system."
These vulnerabilities will be addressed in versions 7.0.1-1 and 6.9.3-10, which are due to be released by the weekend. In the meantime, it's recommended that developers sanity check the magic bytes in files sent to ImageMagick – and edit their policy.xml file to include these lines to block attacks. Web app coders should also investigate sandboxing ImageMagick to limit its access.
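One way to implement the magic-byte sanity check recommended above, as an added example that is not the article's or ImageMagick's own code; the table of accepted formats and the convert wrapper are assumptions about a hypothetical upload endpoint:

```python
# Added example (not from the article or from ImageMagick): check an upload's
# magic bytes before it is handed to ImageMagick, and pin the input coder.

# Signatures for the raster formats this hypothetical upload endpoint accepts.
# Anything else, including a file whose extension merely claims to be one of
# these, is rejected before ImageMagick's own format sniffing picks a decoder.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",          # covers GIF87a and GIF89a
}
EXT_ALIASES = {"jpg": "jpeg"}


def detect_format(data: bytes):
    """Return the accepted format whose magic bytes open `data`, else None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def check_upload(filename: str, data: bytes) -> bool:
    """True only if the file's contents and its claimed extension agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    fmt = detect_format(data)
    return fmt is not None and fmt == ext


def convert_argv(fmt: str, src: str, dst: str, size: str = "256x256"):
    """Build an argv for ImageMagick's convert with an explicit input coder.

    The `png:` style prefix is ImageMagick's own syntax for naming the coder;
    pinning it means the file's contents cannot steer ImageMagick towards a
    different decoder or delegate. Arguments are a list, never a shell string.
    """
    if fmt not in MAGIC:
        raise ValueError("unsupported format: %r" % fmt)
    return ["convert", "%s:%s" % (fmt, src), "-resize", size, "%s:%s" % (fmt, dst)]


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a non-image payload.
    png_head = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(check_upload("selfie.png", png_head))        # True
    print(check_upload("meme.png", b"not an image"))   # False
```

The check belongs in the upload handler, before any call into ImageMagick; it complements, rather than replaces, the policy.xml restrictions and sandboxing mentioned above.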
According to Slack security engineer Ryan Huber, "the exploit for this vulnerability is being used in the wild ... The exploit is trivial, so we expect it to be available within hours," and the patches available right now are "incomplete."
It appears that details of the flaws leaked out before proper fixes could be crafted and released, and that this information is in the hands of exploit writers, meaning servers worldwide are now at risk. A researcher called Stewie, and Mail.ru security engineer Nikolay Ermishkin, are credited with uncovering the programming blunders.
Exact details of the vulnerabilities are not being disclosed at this time, but it's not hard to work out where they lie given the hints dropped so far. Essentially, an attacker crafts an image that eventually gets passed to one of these insecure delegates – the external commands that ImageMagick executes to process snaps.
"ImageTragick: Upload(meme.png)->(IM detects non-png format based on file magic)->(IM uses insecure delegates to decode)->Shells!" – HD Moore (@hdmoore), May 3, 2016
One of the bugs – the remote-code execution flaw – has the identifier CVE-2016-3714 and already has a name, logo and website: ImageTragick. More information and proof-of-concept exploitation code is expected to appear there shortly. ®