Vulnerability in ImageMagick threatens large number of websites
A large number of websites are susceptible to an attack in which a malicious party can execute malicious code on the server by uploading a specially crafted image to, for example, a photo album. There is a workaround; a patch will be available this weekend.
Details of the security bug were leaked before ImageMagick versions 7.0.1 and 6.9.3 could be patched, and the vulnerability is already being exploited. One of the bugs already has a CVE number, CVE-2016-3714, and also a name: ImageTragick. The bug was discovered by researcher Stewie. Nikolay Ermishkin of Mail.ru found other problems, such as the ability to run code remotely.
ImageMagick advises users who run the application on web servers to add a few lines to the policy.xml file. Users of HTTPS are advised to also modify the delegates.xml file. At least some of the exploits are blocked by the modified files.
The ImageTragick site, created by Slack developer and security researcher Ryan Huber, recommends checking every uploaded image file for the “magic bytes” that should appear at the beginning of each image file. An image file should only be processed if these are correct. Magic bytes are the first few bytes of a file type that allow the type to be verified. For example, a JPEG file starts with ‘FF D8’. The full list is on Wikipedia.
A possible attack scenario is that a malicious person uploads a file with an extension such as jpg, png or another image extension. ImageMagick will then try to interpret the file and convert the image into an intermediate format. In some cases, this can lead to the file being decoded in an insecure way and to malicious code subsequently being executed on the server: remote code execution.
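The magic-bytes check that the ImageTragick site recommends, applied to the upload scenario described above, as an added example (not code from the article, from ImageMagick or from the ImageTragick site). It checks that the leading bytes of an upload match the image type its extension claims, and rejects anything else before ImageMagick ever sees it. The signature table is constructed here from public file-format documentation (the article itself only quotes the JPEG signature ‘FF D8’), and the sample uploads at the bottom are constructed inputs.

```python
# Validate uploads by their magic bytes before handing them to ImageMagick.
# Added example; the signature table below is assumed from public
# file-format documentation and covers only the types this site allows.
from typing import BinaryIO, Optional

# Leading byte sequences per allowed image type (constructed allow-list).
MAGIC_BYTES = {
    "jpeg": [b"\xff\xd8"],               # FF D8, as quoted in the article
    "png": [b"\x89PNG\r\n\x1a\n"],       # 89 50 4E 47 0D 0A 1A 0A
    "gif": [b"GIF87a", b"GIF89a"],
}

# Which file extensions are accepted, and which signature they must carry.
EXTENSION_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}

# Longest signature in the table: that is all we need to read from the upload.
MAX_SIGNATURE_LEN = max(len(s) for sigs in MAGIC_BYTES.values() for s in sigs)


def detect_image_type(header: bytes) -> Optional[str]:
    """Return the allowed image type whose signature matches the leading bytes, else None."""
    for image_type, signatures in MAGIC_BYTES.items():
        if any(header.startswith(sig) for sig in signatures):
            return image_type
    return None


def is_safe_to_process(filename: str, data: bytes) -> bool:
    """True only if the extension is allowed AND the magic bytes match that extension.

    A mismatch (e.g. text or an SVG/MVG body uploaded as .jpg) is rejected, as is
    any extension outside the allow-list, so ImageMagick never gets to guess the
    format from the content.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXTENSION_TO_TYPE.get(ext)
    if expected is None:
        return False
    detected = detect_image_type(data[:MAX_SIGNATURE_LEN])
    return detected == expected


def check_upload(filename: str, stream: BinaryIO) -> bool:
    """Stream variant: read only the signature prefix, then restore the position."""
    start = stream.tell()
    header = stream.read(MAX_SIGNATURE_LEN)
    stream.seek(start)
    return is_safe_to_process(filename, header)


if __name__ == "__main__":
    import io

    # Constructed sample uploads: a real-looking JPEG header, a PNG header
    # uploaded under a .jpg name, and a plain-text body named like an image.
    samples = [
        ("holiday.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("holiday.jpg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("evil.jpg", b"not an image at all\n"),
        ("drawing.svg", b"<svg xmlns='http://www.w3.org/2000/svg'/>"),
    ]
    for name, body in samples:
        verdict = "accept" if check_upload(name, io.BytesIO(body)) else "reject"
        print(f"{name}: {verdict}")
```

The check is deliberately an allow-list keyed on the extension rather than a "does it look like any image" test: the point of the workaround is to stop ImageMagick from auto-detecting a format you did not intend to accept, so an upload whose bytes say PNG but whose name says .jpg is rejected too, and formats outside the table are never passed on regardless of their contents.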
It is not yet clear whether all the problems have surfaced. Until then, according to Huber, the workarounds cannot be fully trusted either. The problem exists in part because ImageMagick supports more than 200 different formats. One option for the future is to use the GraphicsMagick fork, which supports a much smaller number of file types, Ars Technica writes.
ImageMagick is a widely used image processing library that is supported by PHP, Ruby, NodeJS, Python, among others. Many content management systems, social media sites, blogs, and the like use ImageMagick directly or indirectly to resize or apply other image processing to images.