A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images.
The vulnerability resides in ImageMagick, a widely used image-processing library that’s supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.
According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker’s choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.
“The exploit is trivial, so we expect it to be available within hours of this post,” Huber wrote in a blog post published Tuesday. He went on to say: “We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them.
Update, May 4, 2016: 3:55: Almost 24 hours after this post went live, researchers from website security firm Suciri published an independent analysis that concurs with Huber’s assessment. It also sheds new light on how the exploit works. They said that recent versions of ImageMagick don’t properly filter the uploaded file names before passing them to the server processes such as HTTPS. The ommission allows attackers to execute commands of their choosing, leading to a full remote command capability.
“The vulnerability is very simple to exploit,” Sucuri founder and CTO wrote in Wednesday’s post. “An attacker only needs an image uploader tool that leverages ImageMagick. During our research we found many popular web applications and SaaS products vulnerable to it (people love gravatars), and we have been contacting them privately to get things patched. Unfortunately, even with all the media attention, not everyone is aware of this issue.”
ImageMagick maintainers have also acknowledged the possibility of critical vulnerabilities allowing remote code execution. They haven’t issued any patches, but they did suggest website administrators add several lines of code to configuration files to block at least some of the possible exploits. Huber has made the same recommendation and put the lines in this downloadable file. He went a step further by advising sites that use ImageMagick to also verify that all uploaded image files begin with the expected “magic bytes” corresponding to the image file types before allowing the files to be processed. Admins should consider temporarily suspending image uploading in cases where these mitigations can’t immediately be put in place.
The code-execution bug was discovered by security researcher Nikolay Ermishkin, who is expected to release an advisory in the coming hours. Huber went public in an attempt to prevent malicious attacks after learning the vulnerability details were already being widely disseminated ahead of Ermishkin’s planned disclosure. The code-execution vulnerability came to light after it was used in recent bug bounty submissions.
One attack scenario would involve a social media site, blogging service, or news site that accepts image uploads from untrusted end users. An attacker could upload a file ending with png, jpg, or another supported extension, even though the contents are in a different format. Once ImageMagick detects the mismatched format, it will attempt to transform the image into an intermediate format that in some cases results in an insecure decoding path. That condition, in turn, can lead to code execution on the server.
Huber said that the mitigations he recommended are effective against all of the exploit samples he has seen, but he went on to say there’s no guarantee the measures will eliminate all types of attack. Until the full scope of the vulnerability is disclosed, people using ImageMagick should assume that the mitigations are incomplete. That means admins should monitor this vulnerability closely and be ready to put additional defenses in place. Another option is either to sanitize images before they’re processed by ImageMagick or disable all formats except the ones needed.
The threat at least in part stems from ImageMagick supporting more than 200 different formats, including nroff (man pages) and postscript. In the longer term, admins should consider switching to GraphicMagick, an ImageMagick fork that supports a much smaller number of file types. Update: About 40 minutes after this post went live, security researcher Dan Tentler said he has developed a working proof-of-concept exploit.