![]() Attackers can trigger CVE-2016-3715 to delete files using ImageMagick's ephemeral pseudo-protocol, CVE-2016-3716 to move image files to another arbitrary file via the msl pseudo-protocol, and read the content of the files from the server (CVE-2016-3717) using ImageMagick's label pseudo-protocol. The server-side request forgery vulnerability (CVE-2016-3718) lets attackers include arbitrary HTTP GET or FTP requests within the file. The remaining flaws also take advantage of ImageMagick's support for including external files. ImageMagick's "identify" tool is also vulnerable and cannot be used to filter files. While processing the initial file, ImageMagick would attempt to load those external references as well, which could trigger the flaw. ![]() The severity of the issue is compounded by the fact that ImageMagick supports an extensive list of file formats including those that can refer to external files. ![]() An attacker can pass a string with a shell-command appended to a URL, and because of insufficient filtering, the delegate winds up executing the unexpected command as well. For example, delegates have a default command that uses wget to handle HTTPS requests. "Due to insufficient %M param filtering, it is possible to conduct shell command injection," according to Ermishkin's disclosure on the oss-security mailing list. Within hours of Huber's post, there has been at least one report of a proof-of-concept on Twitter and an exploit on Hacker News.ĬVE-2016-3714 is a bug where filenames being passed to ImageMagick's delegates are insufficiently sanitized. "The exploit is trivial, so we expect it to be available within hours," said Huber. Huber preempted disclosure by a few hours because the remote code execution bug was already being used in the wild. The remote code execution flaw - ImageTragick (CVE-2016-3714) - and four other vulnerabilities in ImageMagick's image decoder were initially discovered by Nikolay Ermishkin, a security researcher for. Full disclosure on the heels of an exploit "Because these ImageMagick vulnerabilities are being exploited today to hijack websites, getting a public Metasploit module out quickly is critically important for defenders to test their mitigation strategies," said Tod Beardsley, senior security research manager at Rapid7 and Metasploit collaborator. HD Moore, the creator of the Metasploit penetration testing framework, promised a public Metasploit module by Wednesday. Web application developers can also investigate sandboxing ImageMagick, although the team did not provide any information on how to do so. At this time, it would be a good idea to switch to GD or other supported third-party tools to handle thumbnails and other image processing tasks.Īdministrators should also consider temporarily turning off image uploads on their Web applications until the patches are available and have been applied. For example, MediaWiki supports both the GD library and ImageMagick. Some Web applications give administrators a choice of image processing libraries. " are effective against all of the exploit samples we've seen, but we cannot guarantee they will eliminate all vectors of attack." "We recommend you mitigate the known vulnerabilities by doing at least one of these two things (but preferably both!" the advisory said. It's also possible to remove support for HTTPS by deleting the policy from the delegates.xml configuration file. ImageMagick provided details on policies to block possible exploits on its user forums. The second is to use a policy file - the global policy.xml file is usually found in /etc/ImageMagick - to disable vulnerable ImageMagic coders. ![]() For GIF images, the first few bytes tend to start with the hex bytes "47 49 46 38," while JPEG files start with "FF D8." Check the list of magic bytes to identify other file types. The first recommendation is to verify that all image files begin with the expected "magic bytes" corresponding to the file types before sending them to ImageMagick for processing. A large number of websites are vulnerable to attack, and Web application developers and server administrators should immediately apply workarounds to mitigate the flaws. Many popular content management systems, blogging sites, and social media platforms use either the image processing tool or the library to resize, crop, and otherwise tweak images uploaded by users. The vulnerabilities affect both the ImageMagick software and the library, which is supported by more than a dozen other languages, including PHP (imagick), Ruby (rmagick and paperclip), Node.js (imagemagick), and Python. The fixes are expected to be available in versions 7.0.1-1 and 6.9.3-10, which are expected to be out by the weekend. The latest packages from the 6 and 7 branches, including the versions provided in Ubuntu 14.04 and OS X are all vulnerable.
0 Comments
Leave a Reply. |