There are vulnerabilities in the image processing suite ImageMagick, including a remote code execution flaw.
ImageMagick is a free and open-source software package that allows users to display, convert and edit image files. The ImageMagick library sees use by image-processing plugins, which means the software is present in a large number of web applications.
While analyzing a flaw found by a researcher who uses the online moniker “Stewie,” Nikolay Ermishkin from the Mail.Ru security team discovered a remote code execution vulnerability related to insufficient filtering of shell characters.
The vulnerability, dubbed “ImageTragick,” can end up exploited by uploading a specially crafted file to a website that processes images using ImageMagick.
An attacker can create an exploit file and assign it an image extension, such as .png, in order to bypass the targeted site’s file type checks. ImageMagick determines the file type based on “magic bytes,” the first few bytes of a file specific to each file type. Once it detects it’s not an actual .png, ImageMagick converts the file and the malicious code ends up executed in the process, allowing the attacker to gain access to the targeted server.
An exploit for this vulnerability is publicly available and researchers said attackers have already used it.
ImageMagick developers attempted to patch the vulnerability with the release of versions 6.9.3-9 and 7.0.1-0 on April 30, but researchers said the fix is incomplete. Another patch will be included in ImageMagick 7.0.1-1 and 6.9.3-10, which should be out shortly.
In the meantime, users have been advised to disable vulnerable coders by modifying their policy files. Another mitigation involves verifying that magic bytes correspond to image file types before sending the file to ImageMagick for processing.
Other vulnerabilities found in ImageMagick can end up exploited to move, read or delete files (CVE-2016-3716, CVE-2016-3717 and CVE-2016-3715), and for server-side request forgery, or SSRF, attacks (CVE-2016-3718).