ImageMagick is a popular software suite that is used to display, convert, and edit images. On May 3, security researchers publicly disclosed multiple vulnerabilities in the open-source image processing tool in this suite, one of which could potentially allow remote attackers to take over websites.
This suite can read and write images in over 200 formats including PNG, JPEG-2000, GIF, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Content management systems frequently use it to process any images before they are shown to the user.
The developers of ImageMagick have released updated versions of their software to fix these vulnerabilities. One vulnerability, CVE-2016-3714, allows for remote code execution on the server. This could be used to compromise Web servers and take over websites. Reports indicate that this vulnerability is already being exploited in the wild. Other reported vulnerabilities allow for HTTP/GET requests to be made from the server and for files to be read, moved, or deleted. Proof of concept code for these vulnerabilities is made available by the researchers.
Users for Trend Micro Deep Security and TippingPoint have been already protected from any threats that may exploit these vulnerabilities.
Details of the vulnerability, CVE-2016-3714
ImageMagick allows for files to be processed by external libraries. This feature is called ‘delegate’. These commands defined in the command string (‘command’) in the configuration file delegates.xml with actual value for different params (input/output filenames etc). One of the default delegate’s commands is used to handle HTTPS requests:
<delegate decode=”https” command=””curl” -s -k -o “%o” “https:%M””/>
Unfortunately, the input field %M is not sanitized. It is possible to pass a value like ‘https://sample.com”|ls “-la’ to execute the shell command ‘ls -la‘. Once this command line runs, wget or curl (both commonly-used command-line utilities) would execute and run the ls –la command as well, The output would be something like this:
$ convert ‘https://sample.com”|ls “-la’ out.png
drwxr-xr-x 2 root root 4096 May 4 21:36 .
drwx—— 5 root root 12288 May 4 20:47 ..
-rw-r–r– 1 root root 481 May 4 19:27 Test.png
-rw-r–r– 1 root root 543 May 4 15:13 convertimage.php
Severity of the disclosed vulnerabilities in ImageMagick
There are 5 vulnerabilities in ImageMagick, which are as follows:
- CVE-2016-3714: remote command execution on .svg/.mvg file uploads. By uploading a malicious file, an attacker can force a shell command to be executed on the server.
- CVE-2016-3715: remote file deletion when using the “ephemeral:/” protocol, an attacker can remove files from the server.
- CVE-2016-3716: remote file moving using the “msl:/” pseudo protocol, the attacker can move files around.
- CVE-2016-3717: file content read using the “label:@” protocol.
- CVE-2016-3718: server-side request forgery, an attacker can force the server to connect to malicious domain by a crafted file
Based on our analysis of these vulnerabilities, we could say that attackers have a wide range of options and tools to compromise a web server that uses ImageMagick.
Who is at risk?
Any server not running the latest versions of ImageMagick (7.0.1-1 or 6.9.3-10) would be at risk. Servers that are used for shared hosting or allow user uploads of files are at particular risk, as it would be easier for a malicious user to upload an “image” that contains malicious code.
How to check if your website is vulnerable
Users can verify if their servers are vulnerable to these flaws by running these commands from the command line:
- “$ convert –version”: If the version is not 7.0.1-1 or 6.9.3-10, your site could be vulnerable.
- “$ convert ‘https:”;echo It Is Vulnerable”‘ – 2>&-“: If the output is “It Is vulnerable”, then you should patch it as soon as possible.
We recommend that server administrators immediately implement to protect servers:
- Patches have already released; we recommend upgrading to the latest version.
- Verify that uploaded images begin with the expected “magic bytes” corresponding to image file types before these are processed. This is to ensure that the “images” being uploaded actually are images, and not exploits.
- Modify the policy file policy.xml to change some ImageMagick settings. The global policy for ImageMagick is usually found in “/etc/ImageMagick”. Details can be found at the ImageMagick support forum.
Trend Micro Solutions:
Trend Micro Deep Security protect user systems from any threats that may exploit these vulnerabilities via the following DPI rule:
- 1007610 – Identified Usage Of ImageMagick Pseudo Protocols
- 1007609 – ImageMagick Remote Code Execution Vulnerability (CVE-2016-3714)
- 1007611 – ImageMagick Remote Code Execution Vulnerability (CVE-2016-3714) – 1
TippingPoint customers will be protected from attacks exploiting this vulnerability with the following MainlineDV filter that will be made avail on May 10:
- 24579: HTTP: ImageMagick MVG Various Delegate Command Usage
- 24580: HTTP: ImageMagick MVG Various Delegate Command Usage
- 24583: HTTP: ImageMagick MVG Delegate Command Injection Vulnerability
- 24584: HTTP: ImageMagick SVG Delegate Command Injection Vulnerability
TippingPoint has posted a Customer Shield Writer (CSW) for these vulnerabilities that are available for customers to download on TMC.
Updated on May 10, 2016, 03:20 PM (UTC-7):
We updated this entry to add TippingPoint and a DPI rule as our solutions.