ImageTragick: An RCE vulnerability in ImageMagick

Introduction

Multiple vulnerabilities in ImageMagick have been discovered. When submitted images are processed, one of these vulnerabilities can lead to remote code execution (RCE).

Description

ImageMagick is a software tool which is commonly used by webservices to process images. This package is used by at least the following image processing plugins: PHP's imagick, Ruby's rmagick and paperclip, and nodejs's imagemagick. Note that this is not an exhaustive list.

Who is affected

The main risk is for webservers.
ImageMagick is cross-platform, so the vulnerability can affect Windows and Linux servers alike.

If you run a webservice which allows visitors to upload pictures, check (or have your provider check) whether the libraries/plugins used to handle the images use ImageMagick.

Impact

Since one of the vulnerabilities allows for remote code execution (RCE), the impact includes, but is not limited to:

  • data leakage;
  • credential theft;
  • denial of service of the system.

This is a bug which is relatively easy to exploit, so we expect it to be used in the wild.

What should I do?

These vulnerabilities can be mitigated by doing one of the following:

  • Edit the policy.xml file (usually found in /etc/ImageMagick) and include these lines. This will disable the vulnerable coders.
  • Check whether images begin with the expected magic bytes before sending them to ImageMagick to be processed. Magic bytes are the first few bytes of a file, used to identify its type.
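As an added example (not part of this advisory and not ImageMagick's own code), both mitigations above in Python: a magic-byte check for uploaded files, and a check that a policy.xml denies the coders to be disabled. The coder names EPHEMERAL, URL, HTTPS, MVG and MSL are an assumption taken from imagetragick.com rather than from this page, and the sample files and policy fragments are constructed.

```python
import xml.etree.ElementTree as ET

# Signatures of the raster formats an upload form would normally accept.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def sniff_image_type(data: bytes):
    """Return the format whose magic bytes open `data`, or None.

    ImageMagick picks a coder from file content, not the extension, so a plain-text
    MVG or MSL script renamed to .png still reaches those coders. Rejecting anything
    without a known raster signature keeps it out of the decoders.
    """
    for name, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None

# Coders to lock down. Assumption: this is the list published at imagetragick.com;
# the advisory above says "the vulnerable coders" without naming them.
DISABLED_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}

def missing_coder_policies(policy_xml: str) -> set:
    """Return the coders in DISABLED_CODERS that policy.xml does not deny."""
    root = ET.fromstring(policy_xml)
    denied = {
        p.get("pattern")
        for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights") == "none"
    }
    return DISABLED_CODERS - denied

# Constructed samples: a PNG header, an MVG script that an extension check would
# let through, and a policy.xml fragment with the coder entries denied.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
SAMPLE_MVG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""
PARTIAL_POLICY = '<policymap><policy domain="coder" rights="none" pattern="MVG" /></policymap>'

if __name__ == "__main__":
    print(sniff_image_type(SAMPLE_PNG), sniff_image_type(SAMPLE_MVG), missing_coder_policies(PARTIAL_POLICY))
```

A file that fails the magic-byte check should be rejected before ImageMagick is invoked; the policy check is a deployment-time sanity check that the coder entries are actually present on the server.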

Updates will be made available by ImageMagick this weekend for versions 7.0.1-1 and 6.9.3-10.

External resources

  1. https://www.imagetragick.com/
  2. http://www.theregister.co.uk/2016/05/03/imagemagick/
  3. https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
  4. https://gist.github.com/rawdigits/d73312d21c8584590783a5e07e124723