A while ago, two Russian security researchers reported a vulnerability in the ImageMagick image processing library deployed with countless Web servers. The researchers define it as a zero-day which has been used in live attacks.
It was called ImageTragick and identified via the CVE-2016–3714 vulnerability ID. The issue has a massive attack surface, since alongside the GD library, ImageMagick is one of the most used image processing toolkits around.
The researchers who discovered the vulnerability claim that there are more than one vulnerabilities in ImageMagick, however, the one they call ImageTragick has been used to compromise websites via malicious images uploaded on the server.
According to the two experts, the zero-day, which they say is trivial to execute, is still unpatched, but the ImageMagick project has been just notified.
Normally, such sensitive bug fixing operations would be carried out in complete privacy, however, the decision to go public was influenced by the fact that cyber criminals used the zero-day to compromise servers, while the researchers wanted to give webmasters the opportunity to mitigate the attacks.
The mitigation instructions are available on the website of ImageTragick. The proof-of-concept code will be published any minute.
Nevertheless, there is one condition here – users are allowed to upload files to the server, and a large number of websites do via “user avatar” options.
Although the two Russian researchers refused to reveal any clues regarding the exploitation routine, based on the mitigation advice, it certainly involves magic bytes and ImageMagick coders.
Magic bytes are the first few bytes of a file used programmatically to identify the image type (GIF, JPEG, PNG, etc.). ImageMagick coders are ImageMagick modules that read and write data to specific image file types.
According to the researchers, there’s an RCE (Remote Code Execution) bug somewhere in there, which lets hackers write code to the server.
If a hacker is skilled enough, he can upload a malicious image, which uses the zero-day to write a webshell to disk and uses it to take over control of the entire server.