Large Number Of Websites And Organisations Vulnerable To Simple ImageMagick Hack

A tool called ImageMagick that is used by countless websites and companies for resizing user-submitted images has been found to have critical vulnerabilities that allow hackers to execute malicious code. This can be done simply by submitting a dodgy image for ImageMagick to process and attackers may have already exploited this gaping security hole to force their way onto targeted web servers. Here's what you need to know.

Selfie image from Shutterstock

ImageMagick is an open source image processing software suite used to manipulate images in the command line and through various plugins. It has existed for over 25 years. A vast number of websites rely on it to resize user-submitted pictures and organisations are known to use ImageMagick for batch processing of images such as when customers submit paperwork through email in the form of file attachments.

ImageMagick works discretely in the background of numerous websites and blogs so many people may be unaware that they're even using it. The fact it supports a wide variety of image formats and programming languages has ensured ImageMagick's enduring popularity with developers.

The exploits, discovered by Russian researchers at Mail.ru, allow attackers to perform remote code execution on a web server by submitting a dodgy image to a website or web service that uses ImageMagick. Attackers can manipulate an image file to mask the malicious contents and once that is processed through ImageMagick, it triggers the software to run commands that allow hackers to gain access to web servers. From there, they can then take over legitimate websites for phishing, data theft and ransomware purposes.

Considering how many websites, blogs and social media platforms allow for user-submitted images and are likely to be running ImageMagick, this security vulnerability can do a lot of damage. Security vendor Sophos has recommended that, as a starting point, if you have a hosted website or blog, ask your hosting provider if they use ImageMagick.

The community in charge of maintaining ImageMagick has yet to provide a patch for the exploits but are working to release one very soon. In the meantime, there are ways to mitigate the vulnerabilities, albeit not completely. According to security researcher Ryan Huber who wrote a blog detailing the ImageMagick hack:

"If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities by doing at least one of these two things (but preferably both!):

  • Verify that all image files begin with the expected "magic bytes" corresponding to the image file types you support before sending them tos ImageMagick for processing.
  • Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”. The below policy.xml example will disable the coders EPHEMERAL, URL, MVG, and MSL."

Organisations that do perform batch image processing should also check to see if they are using ImageMagick and take recommended steps to combat the vulnerabilities.

You can find additional details on mitigating the ImageMagick hack over at Huber's blog post.

[Via Medium, Sophos and ImageMagick]


Comments

    For anyone wondering, wordpress uses GD as apposed to ImageMagick unless forced via a plugin ,etc. a New version of IM is expected for release this weekend. in the meantime as mentioned you can modify the config to prevent RCE

Join the discussion!