A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images.
The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.
According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.
"The exploit is trivial, so we expect it to be available within hours of this post," Huber wrote in a blog post. He went on to say: "We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software."
ImageMagick maintainers have also acknowledged the possibility of critical vulnerabilities allowing remote code execution. They haven't issued any patches, but they did suggest website administrators add several lines of code to configuration files to block at least some of the possible exploits. Huber has made the same recommendation and put the lines in this downloadable file. He went a step further by advising sites that use ImageMagick to also verify that all uploaded image files begin with the expected “magic bytes” corresponding to the image file types before allowing the files to be processed. Admins should consider temporarily suspending image uploading in cases where these mitigations can't immediately be put in place.
The code-execution bug was discovered by security researcher Nikolay Ermishkin, who is expected to release an advisory in the coming hours. Huber went public in an attempt to prevent malicious attacks after learning the vulnerability details were already being widely disseminated ahead of Ermishkin's planned disclosure. The code-execution vulnerability came to light after it was used in recent bug bounty submissions.
One attack scenario would involve a social media site, blogging service, or news site that accepts image uploads from untrusted end users. An attacker could upload a file ending with png, jpg, or another supported extension, even though the contents are in a different format. Once ImageMagick detects the mismatched format, it will attempt to transform the image into an intermediate format that in some cases results in an insecure decoding path. That condition, in turn, can lead to code execution on the server.
Huber said that the mitigations he recommended are effective against all of the exploit samples he has seen, but he went on to say there's no guarantee the measures will eliminate all types of attack. Until the full scope of the vulnerability is disclosed, people using ImageMagick should assume that the mitigations are incomplete. That means admins should monitor this vulnerability closely and be ready to put additional defenses in place. Another option is either to sanitize images before they're processed by ImageMagick or disable all formats except the ones needed.
The threat at least in part stems from ImageMagick supporting more than 200 different formats, including nroff (man pages) and postscript. In the longer term, admins should consider switching to GraphicMagick, an ImageMagick fork that supports a much smaller number of file types.