Administrators should also consider temporarily turning off image uploads on their Web applications until the patches are available and have been applied.
Web application developers can also investigate sandboxing ImageMagick, although the team did not provide any information on how to do so.
HD Moore, the creator of the Metasploit penetration testing framework, promised a public Metasploit module by Wednesday. "Because these ImageMagick vulnerabilities are being exploited today to hijack websites, getting a public Metasploit module out quickly is critically important for defenders to test their mitigation strategies," said Tod Beardsley, senior security research manager at Rapid7 and Metasploit collaborator.
Full disclosure on the heels of an exploit
The remote code execution flaw -- ImageTragick (CVE-2016-3714) -- and four other vulnerabilities in ImageMagick's image decoder were initially discovered by Nikolay Ermishkin, a security researcher for Mail.ru. Huber preempted the coordinated disclosure by a few hours because the remote code execution bug was already being used in the wild. "The exploit is trivial, so we expect it to be available within hours," said Huber. Within hours of Huber's post there was at least one report of a proof-of-concept on Twitter and an exploit on Hacker News.
CVE-2016-3714 is a bug in which filenames passed to ImageMagick's delegates (the external commands ImageMagick shells out to for formats it does not handle itself) are insufficiently sanitized. "Due to insufficient %M param filtering, it is possible to conduct shell command injection," according to Ermishkin's disclosure on the oss-security mailing list. For example, the default delegate for HTTPS requests runs wget, with the URL taken from the input file substituted into the command line. An attacker can supply a URL with a shell command appended to it, and because the substituted value is not filtered, the shell that runs the delegate executes the appended command as well.
The severity of the issue is compounded by the fact that ImageMagick supports an extensive list of file formats including those that can refer to external files. While processing the initial file, ImageMagick would attempt to load those external references as well, which could trigger the flaw. ImageMagick's "identify" tool is also vulnerable and cannot be used to filter files.
The remaining flaws also abuse ImageMagick's support for pulling in external files. The server-side request forgery vulnerability (CVE-2016-3718) lets an attacker embed arbitrary HTTP GET or FTP requests in the file. CVE-2016-3715 lets an attacker delete files via ImageMagick's ephemeral pseudo-protocol, CVE-2016-3716 lets an attacker move image files to an arbitrary file via the msl pseudo-protocol, and CVE-2016-3717 lets an attacker read the contents of files on the server through another of ImageMagick's pseudo-protocols.
"ImageMagick tries to guess the type of the file by its content, so exploitation doesn't depend on the file extension," the advisory said. "You can rename exploit.mvg to exploit.jpg or exploit.png to bypass file type checks."
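The two points above, the %M substitution that turns a URL into a shell command and the content-based type detection that makes extension checks useless, can both be seen in a few lines of code. The following Python is an added example written for this article, not code from the article, from Ermishkin's advisory or from the ImageMagick project. The delegate template is constructed to match the shape the advisory describes (it is not copied from a real delegates.xml), and the sample URL values and sample uploads are likewise constructed here; the hardened functions are one way to do the checks, not ImageMagick's own fix.

```python
"""Added example (not from the article or the ImageMagick project): two checks
that follow from the ImageTragick write-up.

1. Why CVE-2016-3714 is a shell injection: a delegate command template with
   the attacker-controlled %M value substituted by plain string replacement,
   next to a substitution that validates the value and never touches a shell.
2. Why extension checks do not help: a content (magic-byte) sniff that rejects
   a text-based MVG file that has simply been renamed to .png.

The template, the sample %M values and the sample uploads are all constructed
here for illustration; none of them is copied from a real delegates.xml.
"""
import re

# Delegate template of the shape the advisory describes for https: URLs
# (constructed to mirror that description, not copied from delegates.xml).
HTTPS_DELEGATE = '"wget" -q -O "%o" "https:%M"'

# Constructed sample %M values: what the input file contributes after "https:".
BENIGN_M = "//example.com/image.jpg"
INJECTED_M = '//example.com/image.jpg"|ls "-la'

# Only characters a plain URL host/path needs; no quotes, spaces, pipes,
# semicolons, backticks or $, so the value can never end a shell token.
_URL_CHARS = re.compile(r"//[A-Za-z0-9._~/%?=&:+-]*")


def expand_delegate_naive(template, m_value, o_value="/tmp/out.png"):
    """Substitute %o and %M by plain replacement, the pattern the bug relies on.

    The result is a single shell command line, so anything in m_value that
    closes the quote and appends '|cmd' runs when the delegate is invoked.
    """
    return template.replace("%o", o_value).replace("%M", m_value)


def delegate_argv_safe(m_value, o_value="/tmp/out.png"):
    """Hardened form: whitelist-validate %M and build an argv list, not a string.

    The list is what you would hand to subprocess.run(argv) with shell=False
    (not executed here); no shell ever parses the attacker's bytes.
    """
    if not _URL_CHARS.fullmatch(m_value):
        raise ValueError("rejected delegate URL: %r" % m_value)
    return ["wget", "-q", "-O", o_value, "https:" + m_value]


# --- content sniffing for uploads -----------------------------------------

# Magic bytes of the raster formats an upload endpoint usually intends to accept.
_MAGIC = (
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)
_EXT_TO_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff_image_type(data):
    """Return 'jpeg', 'png' or 'gif' from the leading bytes, or None otherwise."""
    for magic, kind in _MAGIC:
        if data.startswith(magic):
            return kind
    return None


def accept_upload(filename, data):
    """Accept only if the content is a known raster format AND matches the extension.

    Renaming exploit.mvg to exploit.png does not help the attacker here: the
    content still does not start with a PNG signature, so it never reaches
    ImageMagick (whose own content sniffing would happily treat it as MVG).
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = _EXT_TO_KIND.get(ext)
    return expected is not None and sniff_image_type(data) == expected


# Constructed sample uploads.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16                     # PNG signature + filler
MVG_RENAMED_SAMPLE = b"push graphic-context\nviewbox 0 0 640 480\n"  # MVG text, not PNG


if __name__ == "__main__":
    print(expand_delegate_naive(HTTPS_DELEGATE, INJECTED_M))
    print(delegate_argv_safe(BENIGN_M))
    print(accept_upload("exploit.png", MVG_RENAMED_SAMPLE),
          accept_upload("photo.png", PNG_SAMPLE))
```

The naive expansion shows the whole bug: the injected value closes the double quote and the rest of the line becomes a second pipeline stage. The magic-byte check is a reduction in attack surface, not a substitute for patching: it only keeps obviously non-raster content away from ImageMagick, and it does nothing about an image that passes the sniff but is still handed to a vulnerable coder.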
Keep an eye on this space
"Image type confusion bugs have hit other image processors before, so we can expect that other criminal kits will have their own exploits soon," Beardsley said. Administrators should deploy the suggested mitigations, especially since exploits are already available.