ImageMagick is a well-known open-source library for processing images; it supports many languages (Perl, C++, PHP, Python, Ruby) and is used by millions of websites, including blogs, forums and CMSs such as Drupal and WordPress.
Nikolay Ermishkin of the Mail.Ru security team recently discovered multiple vulnerabilities (CVE-2016-3714, CVE-2016-3717) and notified the developers; ImageMagick 6.9.3-9, published on April 30, tried to correct them.
An exploit for this vulnerability is already being used publicly. The vulnerabilities are:
CVE-2016-3718 – SSRF – It is possible to make HTTP or FTP GET requests.
CVE-2016-3715 – Delete files
CVE-2016-3716 – Move files
CVE-2016-3717 – Read local files. Reported by the original author of the bug, https://hackerone.com/stewie
An attacker creates an exploit file and gives it an image extension, such as .png, in order to bypass the targeted site's file type checks. They can then upload the malformed image to a web server that uses the ImageMagick processing libraries. Once the magic bytes reveal that it is not an actual .png, ImageMagick converts the file and the malicious code is executed in the process, allowing the attacker to gain access to the targeted server.
Yahoo has awarded California-based researcher Behrouz Sadeghipour $2,000 for discovering the ImageMagick vulnerability on Polyvore, a community-powered social commerce website acquired by Yahoo last year. Yahoo was notified on May 4 and patched the vulnerability within three hours.
Proof of concept:
How to mitigate the vulnerability
Patches that completely address the flaws are not yet available. It is recommended to do these two things to mitigate these vulnerabilities:
1. Verify that the magic bytes of the image file are as expected before sending it to ImageMagick for processing.
2. Add the following code to the ImageMagick policy.xml file to disable the vulnerable ImageMagick coders.
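The two mitigations above, as an added example that is not part of the original post: a magic-bytes check that rejects an upload whose leading bytes do not match the format its extension claims, and a check that a policy.xml actually denies the risky coders. The coder list is assumed from the widely published ImageTragick policy.xml mitigation, not from this post, and the policy and file samples are constructed.

```python
import xml.etree.ElementTree as ET

# Mitigation 1: accept an upload only when its leading bytes match the
# format its extension claims. Signatures for PNG, JPEG and GIF.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def magic_bytes_ok(filename, data):
    """True only if the extension is allowed and the magic bytes match it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sigs = MAGIC.get(ext)
    return sigs is not None and any(data.startswith(s) for s in sigs)

# Mitigation 2: coders that the published ImageTragick policy.xml sets to
# rights="none" (list assumed from that public mitigation, not from this post).
RISKY_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"}

def unrestricted_coders(policy_xml):
    """Return the risky coders a policy.xml does NOT deny (empty set = fully mitigated)."""
    denied = set()
    for p in ET.fromstring(policy_xml).iter("policy"):
        if p.get("domain") == "coder" and p.get("rights") == "none":
            denied.add(p.get("pattern", "").upper())
    return RISKY_CODERS - denied

# Constructed samples: a real PNG header, a text file renamed to .png, and a
# policy.xml that only covers some of the coders.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
DISGUISED = b"not really a png\n"
PARTIAL_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

if __name__ == "__main__":
    print("good.png accepted:", magic_bytes_ok("good.png", SAMPLE_PNG))        # True
    print("evil.png accepted:", magic_bytes_ok("evil.png", DISGUISED))         # False
    print("still unrestricted:", sorted(unrestricted_coders(PARTIAL_POLICY)))  # ['PLT', 'SHOW', 'TEXT', 'WIN']
```

An empty set from unrestricted_coders means every coder on the list is denied; run the check against the policy.xml the server actually loads, not a copy in the repository.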