ImageMagick users beware: Multiple vulnerabilities leave servers compromised

Vulnerabilities disclosed on Tuesday in ImageMagick, a widely used open source software suite for image manipulation, affect a wide variety of users due to the sheer number of projects that rely on the ImageMagick library. Most notably, phpBB, vBulletin, MediaWiki, and Joomla use ImageMagick by default, while other software such as WordPress and Drupal can use the library as a plug-in, or may have it enabled by default by a third-party installation script or VM deployment image.

The vulnerabilities are collectively named “ImageTragick,” which is itself a new low in the recent plague of unnecessarily named security vulnerabilities.

The primary vulnerability, designated CVE-2016-3714, creates the potential for remote code execution, as ImageMagick fails to properly sanitize special characters from user input. In cases where a file is passed to ImageMagick—such as a PDF, Microsoft Office, or OpenDocument file—the file is handed to an external library with appropriate command line options for processing, called “delegates” in ImageMagick. According to the description by Karim Valiev on Openwall:

It is implemented as a system() with command string ('command') from the config file delegates.xml with actual value for different params (input/output filenames etc). Due to insufficient %M param filtering it is possible to conduct shell command injection. One of the default delegate's command is used to handle https requests:
"wget" -q -O "%o" "https:%M"
where %M is the actual link from the input. It is possible to pass the value like `https://example.com"|ls "-la` and execute unexpected 'ls -la'. (wget or curl should be installed)

$ convert 'https://example.com"|ls "-la' out.png
total 32
drwxr-xr-x 6 user group 204 Apr 29 23:08 .
drwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..
...
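
The quoting failure described in the advisory can be seen without running anything. The following is an added example, not code from the article or from ImageMagick: it pastes values into the delegate template the way the advisory describes, shows how a POSIX shell would tokenize the result, and contrasts that with a validated argv list. The function names, the allowlist regex and the assumption that %M carries the text after `https:` are illustrative.

```python
import re
import shlex

# Delegate command quoted on the page (from delegates.xml).
TEMPLATE = '"wget" -q -O "%o" "https:%M"'

def expand_delegate(out_path, link_rest):
    """Vulnerable pattern: paste values into a string destined for system().
    Assumption: %M receives the part of the link after 'https:'."""
    return TEMPLATE.replace("%o", out_path).replace("%M", link_rest)

def shell_view(command):
    """Tokenize the way a POSIX shell would, without executing anything."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""
    return list(lexer)

# Conservative allowlist for the hardened variant (an assumption of this example).
SAFE_URL = re.compile(r"https://[A-Za-z0-9.-]+(/[A-Za-z0-9._~/%-]*)?")

def safe_fetch_argv(out_path, url):
    """Hardened pattern: validate, then build an argv list for
    subprocess.run(argv) with no shell, so quotes and pipes stay data."""
    if not SAFE_URL.fullmatch(url):
        raise ValueError("rejected URL: %r" % url)
    return ["wget", "-q", "-O", out_path, url]

BENIGN = "//example.com/a.png"          # constructed sample
HOSTILE = '//example.com"|ls "-la'      # the value shown on the page

if __name__ == "__main__":
    for rest in (BENIGN, HOSTILE):
        cmd = expand_delegate("out.png", rest)
        # A "|" token in the output means the shell sees a second command.
        print(cmd, "->", shell_view(cmd))
        try:
            print("argv:", safe_fetch_argv("out.png", "https:" + rest))
        except ValueError as exc:
            print(exc)
```
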

Additionally, according to Valiev, the support of vector image scripting formats such as SVG or MVG, which permit including external files of any supported type—including those handled by delegates—allows this vulnerability to be exploited by using specially crafted image files with malicious instructions. File type checks can be bypassed by renaming an SVG or MVG file to JPG or PNG, as ImageMagick identifies files by content, not extension. As such, disallowing certain file types in an upload form would not protect against this vulnerability.

Other ImageMagick vulnerabilities in this disclosure include bugs which allow end users to initiate arbitrary HTTP or FTP transactions, delete or move files on the server, and read arbitrary files on the server. A patch is expected the weekend of May 7, 2016 for both the 6.x and 7.x versions of ImageMagick, though current deployments can mitigate risk by ensuring that file extensions correctly correspond to their magic bytes, and that the vulnerable delegates are disabled.
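
One way to implement the magic-byte check mentioned above, before an upload is ever handed to ImageMagick. This is an added example, not code from the article or from ImageMagick; the allowlist of formats, the function names and the sample inputs are assumptions of the example.

```python
import os

# Leading magic bytes for the raster formats this uploader accepts
# (the allowlist itself is an assumption of the example).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSIONS = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}

def sniff(data):
    """Return the allowed format whose signature starts the data, else None."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None

def check_upload(filename, data):
    """Return (ok, reason). The extension must be allowed AND agree with the
    content, so a renamed SVG or MVG file never reaches the image library."""
    claimed = EXTENSIONS.get(os.path.splitext(filename)[1].lower())
    if claimed is None:
        return False, "extension not allowed"
    actual = sniff(data)
    if actual is None:
        return False, "content is not an allowed raster format"
    if actual != claimed:
        return False, "extension says %s, content is %s" % (claimed, actual)
    return True, "ok"

# Constructed sample inputs (benign content, headers only).
SAMPLES = [
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("avatar.jpg", b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"),
    ("logo.png", b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'),
    ("anim.png", b"GIF89a" + b"\x00" * 8),
    ("drawing.svg", b"<svg/>"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, check_upload(name, blob))
```
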

A commentary on naming security vulnerabilities

In the wake of the OpenSSL exploit “Heartbleed” from April 2014, the security research industry has had the unfortunate tendency of giving increasingly facile names to vulnerabilities such as “FREAK attack” or “POODLE,” complete with dedicated domain names—some of which use new gTLDs, like backronym.fail. With ImageTragick, this has escalated into a dedicated Twitter account, which at the time of writing has one tweet and 97 followers, and a GitHub account, with no public repositories presently, though it will evidently be used to later publish proof of concept code.

Last month, the “Badlock” vulnerability affecting Samba was disclosed after a publicity campaign by the German security consulting firm SerNet. According to ZDNet’s Zach Whittaker, various people in information security circles criticized the firm “of trying to profit from what was effectively fixing their own code,” as the vulnerability was found by Stefan Metzmacher, who is both a SerNet employee and Samba contributor.

Over-publicizing security vulnerabilities—particularly ones such as this, which do not directly affect end-users of websites which use ImageMagick—is likely counterproductive, and bears more than a superficial resemblance to the unwanted encroachment of reality TV gimmicks.

This tendency invaded meteorology, as The Weather Channel began naming winter storms in 2013, a move which garnered a resounding condemnation in news circles, and a tepid reception in meteorological communities, despite the unironic listing of “Winter Storm YOLO.” The use of reality TV gimmicks was the subject of a carrier dispute with DirecTV in 2014, which lasted three months. The satellite broadcaster said in a statement to CNET: “Most consumers don’t want to watch a weather information channel with a forecast of a 40 percent chance of reality TV.”

What’s your view?

Do you use software that utilizes the ImageMagick library? Do you have concerns about the increasingly frequent branding of security vulnerabilities? Share your thoughts in the comments.
