Vulnerability Alert: ImageMagick Remote Code Execution Vulnerability (CVE-2016-3714)

06/05/2016 16:50:19


Summary

On Tuesday, May 3, 2016, the ImageMagick project announced a zero-day vulnerability (CVE-2016-3714) in the ImageMagick software. An attacker can exploit the vulnerability to execute arbitrary code remotely, intercept sensitive information and ultimately take over the server.

What is ImageMagick?

ImageMagick is a powerful, robust, open-source image-processing library (similar to gd) that can read and write almost any type of image file. Many web services use it to resize, sharpen and rotate uploaded pictures.

Any website that lets users upload or process images, for example profile-photo uploads, remote image fetching, online image editing, image compression or batch cropping, may be exposed. This includes microblogging sites, social media sites and CMS platforms such as WordPress and Drupal that allow image uploads or batch cropping.

Impacts

The ImageMagick remote code execution vulnerability affects WordPress websites, Discuz forums and any other website that uses an ImageMagick module to process images, such as uploading profile photos or certificate images, or cropping images in batch.

Details and detection of this vulnerability: ImageMagick Remote Code Execution Vulnerability (CVE-2016-3714)

Analysis

If a user uploads an image containing malicious content, this vulnerability allows the attacker to execute arbitrary code or commands on the server when that image is processed.

As ImageMagick has bindings for many programming languages (PHP, Ruby, Node.js, Python, etc.), it is widely used, and many image-processing plugins (PHP imagick, Ruby rmagick, paperclip, Node.js imagemagick) rely on it. The impact extends as far as content management systems (CMS).

A corresponding exploit (named ImageTragick) was released shortly after the announcement of the vulnerability, and has been spreading through emails and forums.

Exploiting this vulnerability is very easy: the attacker only needs to upload a malicious image to the target web server to execute arbitrary code and steal sensitive information and user accounts.

Solution

1) Restrict ImageMagick through its policy file by adding the following configuration to /etc/ImageMagick/policy.xml




2) NGAF users should update their IPS rules to defend against attacks on this vulnerability.
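As an added example that is not part of the original alert, the following Python check parses a policy.xml and reports which of the coders named in the published ImageTragick mitigation (EPHEMERAL, URL, HTTPS, MVG, MSL) it still allows. The two policy files in it are constructed samples, one incomplete and one with all five coders denied.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatch

# Coders the ImageTragick mitigation recommends denying: the ones that fetch
# remote URLs or embed commands in vector/script files.
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")


def missing_coder_denies(policy_xml: str) -> list:
    """Return the risky coders that the given policy.xml does not deny.

    A coder counts as denied when some <policy domain="coder" rights="none">
    carries a pattern matching it. ImageMagick patterns are globs, so a
    pattern of "*" denies every coder.
    """
    root = ET.fromstring(policy_xml)
    denied_patterns = [
        p.get("pattern", "")
        for p in root.iter("policy")
        if p.get("domain", "").lower() == "coder"
        and p.get("rights", "").lower() == "none"
    ]
    return [c for c in RISKY_CODERS
            if not any(fnmatch(c, pat) for pat in denied_patterns)]


# Constructed sample: a policy.xml that only turns off the HTTPS coder.
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="HTTPS" />
</policymap>"""

# Constructed sample: the same file with all five risky coders denied.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        gaps = missing_coder_denies(xml)
        status = "OK" if not gaps else "still allowed: " + ", ".join(gaps)
        print(f"{name}: {status}")
```

Run it against the policy.xml actually loaded by your ImageMagick build (`convert -list policy` shows the effective rules), since distributions ship the file in different locations.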

COPYRIGHT © 2000-2017 SANGFOR TECHNOLOGIES INC. ALL RIGHTS RESERVED.