{"id":8907,"date":"2016-05-04T16:26:02","date_gmt":"2016-05-04T20:26:02","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=8907"},"modified":"2016-05-04T16:26:02","modified_gmt":"2016-05-04T20:26:02","slug":"huge-number-of-sites-imperiled-by-critical-image-processing-vulnerability-updated","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2016\/05\/04\/huge-number-of-sites-imperiled-by-critical-image-processing-vulnerability-updated\/","title":{"rendered":"Huge number of sites imperiled by critical image-processing vulnerability [Updated]"},"content":{"rendered":"<p>By <a href=\"http:\/\/arstechnica.com\/author\/dan-goodin\/\" target=\"_blank\" rel=\"author\">Dan Goodin<\/a> | <a href=\"http:\/\/arstechnica.com\/security\/2016\/05\/easily-exploited-bug-exposes-huge-number-of-sites-to-code-execution-attacks\/\" target=\"_blank\">Ars Technica<\/a><\/p>\n<h2 class=\"standalone-deck\">Attack code exploiting critical ImageMagick vulnerability expected within hours.<\/h2>\n<p>A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images.<\/p>\n<p>The vulnerability resides in <a href=\"https:\/\/imagemagick.org\/script\/index.php\">ImageMagick<\/a>, a widely used image-processing library that&#8217;s supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.<\/p>\n<p>According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker&#8217;s choosing. 
Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.<\/p>\n<p>&#8220;The exploit is trivial, so we expect it to be available within hours of this post,&#8221; Huber wrote in a <a href=\"https:\/\/medium.com\/@rhuber\/imagemagick-is-on-fire-cve-2016-3714-379faf762247\">blog post published Tuesday<\/a>. He went on to say: &#8220;We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software.&#8221;<\/p>\n<p><b>Update, May 4, 2016: 3:55:<\/b> Almost 24 hours after this post went live, researchers from website security firm Sucuri published an <a href=\"https:\/\/blog.sucuri.net\/2016\/05\/imagemagick-remote-command-execution-vulnerability.html\">independent analysis<\/a> that concurs with Huber&#8217;s assessment. It also sheds new light on how the exploit works. They said that recent versions of ImageMagick don&#8217;t properly filter the uploaded file names before passing them to the server processes such as HTTPS. The omission allows attackers to execute commands of their choosing, leading to a full remote command capability.<\/p>\n<p>&#8220;The vulnerability is very simple to exploit,&#8221; Sucuri founder and CTO wrote in Wednesday&#8217;s post. &#8220;An attacker only needs an image uploader tool that leverages ImageMagick. During our research we found many popular web applications and SaaS products vulnerable to it (people love gravatars), and we have been contacting them privately to get things patched. Unfortunately, even with all the media attention, not everyone is aware of this issue.&#8221;<\/p>\n<p>As Huber predicted, it didn&#8217;t take long for people to <a href=\"https:\/\/twitter.com\/Viss\/status\/727625561179201536\">develop proof-of-concept exploits<\/a>. 
At least one of them is <a href=\"https:\/\/github.com\/rapid7\/metasploit-framework\/pull\/6848\">publicly available<\/a>.<\/p>\n<p>ImageMagick maintainers have also <a href=\"https:\/\/www.imagemagick.org\/discourse-server\/viewtopic.php?f=4&amp;t=29588\">acknowledged the possibility of critical vulnerabilities allowing remote code execution<\/a>. They haven&#8217;t issued any patches, but they did suggest website administrators add several lines of code to configuration files to block at least some of the possible exploits. Huber has made the same recommendation and put the lines in <a href=\"https:\/\/gist.github.com\/rawdigits\/d73312d21c8584590783a5e07e124723\">this downloadable file<\/a>. He went a step further by advising sites that use ImageMagick to also verify that all uploaded image files begin with the expected <a href=\"https:\/\/en.wikipedia.org\/wiki\/List_of_file_signatures\">\u201cmagic bytes\u201d corresponding to the image file types<\/a> before allowing the files to be processed. Admins should consider temporarily suspending image uploading in cases where these mitigations can&#8217;t immediately be put in place.<\/p>\n<p>The code-execution bug was discovered by security researcher <a href=\"https:\/\/twitter.com\/__sl1m\">Nikolay Ermishkin<\/a>, who is expected to release an advisory in the coming hours. Huber went public in an attempt to prevent malicious attacks after learning the vulnerability details were already being widely disseminated ahead of Ermishkin&#8217;s planned disclosure. The code-execution vulnerability came to light after it was used in recent bug bounty submissions.<\/p>\n<p>One attack scenario would involve a social media site, blogging service, or news site that accepts image uploads from untrusted end users. An attacker could upload a file ending with png, jpg, or another supported extension, even though the contents are in a different format. 
Once ImageMagick detects the mismatched format, it will attempt to transform the image into an intermediate format that in some cases results in an insecure decoding path. That condition, in turn, can lead to code execution on the server.<\/p>\n<p>Huber said that the mitigations he recommended are effective against all of the exploit samples he has seen, but he went on to say there&#8217;s no guarantee the measures will eliminate all types of attack. Until the full scope of the vulnerability is disclosed, people using ImageMagick should assume that the mitigations are incomplete. That means admins should monitor this vulnerability closely and be ready to put additional defenses in place. Another option is either to sanitize images before they&#8217;re processed by ImageMagick or disable all formats except the ones needed.<\/p>\n<p>The threat at least in part stems from ImageMagick supporting more than 200 different formats, including nroff (man pages) and PostScript. In the longer term, admins should consider switching to GraphicsMagick, an ImageMagick fork that supports a much smaller number of file types. <b>Update:<\/b> About 40 minutes after this post went live, security researcher Dan Tentler said he has <a href=\"https:\/\/twitter.com\/Viss\/status\/727613890020806656\">developed a working proof-of-concept exploit<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Dan Goodin | Ars Technica Attack code exploiting critical ImageMagick vulnerability expected within hours. 
A large number of websites [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,10],"tags":[341,520,521,654,752,825,867,919,1178],"class_list":["post-8907","post","type-post","status-publish","format-standard","hentry","category-security","category-technology","tag-exploit","tag-imagemagick","tag-images","tag-malicious-code","tag-nodejs","tag-php","tag-python","tag-ruby","tag-vulnerability"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-2jF","jetpack-related-posts":[{"id":8135,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/04\/27\/just-released-wordpress-0day-makes-it-easy-to-hijack-millions-of-websites-updated\/","url_meta":{"origin":8907,"position":0},"title":"Just-released WordPress 0day makes it easy to hijack millions of websites [Updated]","author":"NCCT","date":"April 27, 2015","format":false,"excerpt":"Our blog was not affected...NCCT Update: About two hours after this post went live, WordPress released a critical security update that fixes the 0day vulnerability described below. 
The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/OCqQZJZ1Ie4\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":5659,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/02\/flaws-in-popular-seo-plug-in-put-wordpress-websites-at-risk\/","url_meta":{"origin":8907,"position":1},"title":"Flaws in popular SEO plug-in put WordPress websites at risk","author":"NCCT","date":"June 2, 2014","format":false,"excerpt":"Many WordPress websites could be at risk of compromise if their administrators don\u2019t upgrade a popular search engine optimization (SEO) plug-in to a newly released version that fixes serious vulnerabilities. Researchers from Web security firm Sucuri found two flaws in a plug-in called \u201cAll in One SEO Pack\u201d that potentially\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/core5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/core5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/core5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":7570,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/05\/malicious-advertisements-on-major-sites-compromised-many-many-pcs\/","url_meta":{"origin":8907,"position":2},"title":"Malicious advertisements on major sites compromised 
many, many PCs","author":"NCCT","date":"February 5, 2015","format":false,"excerpt":"Attackers who have slipped malicious advertisements onto major websites over the last month have potentially compromised large numbers of computers. Several security vendors have documented attacks involving malicious advertisements, which automatically redirect victims to other websites or pages that silently attack their computer and install malware. \u201cWe certainly see malvertising\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6733,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/10\/30\/drupal-users-assume-your-site-was-hacked-if-you-didnt-apply-oct-15-patch-immediately\/","url_meta":{"origin":8907,"position":3},"title":"Drupal users: Assume your site was hacked if you didn&#8217;t apply Oct. 15 patch immediately","author":"NCCT","date":"October 30, 2014","format":false,"excerpt":"Users of Drupal, one of the most popular content management systems, should consider their sites compromised if they didn\u2019t immediately apply a security patch released on Oct. 15. The unusually alarming statement was part of a \u201cpublic service announcement\u201d issued by the Drupal project\u2019s security team Wednesday. 
\u201cAutomated attacks began\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8690,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/10\/22\/researcher-shows-how-it-could-take-hackers-just-10-seconds-to-wirelessly-upload-malware-to-a-fitbit\/","url_meta":{"origin":8907,"position":4},"title":"Researcher shows how it could take hackers just 10 seconds to wirelessly upload malware to a FitBit","author":"NCCT","date":"October 22, 2015","format":false,"excerpt":"By Rob Thubron In recent times, hackers have been discovering ways to exploit wireless systems in a number of devices, from vehicle infotainment centers to self-aiming sniper rifles. It now seems another gadget may be added to this list, as Fortinet researcher Axelle Apvrille has revealed that fitness-tracking wristband FitBit,\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/qa8qVAPPlTE\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":6209,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/08\/12\/classic-facebook-color-changer-scam-makes-another-comeback\/","url_meta":{"origin":8907,"position":5},"title":"Classic Facebook &#8220;Color Changer&#8221; scam makes another comeback","author":"NCCT","date":"August 12, 2014","format":false,"excerpt":"On Facebook, some scams are so alluring that they seem to live forever. So it goes with \u201cFacebook Color Changer,\u201d a new malware attack that masquerades as a way to change the appearance of Facebook\u2019s Website. 
Security firm Cheetah Mobile claims that the latest scam has affected more than 10,000\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/8907","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=8907"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/8907\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=8907"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=8907"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=8907"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}