A security vulnerability in the open source ImageMagick graphics tool used by a large number of websites could allow a malicious payload to be executed onsite.
ImageMagick, an open source suite of tools for working with graphic images used by a large number of websites, has been found to contain a serious security vulnerability that puts sites using the software at risk of having malicious code executed on their servers. Security experts consider exploitation to be so easy they’re calling it “trivial,” and exploits are already circulating in the wild. The biggest risk is to sites that allow users to upload their own image files.
Information about the vulnerability was made public Tuesday afternoon by Ryan Huber, a developer and security researcher, who wrote that he had little choice but to post about the exploit.
“We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them,” he wrote. “An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software.”
He goes on to say that the bug wasn’t discovered by him. According to Ars Technica, the bug was originally discovered by Nikolay Ermishkin, another security researcher.
To take advantage of the exploit, an attacker would upload a file with an extension such as .gif, .jpg or any of the other 200 extensions that are supported by the software, with the file actually being in another format. ImageMagick’s response to the wrong file extension is to convert the file through an intermediate format, which can result in code execution on the targeted website’s server.
Although no patches for the vulnerability have yet been issued, and probably won’t be until the depth of the vulnerability is better understood, Huber has included two short-term and possibly incomplete solutions that websites using ImageMagick can employ to reduce their exposure. The first of these would have websites verify that an uploaded image file’s actual format matches its extension by looking for what are known as “magic bytes,” the first few bytes of a file that can be used to identify the file type.
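As an added illustration of that first mitigation (this is example code written for this article, not code from Huber’s post or from the ImageMagick project), the check below compares an upload’s leading bytes against the format its extension claims, and rejects anything whose extension it does not recognize rather than letting ImageMagick guess. The signature table and sample files are constructed for the example.

```python
import os

# Magic-byte signatures for a few common image formats (constructed table;
# a real deployment would cover every format the site intends to accept).
MAGIC_BYTES = {
    ".gif": [b"GIF87a", b"GIF89a"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
}


def magic_matches_extension(filename, data):
    """Return True only if the file's leading bytes match the format its extension claims.

    Unknown extensions return False: the point of the check is to refuse to hand
    ImageMagick anything whose real format has not been positively identified.
    """
    ext = os.path.splitext(filename)[1].lower()
    signatures = MAGIC_BYTES.get(ext)
    if signatures is None:
        return False
    return any(data.startswith(sig) for sig in signatures)


def filter_uploads(uploads):
    """Split (filename, bytes) pairs into those safe to pass on and those to reject."""
    accepted, rejected = [], []
    for filename, data in uploads:
        (accepted if magic_matches_extension(filename, data) else rejected).append(filename)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample uploads: a real GIF header, and an XML/SVG document renamed to .gif.
    samples = [
        ("photo.gif", b"GIF89a" + b"\x00" * 16),
        ("photo2.gif", b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'),
        ("scan.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("notes.txt", b"GIF89a" + b"\x00" * 16),
    ]
    print(filter_uploads(samples))
```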
Applying these temporary fixes, or even the security patch that will eventually be issued by ImageMagick’s developers, however, requires website operators to realize that they’re running the vulnerable code, which might not always be the case. Because ImageMagick is licensed under the “permissive” Apache 2.0 license, its code could be running as part of a proprietary application without the website operators’ knowledge.