Critical Flaws in ImageMagick (From today's SANS Newsbytes)

Started by tfs, May 06, 2016, 03:48:14 PM


tfs

I noticed this in today's SANS Newsbytes and thought it might be pertinent to forum members.

I have a couple of sites hosted at 1and1. Is this something I need to be concerned about? If so, does someone need to be logged in to cause trouble? One site has Aeva Media... does that change anything?

https://www.sans.org/newsletters/newsbites/xviii/36#201

--Critical Flaws in ImageMagick
(May 4, 2016)

Critical vulnerabilities in the widely used ImageMagick image-processing
library could be exploited to execute code hidden in malicious images.
A proof-of-concept exploit has been released, but there are currently
no patches available. ImageMagick developers have recommended using a
policy-based mitigation until a fix is released.

http://arstechnica.com/security/2016/05/easily-exploited-bug-exposes-huge-number-of-sites-to-code-execution-attacks/

http://www.zdnet.com/article/imagemagick-vulnerability-exposes-countless-websites-to-exploit/

http://www.computerworld.com/article/3065854/security/critical-flaws-in-imagemagick-library-expose-websites-to-hacking.html

ImageMagick Policy Mitigation Information:
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

[Editor's Note (Liston): These vulnerabilities allow four different
types of remote exploitation: code execution, file deletion, file
moving, and file content disclosure.  Looking at the code, ImageMagick
is really just a set of command-line tools and the various "libraries"
are, essentially, wrappers for running the command-line stuff. Expect
that there will be many more vulnerabilities discovered in ImageMagick
now that it has garnered so much attention.

(Williams): The challenge with this vulnerability will be locating all
of the impacted applications.  ImageMagick is usually installed on the
system as part of another application to provide library support rather
than as a standalone application.  System owners, particularly those
with Internet facing web applications, should contact their vendors and
ask if they are vulnerable.  If so, schedules for patch release and any
mitigation steps should be discussed.

(Ullrich): If your web site processes images, you are likely
vulnerable. This is a "must patch" vulnerability. Luckily, there is a
workaround that you can apply by adjusting configuration files for
ImageMagick.]
A good tree cannot bring forth evil fruit, neither can an evil tree bring forth good fruit.

qc

It seems ImageMagick is used only by SMF 2.1 if it is available on the server, which thus might be vulnerable. I could not find any references to ImageMagick in SMF 2.0.x and thus assume that it is not affected.

If you want to know whether or not ImageMagick is available as a PHP extension, execute the following PHP code on your server:

<?php
// Check whether the Imagick extension (the PHP bindings for ImageMagick) is loaded
if (extension_loaded('imagick')) echo "Image Magic is loaded";
else echo "Image Magic is not loaded";

If ImageMagick is available, it doesn't mean you are vulnerable. I assume that calls to ImageMagick methods have to be made from within the web application for your server to become vulnerable (e.g. by SMF 2.1).
Playing quizduell? Having quizduell questions? Our german quizduell forum quizcommunity.de is looking for quiz freaks to come and play quizduell with us :)

Arantor

Aeva Media uses ImageMagick; however, I believe it already sanitises that the image is a standard type before passing over to IM to do any work, since only specific types are vulnerable.

I imagine much the same is true for SMF 2.1.

Note that there are other ways to call ImageMagick that do not rely on the hard-to-configure Imagick extension, e.g. direct shell calls. I don't know of anything SMF related that does shell calls for that though.
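The two practical points raised in this thread, checking whether the Imagick extension is even present (qc's post) and making sure an upload really is a plain raster type before ImageMagick touches it (Arantor's post), can be combined with a check of the policy-based mitigation the SANS item refers to. The script below is an added example written for this thread; it is not code from SMF, Aeva Media or the ImageMagick project. It assumes the coder names to disable are the ones in the linked ImageMagick mitigation post (EPHEMERAL, URL, HTTPS, MVG, MSL), that policy.xml lives wherever your distribution keeps it (the /etc/ImageMagick-6/ path in the usage comment is only an example), and that the Imagick extension is installed if you want to call safe_thumbnail().

```php
<?php
// Added example, not code from the thread, SMF, or Aeva Media.
// Three defensive checks around ImageMagick use in a PHP web app:
//   1. is the Imagick extension present at all (qc's check, as a function),
//   2. does the active policy.xml disable the coders named in the linked
//      ImageMagick mitigation post (EPHEMERAL, URL, HTTPS, MVG, MSL),
//   3. is an uploaded file really a plain raster image before IM sees it.
// Assumption: $policyPath is wherever your distribution keeps policy.xml.

declare(strict_types=1);

function imagick_available(): bool
{
    return extension_loaded('imagick') && class_exists('Imagick');
}

// Returns the coders from the mitigation list that are NOT yet set to
// rights="none" in the given policy.xml. An empty array means all are disabled.
function missing_policy_coders(string $policyPath): array
{
    $required = ['EPHEMERAL', 'URL', 'HTTPS', 'MVG', 'MSL'];
    if (!is_readable($policyPath)) {
        return $required;               // no readable policy: nothing is disabled
    }
    $doc = @simplexml_load_file($policyPath);
    if ($doc === false) {
        return $required;               // unparsable policy: treat as absent
    }
    $disabled = [];
    foreach ($doc->policy as $policy) {  // <policymap><policy .../>...</policymap>
        if ((string) $policy['domain'] === 'coder' && (string) $policy['rights'] === 'none') {
            $disabled[strtoupper((string) $policy['pattern'])] = true;
        }
    }
    return array_values(array_filter($required, fn ($c) => !isset($disabled[$c])));
}

// Accept only JPEG/PNG/GIF judged by file contents (magic bytes), never by the
// client-supplied name or MIME type: ImageMagick selects its coder from the
// contents, so a renamed file with another format inside would still reach
// that format's coder. Returns the ImageMagick coder name, or null to reject.
function plain_raster_coder(string $path): ?string
{
    $byMime = ['image/jpeg' => 'JPEG', 'image/png' => 'PNG', 'image/gif' => 'GIF'];
    $finfo  = new finfo(FILEINFO_MIME_TYPE);
    $mime   = $finfo->file($path);
    if (!isset($byMime[$mime])) {
        return null;
    }
    $info = @getimagesize($path);        // independent header parse; must agree
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return $byMime[$mime];
}

// Resize only after every check passes; pin the coder with an explicit
// "FORMAT:" prefix so ImageMagick does not auto-detect one from the contents.
function safe_thumbnail(string $src, string $dst, int $width): bool
{
    if (!imagick_available()) {
        return false;
    }
    $coder = plain_raster_coder($src);
    if ($coder === null) {
        return false;
    }
    $im = new Imagick();
    $im->readImage($coder . ':' . $src);
    $im->thumbnailImage($width, 0);      // height 0 keeps the aspect ratio
    $im->setImageFormat($coder);
    $ok = $im->writeImage($dst);
    $im->clear();
    return $ok;
}

// Command-line usage (example paths):
//   php imcheck.php /etc/ImageMagick-6/policy.xml upload.bin
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo 'Imagick extension: ', imagick_available() ? 'loaded' : 'not loaded', PHP_EOL;
    $missing = missing_policy_coders($argv[1]);
    echo 'Coders still enabled in policy: ', $missing ? implode(', ', $missing) : 'none', PHP_EOL;
    if (isset($argv[2])) {
        echo 'Upload type: ', plain_raster_coder($argv[2]) ?? 'rejected', PHP_EOL;
    }
}
```

The policy check only tells you whether the workaround is in place for the PHP extension's copy of ImageMagick; as Arantor notes, code that shells out to the convert/identify binaries directly bypasses Imagick entirely, and those binaries read the same policy.xml, so check the path your ImageMagick build actually uses (convert -list policy prints it) rather than assuming a single location.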
