Image (Magick|Tragick)

On the 3th of May the internet was introduced to a new vulnerability CVE-2016–3714 better known as ImageTragick that has a big impact on websites and servers.

Written by srondelez Posted on May 11th 2016

ImageMagick is a package that developers can call in their code to process files. It is implemented as a system call that accepts a command string that is parsed with the config file of ImageMagick. Due to insufficient checks on those commands that are transferred to ImageMagick.

Next up we will try to explain what the vulnerability was about, how we fixed it and what you can do about it.

What was the vulnerability?

It was possible to retrieve system information from that server by injecting shell commands into the requests. One of the default delegate’s command in ImageMagick is used to handle https requests:

“wget” -q -O “%o” “https:%M”

where %M is the actual link from the input. It is possible to pass the value like

`https://example.com”;|ls “-la`

and execute unexpected ‘ls -la’. (wget or curl should be installed)

$ convert ‘https://example.com”;|ls “-la’ out.png
total 32
drwxr-xr-x 6 user group 204 Apr 29 23:08 .
drwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..

What did skyscrapers do about this?

On the 4th of May we received the information about this vulnerability we went ahead and proactively locked down ImageMagick by disabling the following commands:

<policymap>
<policy domain=”coder” rights=”none” pattern=”EPHEMERAL” />
<policy domain=”coder” rights=”none” pattern=”URL” />
<policy domain=”coder” rights=”none” pattern=”HTTPS” />
<policy domain=”coder” rights=”none” pattern=”MVG” />
<policy domain=”coder” rights=”none” pattern=”MSL” />
<policy domain=”coder” rights=”none” pattern=”TEXT” />
<policy domain=”coder” rights=”none” pattern=”SHOW” />
<policy domain=”coder” rights=”none” pattern=”WIN” />
<policy domain=”coder” rights=”none” pattern=”PLT” />
</policymap>

As things are progressing we are making sure that we are up to date with any updates on those leaks and we are making config changes to patch our servers.
By noon all our affected servers were patched and our affected customers were updated about the leak and what we did to patch it.
We are also making sure that we are running on the latest version of the package and we will install the new package as soon as it is available.

What can you do about it?

In the code you can check that uploaded images begin with the expected magic bytes that an image should have. Magic bytes are the first few bytes of a file that identifies the type of file. For example a JPEG file starts with “FF D8”. This list on Wikipedia has the magic bytes for most common file types.

Any questions?

For more information you can see access.redhat.com/security/vulnerabilities/2296071, imagetragick.com or contact the skyscrapers team.