- May 18, 2016
- What's Behind
What is ImageMagick?
ImageMagick is a free and open-source image processing software suite. It is mostly used as a command-line tool to create, edit, compose or convert images, but it is also available through interfaces written in well-known programming languages such as Perl, PHP, Python and Ruby. Unlike image editors with a graphical user interface, such as GIMP or Adobe Photoshop, where users edit images individually and interactively, ImageMagick is typically used for bulk image processing and repetitive image operations, and it runs in the background of a large number of websites, blogs, social media networks and content management systems.
ImageMagick is affected by a remote code execution (RCE) vulnerability that allows attackers to execute malicious code on a web server by uploading a weaponized file disguised as an image file. The vulnerability is very easy to exploit, which is why some security researchers dubbed it "ImageTragick".
ImageMagick can hand files over to external programs, called "delegates", for processing. For example, it handles HTTPS requests with the command-line tool "curl". The issue is that the user-supplied file name is inserted into the delegate's shell command line without being sanitized, so shell command injection is possible. The following sample command makes ImageMagick run "curl" to serve the HTTPS request but also tricks it into executing the UNIX command "ls -la":
convert 'https://website.com"|ls "-la' output.png
When a user uploads a file, ImageMagick processes it using a similar command to the following:
convert exploit.jpg output.png
The ImageMagick vulnerability comes in the following variations.
ImageMagick supports ".svg" and ".mvg" files, which means that attackers can craft code in one of its scripting languages, e.g. MSL (Magick Scripting Language) or MVG (Magick Vector Graphics), upload it to a server disguised as an image file and force the software to run malicious commands on the server side as described above. For example, placing the following commands in a file and uploading it to a web server that uses a vulnerable ImageMagick version will result in the command "ls -la" being run on the server:
viewbox 0 0 640 480
fill 'url(https://website.com/image.png"|ls "-la)'
It is possible to delete files on the server by abusing ImageMagick's "ephemeral" protocol, which removes a file after reading it. The following sample MVG code saved in a ".jpg" file shows how the file named "document.txt" is deleted when processed by ImageMagick:
viewbox 0 0 640 480
image over 0,0 0,0 'ephemeral:/home/user/document.txt'
It is possible to copy files by using ImageMagick's "msl" protocol. Two files need to be present on the server: the file to be copied and an XML file that the uploaded file points to. The "msl.xml" file consists of instructions giving the location of the file to be copied and the destination of the copy. The following example MVG code saved in a ".jpg" file shows how the copy is triggered:
viewbox 0 0 640 480
image over 0,0 0,0 'msl:/home/user/msl.xml'
Sample content of the msl.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<read filename="/home/user/image.jpg" /> <!-- File to be copied -->
<write filename="/home/user/folder/new.jpg" /> <!-- Destination location -->
It is possible to read the content of text files residing on the server by using ImageMagick's "label" protocol. The following code, when parsed by ImageMagick, produces a new image file showing the content of the specified text file:
viewbox 0 0 640 480
image over 0,0 0,0 'label:@/home/user/new.txt'
It is possible to make the server issue HTTP or FTP requests, forcing it to connect to a malicious domain:
viewbox 0 0 640 480
What can be done about it?
Upon receiving notice of this vulnerability, administrators and website owners are urged to determine as soon as possible whether their websites are vulnerable to "ImageTragick" and to plan the urgent installation of the patch. They can use publicly available Proof of Concept (PoC) sample code for testing purposes.
Another way is to check the version of ImageMagick installed on the server by running the command:
Any version below 7.0.1-2 or 6.9.4-0 is potentially vulnerable, and affected parties should upgrade to the latest ImageMagick version as soon as possible.
Administrators and website owners must immediately implement the following mitigating step, proposed by the ImageMagick team together with the researchers who published "ImageTragick": edit ImageMagick's global policy file ("policy.xml", found in "/etc/ImageMagick") to disable the vulnerable ImageMagick coders:
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="SHOW" />
<policy domain="coder" rights="none" pattern="WIN" />
<policy domain="coder" rights="none" pattern="PLT" />
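As an added example (not part of the ENISA text and not ImageMagick's own tooling), the following Python script parses a policy.xml and reports which of the coders listed above are still enabled; the embedded sample policy is constructed and deliberately incomplete.

```python
import xml.etree.ElementTree as ET

# Coders that the ImageTragick mitigation says policy.xml must deny.
REQUIRED_DISABLED = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                     "TEXT", "SHOW", "WIN", "PLT"}


def disabled_coders(policy_xml):
    """Return the set of coder patterns to which policy.xml grants no rights."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder":
            continue  # resource limits, paths, etc. are irrelevant here
        if pol.get("rights", "").strip().lower() == "none":
            denied.add(pol.get("pattern", "").upper())
    return denied


def audit_policy(policy_xml):
    """Return, sorted, the ImageTragick coders this policy still leaves usable."""
    return sorted(REQUIRED_DISABLED - disabled_coders(policy_xml))


# Constructed sample: only part of the advice was applied. HTTPS was merely
# restricted to "read" (not "none") and TEXT/SHOW/WIN/PLT were forgotten.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <!-- resource limits do not affect this check -->
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="read" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""

if __name__ == "__main__":
    # In production, read the real file: open("/etc/ImageMagick/policy.xml").read()
    print("still enabled:", audit_policy(SAMPLE_POLICY))
```

Run it against the live policy.xml after editing; an empty list means every coder from the list above is denied.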
An additional measure to mitigate this risk is to check the file signatures (magic bytes) of the files that users upload to a web server before handing them to ImageMagick for processing. For example, a file might have the ".png" extension but in reality be a disguised ".mvg" file with malicious commands embedded. A genuine ".png" file starts with the file signature "89 50 4E 47 0D 0A 1A 0A" in hex.
Figure 1: File signature of a ".png" image in HEX ("ImageTragick" image source)
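An added example, not from the original article: a Python check that accepts an upload only when its claimed extension agrees with the leading magic bytes of an allow-listed raster format (PNG, JPEG, GIF). The sample inputs, including an MVG script renamed to ".jpg", are constructed.

```python
# Allow-list of leading signatures ("magic bytes") for the raster formats
# the upload form is meant to accept. PNG is 89 50 4E 47 0D 0A 1A 0A.
IMAGE_SIGNATURES = {
    "png":  [bytes.fromhex("89504E470D0A1A0A")],
    "jpeg": [bytes.fromhex("FFD8FF")],
    "gif":  [b"GIF87a", b"GIF89a"],
}
# Accepted extensions and the format each one claims.
EXTENSION_FORMAT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def detect_image_type(data):
    """Return the allow-listed format whose signature `data` starts with, or None."""
    head = data[:16]  # only the leading bytes matter for a signature check
    for fmt, signatures in IMAGE_SIGNATURES.items():
        if any(head.startswith(sig) for sig in signatures):
            return fmt
    return None


def is_safe_upload(filename, data):
    """Accept only if extension and magic bytes agree on an allowed raster format."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_FORMAT.get(ext)
    if claimed is None:  # .mvg, .svg, .msl, no extension, etc. are refused outright
        return False
    return detect_image_type(data) == claimed


# Constructed samples: a genuine PNG header (signature + IHDR chunk start)
# and the article's "label" MVG snippet saved under a .jpg name.
GENUINE_PNG = bytes.fromhex("89504E470D0A1A0A0000000D49484452")
DISGUISED_MVG = b"viewbox 0 0 640 480\nimage over 0,0 0,0 'label:@/home/user/new.txt'\n"

if __name__ == "__main__":
    print("photo.png accepted:", is_safe_upload("photo.png", GENUINE_PNG))
    print("exploit.jpg accepted:", is_safe_upload("exploit.jpg", DISGUISED_MVG))
```

Only the leading bytes are inspected, so treat this as a first filter and keep the policy.xml hardening in place as well.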
Since ImageMagick was fundamentally designed with legitimate inputs in mind, which is a problem in itself, another mitigation to consider is sandboxing, especially when untrusted inputs are accepted. Alternatively, using a different image processing library such as GD instead of ImageMagick is another option to consider. GD supports far fewer image file types and no scripting languages, so the attack surface is reduced.
Finally, administrators and security professionals should also take a step back and review the bigger picture. Following basic security best practices is essential for protecting against a wide range of vulnerabilities before attackers exploit them: tailoring installed software to one's own needs by disabling unwanted features reduces the attack surface; verifying uploaded files before processing arbitrary and untrusted input limits the potential impact of malicious uploads; and limiting upload permissions and applying strict file access policies reduces the available attack vectors. These measures are software independent and help reduce the risk of being affected by a trivial exploit such as ImageTragick.
Although the ImageMagick vulnerability is trivial to exploit and has been actively exploited by attackers, its exploitation has not spread as widely as originally expected. This by no means undermines its severity, but it shows that severity is not always proportional to impact. Having said that, administrators and website owners must still upgrade to the latest ImageMagick version as soon as possible and monitor its upcoming releases, since new vulnerabilities have already been spotted.
About "What's Behind" from ENISA
With the "What's Behind" series, ENISA aims to give the interested reader some in-depth background on NIS-related topics. The background is derived from past experience and common sense; in no way should "What's Behind" be understood as a recommended course of action in a specific incident or investigation, or as a final conclusion. Feel free to get in touch with ENISA to discuss or request more information on the "What's Behind" series (firstname.lastname@example.org).