Attackers have wasted no time targeting a critical vulnerability that could allow them to take complete control over websites running a widely used image-processing application, security researchers said.
As Ars reported last week, a vulnerability in ImageMagick allows hackers to execute code of their choice on Web servers that use the app to resize or crop user-uploaded images. Over the past few days, security researchers said, attackers have begun uploading booby-trapped images in an attempt to exploit the vulnerability, which is indexed as CVE-2016-3714. CloudFlare, a content delivery network that helps secure and optimize websites, has updated its Web application firewall (WAF) to block exploits in an attempt to protect customers who have yet to patch the remote code-execution threat.
"We began watching the exploitation of CVE-2016-3714 as soon as the WAF rule went live across our network," CloudFlare researcher John Graham-Cumming wrote in a blog post published Monday. "The bad news is that this vulnerability is being actively used by hackers to attack websites."
The most dangerous exploit he discussed is one that's disguised as a JPG image. In reality, it's not an image file at all; it is instead malware designed to fetch a malicious Python script onto the server. Once the file is in place, the vulnerable Web server executes it, allowing the attacker to open a command shell. From then on, the attacker has the same control over the server that a normal administrator would have. A variant of this attack eliminates the need to download the Python script by including it in the payload itself.
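The attack above relies on a file that claims to be a JPG but is not one. A check that a site operator can run on uploads before they ever reach ImageMagick is to confirm that the file's leading bytes match the format its extension claims. The following is an added example written for this article; it is not code from Ars, CloudFlare, or the ImageMagick project. The function names, the allow-list of formats, and the resize command are assumptions about a hypothetical upload handler. It complements patching rather than replacing it: a file that passes this check is a real image, but it still gets processed by whatever ImageMagick version is installed.

```python
# Added example, not from the article: reject uploads whose content does not
# carry the magic bytes of the image type their filename claims, before the
# bytes are handed to ImageMagick for resizing.
from typing import Optional, Tuple

# Leading-byte signatures of the formats this hypothetical handler accepts.
MAGIC_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions the handler allows, mapped to the format they declare.
ALLOWED_EXTENSIONS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff_image_format(data: bytes) -> Optional[str]:
    """Identify the image format from the leading bytes, or None if no
    known signature matches."""
    for fmt, signatures in MAGIC_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, detail). The upload is accepted only when the
    extension is on the allow-list AND the content starts with the magic
    bytes of that same format; detail is the format name on success or the
    rejection reason on failure."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = ALLOWED_EXTENSIONS.get(ext)
    if declared is None:
        return False, f"extension '.{ext}' is not an allowed image type"
    actual = sniff_image_format(data)
    if actual is None:
        return False, "content does not start with a known image signature"
    if actual != declared:
        return False, f"extension claims {declared} but content is {actual}"
    return True, actual


def build_resize_command(filename: str, data: bytes, width: int) -> list:
    """Build the argv for a resize, raising ValueError on a rejected upload.
    The explicit coder prefix (e.g. "jpeg:-") tells ImageMagick which decoder
    to use instead of letting it guess from the file's content."""
    accepted, detail = check_upload(filename, data)
    if not accepted:
        raise ValueError(detail)
    return ["convert", f"{detail}:-", "-resize", f"{width}x", f"{detail}:-"]


# Constructed sample uploads (not captured from any real attack).
REAL_JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
FAKE_JPEG = b"not really an image; some other text\n"

if __name__ == "__main__":
    samples = [
        ("photo.jpg", REAL_JPEG_HEADER),   # genuine JPEG bytes, matching name
        ("photo.jpg", FAKE_JPEG),          # .jpg name, non-image content
        ("script.py", REAL_JPEG_HEADER),   # image bytes, disallowed extension
    ]
    for name, blob in samples:
        print(name, check_upload(name, blob))
```

The check is deliberately strict in both directions: a disallowed extension is rejected even if the bytes are a valid image, and a permitted extension is rejected if the bytes do not match it, so a text file renamed to `.jpg` never reaches the converter.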