No automated exploits yet, just hand-cranked attacks

May 10, 2016 14:15 GMT

Attackers are actively using the recently disclosed ImageTragick vulnerability in the ImageMagick image processing library to compromise live websites, CloudFlare and Sucuri reported over the weekend.

ImageTragick is a serious security flaw discovered by two Russian security researchers last week. The vulnerability lies in the way the ImageMagick library handles image uploads.

An attacker can use a maliciously crafted image file to break out of the image processing operations and execute code on the underlying OS, which can grant them complete control over the Web server.

Ever since the ImageTragick vulnerability was disclosed, and researchers started flooding Twitter with tweet-sized exploitation code, the ImageMagick team has released several updates to fix the problem, but the issue is not yet completely and officially patched.

Let's not forget ImageTragick is a zero-day, meaning it's actively exploited

When the two security researchers disclosed the ImageTragick zero-day, they said they had seen exploits using the vulnerability (CVE-2016-3714) in live attacks, and that this was the reason they revealed the bug in the first place, even though a fix was not yet available.

The ImageMagick team has provided some basic mitigation tips to prevent such attacks, and so has the WordPress team. Nevertheless, CloudFlare and Sucuri say they've seen attackers using various ImageTragick exploits against the sites they're securing via their WAF (Web Application Firewall) products.

Both companies said that crooks start by scanning websites for vulnerable URLs, such as /upload.php and /imgupload.php. If they find such URLs open to the Internet, without asking users to authenticate before uploading content, the attacker attempts to upload a malicious JPG file.

"Instead of a JPG image (as expected from the file type), the attacker had modified the image content, changing the file content to MVG," Sucuri's Daniel Cid reported. "If you recall, the RCE vulnerability was specific to the way it parsed MVG files, which allows a remote attacker to break out of the image manipulation flow and execute their own shell commands."
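The mismatch Mr. Cid describes, a file uploaded under a .jpg name whose bytes are actually MVG text, can be caught at the upload boundary before the file is ever handed to ImageMagick, because ImageMagick selects its decoder from the content rather than the extension. The following is an added example written for this article, not code from Sucuri, CloudFlare or the ImageMagick project; the function names and the sample byte strings are constructed for illustration.

```python
# Magic-byte signatures for the raster formats an upload endpoint
# normally expects. Anything else is treated as suspicious.
RASTER_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Allowed extensions mapped to the signature family they must carry.
EXTENSION_TO_FORMAT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}

# MVG is plain-text drawing primitives; SVG is XML. A ".jpg" holding
# this text would still be parsed by ImageMagick as a vector file.
TEXT_VECTOR_MARKERS = (b"push graphic-context", b"viewbox", b"<svg", b"<?xml")


def sniff_format(data: bytes) -> str:
    """Return the format implied by the first bytes of an upload."""
    head = data[:512]
    for fmt, sigs in RASTER_SIGNATURES.items():
        if any(head.startswith(sig) for sig in sigs):
            return fmt
    lowered = head.lstrip().lower()
    if any(marker in lowered for marker in TEXT_VECTOR_MARKERS):
        return "text-vector"
    return "unknown"


def validate_upload(filename: str, data: bytes):
    """Accept only when the declared extension matches the sniffed content.

    Returns (accepted, sniffed_format) so the caller can log the reason.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXTENSION_TO_FORMAT.get(ext)
    sniffed = sniff_format(data)
    if expected is None:
        return False, sniffed  # extension not on the allow-list
    return sniffed == expected, sniffed


# Constructed samples: a minimal JPEG/JFIF header and a harmless MVG drawing.
GOOD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
DISGUISED_MVG = b"push graphic-context\nviewbox 0 0 640 480\nfill 'red'\npop graphic-context\n"

if __name__ == "__main__":
    for name, blob in (("photo.jpg", GOOD_JPEG), ("photo.jpg", DISGUISED_MVG)):
        accepted, fmt = validate_upload(name, blob)
        print(f"{name}: content={fmt} accepted={accepted}")
```

Content sniffing complements rather than replaces the ImageMagick-side mitigation the project published: it rejects a mislabelled file at the upload boundary, while the library's policy configuration disables the affected coders themselves.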

Attacks observed against popular forum platforms

Over the weekend, Mr. Cid tweeted that he had seen multiple ImageTragick exploitation attempts against websites running on the vBulletin and IP.Board forum platforms.

Nonetheless, he says that these exploitation attempts are not blanket attacks against a large number of sites at once, but individual attacks carried out one website at a time.

Many websites either don't use ImageMagick as their image processing system or protect image upload URLs behind user login systems.

There is no common pattern for attackers to target, so automated, large-scale attacks are currently out of the question.

"At the current time we do not know of a website that has been successfully hacked using ImageTragick, but it is clear that hackers are actively trying this vulnerability as it is fresh and many servers are likely to not have been patched yet," John Graham-Cumming noted for CloudFlare.

If you're a webmaster or a system admin for any company, this advice from Mr. Cid regarding ImageTragick is probably the best one to follow.

UPDATE: Because the Sucuri blog post dates from the weekend, and since attacks tend to evolve quickly, Softpedia has followed up with Daniel Cid from Sucuri about these attacks.

On the issue of exploits against vBulletin and IP.Board sites, Mr. Cid said, "Those were the two that we saw multiple sites targeted. A few of our clients using custom web apps were attacked, but isolated attempts."

Moreover, it appears that crooks have now managed to craft some automated systems for finding and exploiting the vulnerability: "For vBulletin and IP.Board, we saw quite a few sites attacked the same way, from same IP ranges (generally implying an Internet-wide scan for them)," Mr. Cid said.