Attackers keep flinging assorted ImageMagick 0day exploits

It’s been a week since the existence of several flaws affecting popular image processing library ImageMagick have been made public. At the time, one of these, a remote code execution vulnerability (CVE-2016–3714) that is easy to trigger was already exploited in attacks in the wild.

The bug has been patched in ImageMagick versions 7.0.1-2 and 6.9.4-0 that were pushed out on Friday, but according to Sucuri Security and CloudFlare, attackers still hope not all web admins have yet implemented the updates.

Sucuri researchers have spotted an exploit attempt that includes a bot first scanning for file upload URLs (the flaw can be exploited via booby-trapped image files uploaded to a site), and then uploading a JPG file. The file was actually a Magick Vector Graphics (MVG) file in disguise.

“If you recall, the RCE vulnerability was specific to the way it parsed MVG files, which allows a remote attacker to break out of the image manipulation flow and execute their own shell commands,” they explained.

In this particular attack, the attackers’ aim was to creates a reverse shell to an IP registered on Linode, likely being used as a C&C for the servers they have managed to compromise.

CloudFlare has implemented a Web Application Firewall (WAF) rule soon after the public revelation of the flaw in order to protect their clients until they upgrade their ImageMagick installation.

This also allowed them to spot failed exploitation attempts aimed at their customers.

Several payloads were detected. Some meant only to probe whether the exploit worked, others to download files on the website’s server (likely as a prelude to a larger attack), others still to compromise the server outright.

“At the current time we do not know of a website that has been successfully hacked using ImageTragick [as the vulnerabilities have been collectively dubbed], but it is clear that hackers are actively trying this vulnerability as it is fresh and many servers are likely to not have been patched yet,” says Cloudflare’s John Graham-Cumming.

Sucuri’s Daniel Cid says that while ImageMagick attacks can be deadly, they are unlikely to be performed against a huge number of targets.

“With ImageTragick, to effectively apply the vulnerability an attacker requires file upload permissions. These are generally restricted to subscribers and administrators, which by design negatively impacts the ability to perform a mass exploit across the web,” he pointed out.

“Additionally, there aren’t that many open-source and public Content Management Systems (CMS) that use ImageMagick by default, which drastically reduces the potential attack surface – something required to see mass attacks,” he noted, and concluded that despite being serious, ImageTragick has not been as tragic as originally forecasted – at least not yet.