Bobcares

How to block exploits via ImageMagick/GraphicsMagick popen() shell vulnerability in web hosting servers

by | May 30, 2016

On 29th May, we were alerted to a new ImageMagick vulnerability (NOT ImageTragick, which we covered earlier) that allows arbitrary code execution on web hosting servers running Apache, Nginx or others, as long as the ImageMagick binary “convert” is accessible to the web server. We confirmed this vulnerability in several Linux web hosting servers including cPanel, Plesk and DirectAdmin.

What is ImageMagick popen() shell vulnerability?

Arbitrary shell commands can be passed to the ImageMagick program as part of a file name, by using a pipe ( | ) as the first character.

For example, the “convert” command usually works like this:

user1@sev [~/public_html]$ convert image.jpg image.png

Instead, as the following session shows, the shell command “rm” is executed if “|” is given as the first character of the file name:

user1@sev [~/public_html] $ ls
-rw-rw-r-- 1 user1 user1 5 May 30 10:20 test.html
user1@sev [~/public_html] $ /usr/local/cpanel/3rdparty/bin/convert '| rm -f test.html;' null:
user1@sev [~/public_html] $ ls
user1@sev [~/public_html] $

This vulnerability can be exploited through SVG or MVG file formats as shown here:

<image x="200" y="200" width="100px" height="100px"
xlink:href="|echo Hello > hello.txt; cat /usr/lib/firefox/browser/icons/mozicon128.png">

image copy 200,200 100,100 "|echo Hello > hello.txt; cat /usr/lib/firefox/browser/icons/mozicon128.png"

Source: oss-security@lists.openwall.com

What are the solutions available?

So far, there is no official announcement from ImageMagick on how this vulnerability will be patched. Various vendors have acknowledged this vulnerability under the CVE ID CVE-2016-5118. As of now, no patches have been released.

For now, the best course of action is to limit which users (or applications) can access ImageMagick, and to limit the permissions of those users to execute shell commands.

How we block exploits that use the popen() vulnerability

Emergency reaction to security threats like this (aka zero-day threat mitigation) is part of our Preventive Server Management Services and the work of our Support Engineers. Our engineering teams are right now securing our client servers on a case-by-case basis, depending on ImageMagick dependencies and server configuration.

This vulnerability is mitigated in the following 3 ways:

  1. Patching the ImageMagick program to disable the HAVE_POPEN code path in the “blob.c” file.
  2. Restricting the permissions of web servers (Apache, Nginx, etc.) in executing shell commands.
  3. Using custom rule sets in Web Application Firewalls (like ModSecurity or NAXSI) to block shell command execution.

1. Patching ImageMagick

This solution is not officially supported, but our server engineering team is testing this solution in our labs, and applying the patch on a case by case basis on individual websites that use ImageMagick quite heavily.

2. Restricting web server permissions

The shell commands that can be accessed by the web server can be restricted using Apache/PHP/Nginx/Linux configuration files. These restrictions are now being reviewed, and specific rules are being added for new servers.

3. Blocking command execution using Web Application Firewalls

We’ve secured a lot of our clients’ servers using Web Application Firewalls like ModSecurity and NAXSI. These firewalls sit between the internet and the web server, giving a layer of security based on a configurable rule set.

We’re now writing custom rules to prevent upload of rigged images, or execution of shell commands via CGI scripts.
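The trigger described above (a file reference whose first character is “|”) can be checked for before an upload ever reaches convert, and the same check applies to any filename a script passes to convert. The following is an added example, not Bobcares’ tooling or ImageMagick code; the SVG/MVG samples are constructed from the snippets quoted in this post, and the regexes are our own assumption about where file references appear in those formats.

```python
import re
from typing import List

# Constructed samples modelled on the SVG and MVG snippets quoted above (not real uploads).
SVG_SAMPLE = b'''<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image x="200" y="200" width="100px" height="100px"
xlink:href="|echo Hello > hello.txt; cat /usr/lib/firefox/browser/icons/mozicon128.png"/>
</svg>'''
MVG_SAMPLE = b'''push graphic-context
viewbox 0 0 640 480
image copy 200,200 100,100 "|echo Hello > hello.txt; cat /usr/lib/firefox/browser/icons/mozicon128.png"
pop graphic-context'''
CLEAN_SVG = b'<svg><image xlink:href="logo.png" width="10" height="10"/></svg>'

# Where file references live: href / xlink:href attributes in SVG, and the quoted
# path of an "image <op> x,y w,h "path"" primitive in MVG (assumed patterns).
_SVG_REF = re.compile(rb'(?:xlink:)?href\s*=\s*["\']([^"\']*)["\']', re.I)
_MVG_IMAGE = re.compile(rb'^\s*image\s+\w+\s+[\d.,\s]+["\']([^"\']*)["\']', re.I | re.M)


def pipe_references(data: bytes) -> List[bytes]:
    """Return every embedded file reference that ImageMagick would hand to popen():
    one whose first non-blank character is '|'.  Leading blanks are stripped to be
    conservative; an empty list means the file is clean with respect to this bug."""
    refs = [m.group(1) for pat in (_SVG_REF, _MVG_IMAGE) for m in pat.finditer(data)]
    return [r for r in refs if r.lstrip().startswith(b'|')]


def safe_convert_arg(arg: str) -> bool:
    """True only if a filename argument for `convert` cannot select the pipe path."""
    return not arg.lstrip().startswith('|')
```

Run pipe_references() over each uploaded SVG/MVG before handing it to convert, and reject the upload when the list is non-empty; safe_convert_arg() guards filenames built from user input in your own scripts.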

More on this later

This is a security situation that’s still evolving. We’ll keep updating this post with new details on the vulnerability, and more details on how this can be fixed.

Secure your servers at $99/sev

We audit your servers, check if ImageMagick vulnerability exists, and mitigate the vulnerability.


2 Comments

  1. Bob Friesenhahn

    This issue is not applicable to GraphicsMagick, and never has been, to my knowledge. There is no such popen() in GraphicsMagick.

    • Reeshma

      Bob,

      This is a CVE recognized vulnerability. Please refer http://www.graphicsmagick.org/NEWS.html#may-30-2016 for the details 🙂

      -------
      “A shell exploit (CVE-2016-5118) was discovered associated with a filename syntax where file names starting with ‘|’ are interpreted as shell commands executed via popen().”
      -------
