ImageMagick is an open-source image processing library that lets users resize, scale, crop, watermarking and tweak images.
The ImageMagick tool is supported by many programming languages, including Perl, C++, PHP, Python, Ruby and is being deployed by Millions of websites, blogs, social media platforms, and popular content management systems (CMS) such as WordPress and Drupal.
Slack security engineer Ryan Huber disclosed a zero-day flaw (CVE-2016–3714) in the ImageMagick image processing library that allows a hacker to execute malicious code on a Web server by uploading maliciously-crafted image.
For example, by uploading a booby-trapped selfie to a web service that uses ImageMagick, an attacker can execute malicious code on the website's server and steal critical information, snoop on user's accounts and much more.
In other words, only those websites are vulnerable that make use of ImageMagick and allow their users to upload images.
The exploit for the vulnerability has been released and named: ImageTragick.
"The exploit for this vulnerability is being used in the wild," Huber wrote in a blog post published Tuesday. "The exploit is trivial, so we expect it to be available within hours of this post."
He added "We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software."The ImageMagick team has also acknowledged the flaw, saying the recent "vulnerability reports … include possible Remote Code Execution and ability to render files on the local system."
Though the team has not rolled out any security patches, it recommended that website administrators should add several lines of code to configuration files in order to block attacks, at least via the possible exploits.
Web administrators are also recommended to check the 'magic bytes' in files sent to ImageMagick before allowing the image files to be processed on their end.
Magic bytes are the first few bytes of a file used to identify the image type, such as GIF, JPEG, PNG.
The vulnerability will be patched in versions 7.0.1-1 and 6.9.3-10 of ImageMagick, which are due to be released by the weekend.