ImageTragick - The Tragick continues
Abstract
We keep talking about the fact that ASM is an effective tool for protecting the 0-day attacks. Two years ago we were able to detect the shellshock exploitations attempts by detecting the carried commands that the shellshock was used to execute. More details are here: Mitigating the Unknown.
ImageMagick
ImageMagick, a very popular image editing library, has a new vulnerability which allows a code execution abusing an incorrectly parsed file format. We already wrote about ImageMagick in June because there were multiple CVEs about mishandling the MVG and SVG file formats, allowing abuse of ImageMagick based software to create and delete files, move them, and run commands, only by abusing incomplete input validation in ImageMagick’s file format. Sometime after the original CVEs another CVE showed up, allowing another attacker to execute an arbitrary shell command using the pipe character (“|”) at the start of the processed filename.
CVE-2016-5118
CVE ID for the new vulnerability is CVE-2016-5118 and just like the earlier CVE-2016-3714, it may allow the attacker to remotely smuggle and run shell commands on the server.
Luckily for us, ASM is great with mitigating the 0-day shell and code execution vectors and, therefore, nothing had to be reconfigured to keep our server safe from this attack.
In this particular example, ASM has detected using 3 ASM signatures:
echo
sig_id 200003045,cat
sig_id 200003065/usr
sig_id 200003060Conclusion
I believe that we have not seen the last CVE for the ImageMagick based software but ASM should be able to detect and block the exploitation attempts for the vulnerabilities that were already discovered and those which are yet to come.
We will continue to follow the issue and update the signatures when needed.