ImageTragick Exploit Used in Attacks to Compromise Sites via ImageMagick 0-Day

Share this…

imageMagick project hopes to publish a patch today. Two Russian security researchers revealed a few hours ago a vulnerability in the ImageMagick image processing library deployed with countless Web servers, a zero-day which they say has been used in live attacks.

Nicknamed ImageTragick and identified via the CVE-2016–3714 vulnerability ID, the issue has a massive attack surface, since, alongside the GD library, ImageMagick is one of the most used image processing toolkits around.

Attackers can take over servers via ImageMagick

According to the two researchers, there are more than one vulnerabilities in ImageMagick, but the one they call ImageTragick has been used to compromise websites via malicious images uploaded on the server.

The zero-day, which they say it’s trivial to execute, is still unpatched, but the ImageMagick project has been notified today.

Usually such sensitive bug fixing operations would be carried out in complete privacy, but their decision to go public was influenced by the fact that attackers used the zero-day to compromise servers, and the researchers wanted to give webmasters the opportunity to mitigate the attacks.


Mitigation instructions are available on ImageTragick’s website. Proof-of-concept code (Metasploit modules) will be published later on today.

Hackers only need to find websites that allow users to upload photos

Because ImageMagick is at the base of many image processing libraries and modules, used across a large number of programming languages like Ruby, JavaScript, PHP, Java, and more, any website, running on any platform is vulnerable to this zero-day.

The only condition is that users are allowed to upload files to the server, and a large number of websites do via “user avatar” options.

The researchers declined to reveal any clues regarding the exploitation routine, but based on the mitigation advice, it involves magic bytes and ImageMagick coders.

Magic bytes are the first few bytes of a file used programmatically to identify the image type (GIF, JPEG, PNG, etc.). ImageMagick coders are ImageMagick modules that read and write data to specific image file types.

The researchers said that there’s an RCE (Remote Code Execution) bug somewhere in there, that allows attackers to write code to the server. If an attacker is skilled enough, he can upload a malicious image, which uses the zero-day to write a webshell to disk and uses it to take over control of the entire server.