I recently gave a talk at a Rails Meetup on the ImageTragick vulnerability and performed a live demonstration of an exploit on a sample Ruby on Rails application. Remote access was achieved by uploading an image containing code to the application.
- ImageTragick is a collection of security vulnerabilities publicly disclosed in May 2016 that affected the ImageMagick image processing library.
- The most critical vulnerability (caused by improper input sanitisation) potentially allowed remote code execution to give an attacker remote access to a system.
- Web applications that process user uploaded images with an unpatched version of ImageMagick is potentially vulnerable.
- File type spoofing protection provided by two popular Ruby on Rails file upload gems (Paperclip and Carrierwave) are not sufficient to prevent exploitable file types (e.g. SVG) from being uploaded.
- ImageMagick has been patched and updated packages were made available on major Linux distributions shortly after.
ImageMagick and ImageTragick
ImageMagick is an image manipulation library capable of processing a variety of image formats. The processing of images may be delegated to external libraries (e.g.
blender) via a
system() call. Given an SVG file referencing an external image, ImageMagick may use
curl to fetch that image. The URL string for the external resource is passed to
curl as a parameter.
It was discovered in ImageMagick that the URL parameter passed to
curl was not correctly sanitised which allowed attackers to potentially execute shell commands. This remote code execution vulnerability was publicised and branded as ImageTragick.
Bypassing file spoofing protection in Rails
The two most popular file upload libraries for Ruby on Rails are Paperclip and CarrierWave. Both libraries depend on ImageMagick for image processing. The two libraries provide file spoofing protection in the form of content-type and file extension whitelisting. While these protections are useful, they can be fooled.
Carrierwave trusts the spoofable content-type provided in HTTP request. Paperclip detects the file's MIME type by inspecting its contents which can not be spoofed. However Paperclip does not reject images identified as another image type. This allows SVG images to be accepted by Paperclip when SVGs are not on the whitelist.
Exploitable Ruby on Rails application
As part of the talk, I built a Rails application to demonstrate the vulnerability. In the live demonstration, I show it is possible to upload an SVG file to remotely execute code and gain remote access. The application code is available on GitHub and is also available as a Docker image. The creation or sourcing of an exploit is left as an exercise to the reader.
Updated packages were made available on May 16 for Debian and June 1 for Ubuntu. Prior to a patched version, users were advised to disable the unsafe calls to external libraries. Other suggested mitigation techniques include strong file format verification and sandboxing.