WARNING: All platform admins should now check whether they are vulnerable to the ImageMagick exploit / are using PHP and recompressing product images, user avatars, etc.

Today an exploit came out, allowing an attacker to upload a prepared jpg (actually it is an mvg), and as soon as php imagemagick or any other library using imagemagick (and there are lots of them) tries to access / recompress the uploaded picture, the shellcode inside gets directly executed.

Depending on the system architecture, the exploit could now send the real IP to an external server, open a remote shell allowing attackers to open a shell session to the server, compromising wallets, stealing coins, or building a trap (the government) which collects lots of data, etc.

Not sure if all marketplaces are completely sandboxed and isolated, so only allowing the webserver port and one port for accessing the blockchain in and out. Then de-anonymization of a marketplace would not be that easy, but stealing coins and compromising the system is still possible.

So my advice is to check now if you are vulnerable, and if so fix this ASAP. Check your logs for strange picture uploads, etc.

Since it's so trivial (google "image magick exploit", first result), here is the link (hoping admins will fix this issue very very fast!)

http://www.theregister.co.uk/2016/05/04/imagemagick_exploits_in_the_wild/ (CW)
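The upload the post warns about is a text-based ImageMagick script (MVG, MSL, SVG) stored under an image extension; ImageMagick sniffs the content and ignores the extension, so an image pipeline that trusts the extension or the client's Content-Type hands the script straight to the coder. The pre-filter below is an added example, not code from the original post or from any marketplace: it checks the magic bytes of an upload against its extension and rejects anything that starts like one of ImageMagick's text coders. The sample uploads are constructed for the demo (a minimal JPEG/PNG prefix and a benign MVG script saved as .jpg); the function names are this example's own.

```python
"""Reject uploads whose bytes are not a real raster image before ImageMagick sees them.

Added example (not code from the original post). Checking magic bytes ourselves
means a .jpg that is really an MVG/MSL/SVG script never reaches the coder.
This complements the policy.xml hardening discussed in the thread; it does
not replace it.
"""

# Magic bytes of the formats an avatar/product-image upload should contain.
MAGIC = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

# Leading tokens of ImageMagick's text coders. A file that starts with one of
# these is a script for the MVG/MSL/SVG coder, whatever its extension says.
TEXT_CODER_MARKERS = (
    b"push graphic-context",   # MVG
    b"viewbox",                # MVG
    b"<?xml",                  # MSL / SVG
    b"<svg",                   # SVG
    b"<image",                 # MSL
)


def classify_upload(filename: str, data: bytes) -> dict:
    """Return {"ok": bool, "reason": str} for one uploaded file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return {"ok": False, "reason": f"extension .{ext} not allowed"}

    head = data[:512]
    # Leading whitespace is ignored by the text coders, so strip it before
    # comparing; lower-case so "<SVG" and "<svg" are treated the same.
    lowered = head.lstrip().lower()
    for marker in TEXT_CODER_MARKERS:
        if lowered.startswith(marker):
            return {"ok": False,
                    "reason": f"text coder script ({marker.decode()}) under .{ext}"}

    if not any(head.startswith(m) for m in MAGIC[ext]):
        return {"ok": False, "reason": f"magic bytes do not match .{ext}"}

    return {"ok": True, "reason": "magic bytes match"}


def rejected_uploads(uploads):
    """Filter (filename, bytes) pairs; return [(filename, reason)] for the rejects."""
    out = []
    for name, data in uploads:
        verdict = classify_upload(name, data)
        if not verdict["ok"]:
            out.append((name, verdict["reason"]))
    return out


# Constructed samples (not real uploads).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 17
# A harmless MVG script saved under a .jpg name: the shape of upload the post
# describes (no command injection payload included).
SAMPLE_MVG_AS_JPG = (b"push graphic-context\n"
                     b"viewbox 0 0 640 480\n"
                     b"fill red\n"
                     b"pop graphic-context\n")

if __name__ == "__main__":
    batch = [("avatar.jpg", SAMPLE_JPEG),
             ("product.png", SAMPLE_PNG),
             ("avatar2.jpg", SAMPLE_MVG_AS_JPG),
             ("logo.svg", b"<svg xmlns='http://www.w3.org/2000/svg'/>")]
    for name, reason in rejected_uploads(batch):
        print(f"REJECT {name}: {reason}")
```

Run it against the upload directory and the web server's upload log entries (the post's "check your logs for strange picture uploads"): every file that fails this check is worth a closer look, and the same check belongs in the upload handler before any call into ImageMagick.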


Comments


[1 Points] sapiophile:

Workaround for hosts (via https://blog.sucuri.net/2016/05/imagemagick-remote-command-execution-vulnerability.html ):

follow the ImageMagick developers' recommendation and edit the /etc/ImageMagick/policy.xml file and disable the processing of MVG, HTTPS, EPHEMERAL, and MSL commands within image files. In the <policymap> section, add the following lines:

<policymap>
...
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
</policymap>

If you can not make those changes, I recommend disabling the image upload functionality for now until you can properly patch. Better safe than sorry.

Another important point from the ImageMagick devs via https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588 :

Also, remove -title "%l " from the delegates.xml configuration file for the show and win delegates, or remove these completely. The %l property is not sanitized so it could be exploited.

More info and mitigations at https://imagetragick.com/
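The two mitigations above are config edits, and the usual failure is a policy.xml that was edited on one host but not another, or an entry that uses rights="read" instead of rights="none". The auditor below is an added example, not code from the thread or from the ImageMagick project: it parses policy.xml and reports which of the five coders named above are still allowed, and parses delegates.xml and reports which delegates still interpolate the unsanitized %l property. The XML samples are constructed for the demo (a stock-looking policy that permits everything, the hardened one from the comment, and a delegatemap fragment in the shape of the show/win entries); the file paths and function names are this example's own.

```python
"""Audit policy.xml and delegates.xml for the ImageTragick mitigations.

Added example (not from the original thread or the ImageMagick project).
"""
import xml.etree.ElementTree as ET

# Coders the comment says to disable; matched against the pattern attribute.
REQUIRED_DISABLED = ("EPHEMERAL", "HTTPS", "URL", "MVG", "MSL")

# Constructed sample: a policy.xml that only sets resource limits and so
# still lets every coder run.
WEAK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>
"""

# Constructed sample: the same file with the five entries from the comment.
HARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""

# Constructed delegates.xml fragment: the show and win entries still pass the
# image label (%l) into a shell command line; the ps entry does not.
DELEGATES = """<?xml version="1.0" encoding="UTF-8"?>
<delegatemap>
  <delegate decode="show" stealth="True" command="&quot;display&quot; -title &quot;%l %f&quot; &quot;ephemeral:%i&quot;"/>
  <delegate decode="win" stealth="True" command="&quot;display&quot; -title &quot;%l %f&quot; &quot;ephemeral:%i&quot;"/>
  <delegate decode="ps" encode="eps" command="&quot;gs&quot; -q -sOutputFile=&quot;%o&quot; &quot;%i&quot;"/>
</delegatemap>
"""


def disabled_coders(policy_xml: str) -> set:
    """Coder patterns for which policy.xml grants no rights at all."""
    denied = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights", "").lower() == "none":
            denied.add(pol.get("pattern", "").upper())
    return denied


def missing_coder_policies(policy_xml: str, required=REQUIRED_DISABLED) -> list:
    """Required coders that are NOT disabled, in the order the comment lists them.

    An entry with rights="read" counts as missing: only "none" blocks the coder.
    """
    denied = disabled_coders(policy_xml)
    return [c for c in required if c not in denied]


def delegates_using_label(delegates_xml: str) -> list:
    """decode= names of delegates whose command still interpolates %l."""
    root = ET.fromstring(delegates_xml)
    return [d.get("decode") for d in root.iter("delegate")
            if "%l" in d.get("command", "")]


def audit_files(policy_path: str, delegates_path: str) -> tuple:
    """Run both checks against files on disk; returns (missing_coders, label_delegates)."""
    with open(policy_path, encoding="utf-8") as f:
        missing = missing_coder_policies(f.read())
    with open(delegates_path, encoding="utf-8") as f:
        labels = delegates_using_label(f.read())
    return missing, labels


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name} policy, coders still allowed: {missing_coder_policies(pol)}")
    print("delegates still using %l:", delegates_using_label(DELEGATES))
    # On a real host (paths are the ones the comment names; some distributions
    # install under /etc/ImageMagick-6/ instead):
    # print(audit_files("/etc/ImageMagick/policy.xml", "/etc/ImageMagick/delegates.xml"))
```

Cross-check the result with `convert -list policy`, which prints the policy ImageMagick actually loaded: if a coder the file denies still shows up as allowed, the binary is reading a different policy.xml than the one you edited.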


[18 Points] alphabaysupport:

We confirm that Alphabay is not vulnerable to this exploit. The logs show that it has been tried, but it doesn't work.


[15 Points] DNMthrowaway187:

This should be bumped to the top or stickied for a day or two, that's a big gaping hole that needs to be filled


[9 Points] oasismarket:

Hello,

We would like to let everyone know that we've never used ImageMagick, so we've never been vulnerable to this.

Oasis


[6 Points] OutlawAdmin:

Outlaw was not affected by this either.


[3 Points] at69:

.


[4 Points] dankrussian:

Woah. That's big. Good looks bro


[2 Points] dnmnubbin:

Is there anything the end user can do to protect themselves from this?


[2 Points] None:

[deleted]


[1 Points] None:

[deleted]


[1 Points] predajca:

This is why I love this community ... We'd now rather use GraphicsMagick.


[1 Points] shepik:

Also, it is NOT a PHP-only vulnerability. Everything using imagemagick is affected, like Ruby's rmagick and paperclip, and nodejs's imagemagick.


[1 Points] sullyrb:

As a nobody that just buys weed, does this mean absolutely fuck all to me? This is for vendors or marketplace admins, right?


[1 Points] None:

ImageMagick is widely used. I would hope that anyone in charge of market dev is naturally on top of this stuff.


[1 Points] NightSymphony:

Acropolis market is not vulnerable to this exploit. We had someone trying yesterday. No bananas for the hackers from us on this score. A huge thank you to unknown_walker for giving the topic light.


[1 Points] drugsarefun21:

OP how did you find out about this exploit?


[-1 Points] billy5x5:

lol php again