ImageMagick bug in Facebook could have allowed remote execution of code

News by Rene Millman

Researcher gets $40,000 bounty for finding a flaw that could have allowed an attacker to exploit ImageMagick to gain control of a Facebook server.

A security researcher discovered a vulnerability that could have allowed hackers to execute code remotely via sharing pictures on the social network.

According to a blog post by bug hunter Andrey Leonov, he found the flaw in October while testing another service (not Facebook), “when some redirect followed me on Facebook. It was a ‘Share on Facebook’ dialog”.

Leonov said that Facebook still had issues with ImageMagick as late as last year.

Vulnerability CVE-2016-3714 allowed booby-trapped image uploads to fool the ImageMagick software into running commands, letting attackers remotely execute code on web servers and other computers and take over websites.

The vulnerability Leonov discovered was in the way that Facebook manipulates images using ImageMagick. He found that the application workflow takes an image parameter and requests the image; this request is correct and not vulnerable. However, the received picture is then passed to a converter instance, which used a vulnerable ImageMagick library.
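The workflow described above hands fetched bytes to a converter, so one defensive control is to allowlist raster formats by their leading bytes before conversion. The sketch below is an added example, not code from Facebook, ImageMagick or Leonov's write-up; the function names, accepted formats and sample inputs are assumptions constructed for illustration.

```python
# Added example: allowlist check on fetched image bytes before they reach
# the converter. All names here are hypothetical.

# Leading bytes of the raster formats this hypothetical service accepts.
ALLOWED_MAGIC = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Openers of text-based formats that ImageMagick interprets rather than
# merely decodes; used only to give rejections a more specific reason.
SCRIPT_MARKERS = (b"push graphic-context", b"<?xml", b"<svg")


def sniff_image_type(data: bytes):
    """Return the allowlisted format name for these bytes, or None."""
    for name, magics in ALLOWED_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None


def check_upload(claimed_name: str, data: bytes):
    """Decide whether fetched bytes may be passed to the converter.

    Returns (ok, detail). The decision is made on content; the file
    extension is only checked for agreement with what was sniffed.
    """
    kind = sniff_image_type(data)
    if kind is None:
        head = data[:256].lower()
        if any(marker in head for marker in SCRIPT_MARKERS):
            return False, "text-based image script rejected"
        return False, "unrecognised content"
    ext = claimed_name.rsplit(".", 1)[-1].lower() if "." in claimed_name else ""
    if ext == "jpg":
        ext = "jpeg"
    if ext != kind:
        return False, f"extension .{ext} does not match {kind} content"
    return True, kind
```

A file named photo.jpg whose content is a vector drawing script is rejected here on content alone, which is the case the extension check by itself would miss.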

He said that he then tried to find a common way to exploit this HTTP request, but short tests showed that all outbound ports were closed. He then tried another method, which led to the exploit and which he did not disclose in detail.

“For full proof that exploit works I provided Facebook security team with result of cat /proc/version output which is not going to publish here,” Leonov said.

“I am glad to be the one of those who broke the Facebook,” he added.

The ImageMagick tool has been found in the past to contain vulnerabilities that can lead to remote code execution (RCE) when user-submitted images are processed. These flaws were unearthed in April last year.

Once reported to Facebook, the social media giant patched it in a few days. Leonov claimed that he received $40,000 as bounty from Facebook in late October.

Ilia Kolochenko, CEO of High-Tech Bridge, told SC Media UK that he doubted that the flaw could directly affect Facebook users in a significant manner.

“In companies like Facebook, databases with user information are usually pretty well isolated from all unnecessary processes, services and machines, like servers used for image processing.

“Moreover, further exploitation of the RCE would quite probably require either compromise of the kernel (get root privileges) or to have an improper access control and lack of segregation on the vulnerable server. Both are hardly possible in Facebook's quite secure infrastructure. Nevertheless, highly skilled attackers can leverage this particular flaw to start an APT that would be not easy to detect on time. Therefore, it's great news that the vulnerability is now patched,” he said.

James Maude, senior security engineer at Avecto, told SC that, as far as he can see, this vulnerability would allow an attacker to run commands on an isolated Facebook server. “However, given the distributed and isolated nature of Facebook's architecture, it is highly unlikely that there is any risk to user data.”
