Abstract

We keep talking about the fact that ASM is an effective tool for protecting the 0-day attacks. Two years ago we were able to detect the shellshock exploitations attempts by detecting the carried commands that the shellshock was used to execute. More details are here: Mitigating the Unknown.

ImageMagick

ImageMagick, a very popular image editing library, has a new vulnerability which allows a code execution abusing an incorrectly parsed file format. We already wrote about ImageMagick in June because there were multiple CVEs about mishandling the MVG and SVG file formats, allowing abuse of ImageMagick based software to create and delete files, move them, and run commands, only by abusing incomplete input validation in ImageMagick’s file format. Sometime after the original CVEs another CVE showed up, allowing another attacker to execute an arbitrary shell command using the pipe character (“|”) at the start of the processed filename.

 

CVE-2016-5118

CVE ID for the new vulnerability is CVE-2016-5118 and just like the earlier CVE-2016-3714, it may allow the attacker to remotely smuggle and run shell commands on the server.
Luckily for us, ASM is great with mitigating the 0-day shell and code execution vectors and, therefore, nothing had to be reconfigured to keep our server safe from this attack.


CVE-2016-5118 exploitation attempt as it was detected by ASM.

In this particular example, ASM has detected using 3 ASM signatures:

echo sig_id 200003045,
cat  sig_id 200003065
/usr  sig_id 200003060
 

Conclusion

I believe that we have not seen the last CVE for the ImageMagick based software but ASM should be able to detect and block the exploitation attempts for the vulnerabilities that were already discovered and those which are yet to come.
We will continue to follow the issue and update the signatures when needed.