This morning we released the second episode of our new podcast series ‘Big Bugs’ hosted by me. This episode, embedded in this post and available on SoundCloud, takes a look at the recently popularized bug, ImageTragick. I discuss the detection and remediation time line of the widespread bug in the image processing suite, ImageMagic, as well as the implications it has for developers and researchers.

Resources:

Sources:

  1. https://imagetragick.com/
  2. https://make.wordpress.org/core/2016/05/06/imagemagick-vulnerability-information/
  3. https://news.softpedia.com/news/imagetragick-exploit-used-in-attacks-to-compromise-sites-via-imagemagick-0-day-503649.shtml
  4. https://news.softpedia.com/news/imagetragick-exploits-detected-in-live-attacks-against-vbulletin-ip-board-sites-503899.shtml
  5. https://lcamtuf.blogspot.com/2016/05/clearing-up-some-misconceptions-around.html
  6. https://resources.infosecinstitute.com/exploiting-imagetragick/
  7. https://blog.silentsignal.eu/2016/05/13/detecting-imagetragick-with-burp-suite-pro/
  8. https://eng.goprimer.com/fixing-imagetragick-in-rails-23f237a0bb6d#.plzivjevp
  9. https://blog.cloudflare.com/inside-imagetragick-the-real-payloads-being-used-to-hack-websites-2/
  10. https://blog.sucuri.net/2016/05/analyzing-imagetragick-exploits-in-the-wild.html
  11. https://bobcares.com/blog/fix-imagemagick-vulnerability-imagetragick-remote-code-execution/
  12. https://news.ycombinator.com/item?id=11624109
  13. https://www.forbes.com/sites/thomasbrewster/2016/05/16/mr-robot-imagetragick-usa-network-wide-open-to-hackers/#4b293a6e2879
  14. https://cert.europa.eu/static/SecurityAdvisories/CERT-EU-SA2016-124.txt

 

Have questions for me? Continue the discussion on our forum and subscribe below to get monthly episodes of this podcast. You can also subscribe to the Bugcrowd podcast RSS feed.