May 05, 2016; 14:41
Jolle Carlestam
Fix for imagemagick vulnerability
Hello!
Ke made a Gitter lasso chat room alert about an exploit possibility recently found in ImageMagick.
https://imagetragick.com/
The recommended protection that we should all take is summarized as:
• Verify that all image files begin with the expected "magic bytes" corresponding to the image file types you support before sending them to ImageMagick for processing.
• Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”.
The second item is something that all server admins should do ASAP directly on their server.
The first item is for us Lasso developers to take care of in our code. Basically, before you send any kind of image data to ImageMagick make sure that it’s a proper image and not an exploit attempt.
Note, a simple call to image(some_binary_data) is all that’s needed! That will invoke ImageMagick and open up for exploit.
Some iteration between Ke and myself gave this possible solution. First, create a method that will sniff for proper "magic bytes".
define image_sniff(bytedata::bytes) => {
    // Hex-encode the first 30 bytes so the magic numbers can be compared as strings
    local(data = #bytedata -> sub(1, 30) -> encodehex -> asstring)
    match(true) => {
        case(#data -> substring(1, 8) == "00000100") return (: "ico")
        case(#data -> substring(1, 12) == "474946383761") return (: "gif")  // GIF87a
        case(#data -> substring(1, 12) == "474946383961") return (: "gif")  // GIF89a
        case(#data -> substring(1, 8) == "49492A00") return (: "tif","tiff")  // TIFF, little-endian
        case(#data -> substring(1, 8) == "4D4D002A") return (: "tif","tiff")  // TIFF, big-endian
        // JPEG: the 2-byte segment length between the APPn marker and the "JF"/"Ex" identifier is skipped
        case((#data -> substring(1, 8) + #data -> substring(13, 4)) == 'FFD8FFE04A46') return (: "jpg","jpeg")
        case((#data -> substring(1, 8) + #data -> substring(13, 4)) == 'FFD8FFE14578') return (: "jpg","jpeg")
        case(#data -> substring(1, 8) == "69660000") return (: "jpg","jpeg")
        case(#data -> substring(1, 16) == "89504E470D0A1A0A") return (: "png")
        case(#data -> substring(1, 8) == "25215053") return (: "ps")   // "%!PS"
        case(#data -> substring(1, 8) == "25504446") return (: "pdf")  // "%PDF"
        case(#data -> substring(1, 8) == "38425053") return (: "psd")  // "8BPS"
        case(#data -> substring(1, 4) == "424D") return (: "bmp","dib")  // "BM"
    }
    // No known signature matched: hand back the hex prefix so the caller can log or inspect it
    return (: #data)
}
You can call this with some image bytes
    local(filedata = file('path/to/myimage.jpg') -> readbytes)
    image_sniff(#filedata)
This will return a staticarray with file suffixes if any of the image formats were found. In this case
    (: "jpg","jpeg")
It is then up to you to match that with the expectations you have for each place where you want the bytes sent to the image type.
For example, I have a method that can be used to compare arrays with arrays.
define array -> exists_in(m) => {
    if(#m -> isa(::array) or #m -> isa(::staticarray)) => {
        with v in #m do {
            // For pairs compare against the value part, otherwise the element itself
            self >> (#v -> isa(::pair) ? #v -> value | #v) ? return true
        }
    else(#m -> isa(::map))
        with v in #m do {
            self >> string(#v) ? return true
        }
    else
        fail(-1, 'Input of wrong type. Expected a map, staticarray or array')
    }
    return false
}
Combining the two methods can be done like so:
    array('pdf', 'jpg', 'gif', 'tif') -> exists_in(image_sniff(file('path/to/myimage.jpg') -> readbytes))
    array('pdf', 'jpg', 'gif', 'tif') -> exists_in(image_sniff(file('path/to/mytext.txt') -> readbytes))
This will return
true
false
Thanks Ke for the warning!
HDB
Jolle
#############################################################
This message is sent to you because you are subscribed to
the mailing list Lasso Lasso@lists.lassosoft.com
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <Lasso-unsubscribe@lists.lassosoft.com>
Send administrative queries to <Lasso-request@lists.lassosoft.com>
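The second item in the post, the policy file, as an added example that is not from the post and not ImageMagick's shipped default: it disables the coders the imagetragick.com advisory linked above recommends turning off. The path is assumed from the post's "/etc/ImageMagick"; an installed policy.xml usually already has entries, so these lines are merged into its existing policymap rather than replacing the file.

```xml
<!-- /etc/ImageMagick/policy.xml (path assumed from the post; merge into the existing <policymap>) -->
<policymap>
  <!-- rights="none" stops ImageMagick from using these coders even when a file's
       contents, rather than its extension, would select them. The coder list is
       the one recommended by imagetragick.com. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
```

Running convert -list policy afterwards prints the policy file ImageMagick actually loaded together with its entries, which confirms the edited file is the one in use.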