# What must I do when I have an image attack?



## mfaridi (Jan 19, 2009)

I use FreeBSD 7 and I installed Apache with phpBB and gallery2, and I do not use a firewall.
I searched my system and found many pictures that include Perl code. I use steghide to detect bad code in images, but steghide does not support GIF files. What can I do about this kind of attack,
and what must I do so this code cannot damage my system and cannot make problems for FreeBSD?


----------



## SirDice (Jan 19, 2009)

How do those images end up on your machine?!?


----------



## mfaridi (Jan 19, 2009)

SirDice said:

> How do those images end up on your machine?!?


He or she uploaded the infected image through the CMS and gallery2; she or he does not know that the image has a security risk.


----------



## SirDice (Jan 19, 2009)

mfaridi said:

> He or she uploaded the infected image through the CMS and gallery2; she or he does not know that the image has a security risk.



You can't embed code in pictures so s/he knows what s/he is doing.

This would probably mean your CMS or gallery is vulnerable to some injection attack. 

What CMS are you using? And which version?


----------



## Djn (Jan 19, 2009)

To clear things up.
You can hide anything in an image, but it's completely harmless unless someone then deliberately extracts it again and runs it - not the most likely scenario.

Of course, someone could be using images to transmit something illegal, but that's completely impossible to scan for - and not a software risk, anyway.

There have been one or two cases where Windows was vulnerable to specially crafted JPEG images, but that should have been patched a long time ago - and it's still not a risk to your server.


----------



## mfaridi (Jan 20, 2009)

Djn said:

> To clear things up.
> You can hide anything in an image, but it's completely harmless unless someone then deliberately extracts it again and runs it - not the most likely scenario.
> 
> Of course, someone could be using images to transmit something illegal, but that's completely impossible to scan for - and not a software risk, anyway.
> ...


Thanks,
but I looked at one of these files; when I open the GIF file with MC, I see that Perl code is hidden in it,
and this code wants to look at /etc/passwd, does many things and can delete many things.


----------



## SirDice (Jan 20, 2009)

A file ending in .gif or .jpg is just that: a file ending in .gif or .jpg. Those three-letter extensions have nothing to do with what the file actually is.

So that "gif" was uploaded to your gallery in the hopes of exploiting some weakness in the software. Definitely not uploaded "by accident".


----------



## kamikaze (Jan 20, 2009)

Your system needs a serious security hole for someone to be able to remotely execute the scripts in these files. Unless there is some kind of stack or buffer overflow exploit for your software, it won't do anything. What you can do is use some image processing library and deny everything that this library cannot handle.


----------



## tingo (Jan 20, 2009)

mfaridi said:

> Thanks,
> but I looked at one of these files; when I open the GIF file with MC, I see that Perl code is hidden in it,
> and this code wants to look at /etc/passwd, does many things and can delete many things.



Ok, so what you are saying is that somebody uploaded a file that is named like an image (file.gif) but instead contains perl (or other) script code?


----------



## mfaridi (Jan 21, 2009)

tingo said:

> Ok, so what you are saying is that somebody uploaded a file that is named like an image (file.gif) but instead contains perl (or other) script code?



Yes


----------



## mfaridi (Jan 21, 2009)

After a user opens the GIF file, the Perl code starts, goes to /etc/passwd, looks at it and makes changes.


----------



## SirDice (Jan 21, 2009)

You need to have a serious look at the way people are uploading "pictures" on your server.


----------



## mfaridi (Jan 21, 2009)

SirDice said:

> You need to have a serious look at the way people are uploading "pictures" on your server.



Yes, I must do this,
but what must I do so that if someone uploads a BAD gif and runs it, my FreeBSD does not get HACKED?
What must I do for FreeBSD?


----------



## SirDice (Jan 21, 2009)

First of all, I hope your webserver isn't running as root. It shouldn't. If it's not running as root, you could trigger scripts remotely but the script won't be allowed to edit /etc/passwd.

Can you post an example of such a "picture"?


----------



## kamikaze (Jan 21, 2009)

What I don't see is how it's possible to execute the files. This is an application problem; you cannot do anything on the OS side of things.


----------



## tingo (Jan 21, 2009)

@mfaridi:
As others have written in this thread - you need to look really, really hard at how your webserver and application are set up.
First of all: you should take your webserver off the internet if you suspect that it is insecure. Keep it off until you have fixed all problems, and tested that it is not possible to abuse your server.

Regarding the file upload problem, here are some things you can do
(how easy and/or practical they are depends on your application and how it is used):
- disable users' ability to upload files at all
- make all uploaded files go into a queue for manual verification before they are published on the site
- perform automatic verification of file types; if a file isn't in an allowed format, discard it.


----------



## SirDice (Jan 21, 2009)

tingo said:

> - perform automatic verification of file types; if a file isn't in an allowed format, discard it.


Absolutely. Do NOT trust 'file extensions' or even mime types. 
Don't trust anything that gets uploaded to your server, period.
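The check that kamikaze (parse the upload with an image library and reject whatever it cannot handle), tingo (automatic verification of file types) and SirDice (trust neither the extension nor the MIME type) are describing, as an added example that is not code from this thread, from phpBB or from gallery2. It is a minimal structural GIF walker written for this example: it accepts a file only if the bytes parse as a complete GIF with nothing after the trailer, and it rebuilds the image without comment/application extensions so that a script riding inside an otherwise valid GIF is dropped too. The sample "uploads", including the Perl text, are constructed here and stand in for the files the original poster found; only GIF is handled, other formats would need their own walker.

```python
"""Content-based validation of uploaded "images" (added example, not from the thread).

A file named .gif is accepted only if its bytes walk cleanly as a GIF: header,
screen descriptor, optional colour table, image/extension blocks, trailer, and
nothing at all after the trailer. The accepted image is then re-emitted without
comment (0xFE) and application (0xFF) extensions.
"""
import struct


def _skip_subblocks(data, pos):
    """Advance past a chain of length-prefixed data sub-blocks (0 terminates)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def parse_gif(data):
    """Walk the GIF structure; return (header_bytes, [(tag, label, raw_block)]).
    Raises ValueError on anything malformed, including bytes after the trailer,
    which is where a script appended to a real image ends up."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("bad GIF header")
    width, height, packed = struct.unpack("<HHB", data[6:11])
    if width == 0 or height == 0:
        raise ValueError("zero-sized logical screen")
    pos = 13
    if packed & 0x80:                       # global colour table: 2^(n+1) RGB entries
        pos += 3 * (2 << (packed & 0x07))
    if pos > len(data):
        raise ValueError("truncated global colour table")
    header, blocks = data[:pos], []
    while True:
        if pos >= len(data):
            raise ValueError("missing trailer")
        start, tag = pos, data[pos]
        pos += 1
        if tag == 0x3B:                     # trailer
            break
        if tag == 0x2C:                     # image descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            w, h, ipacked = struct.unpack("<HHB", data[pos + 4:pos + 9])
            pos += 9
            if w == 0 or h == 0:
                raise ValueError("zero-sized image")
            if ipacked & 0x80:              # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                        # LZW minimum code size
            pos = _skip_subblocks(data, pos)
            blocks.append((tag, None, data[start:pos]))
        elif tag == 0x21:                   # extension: label byte + sub-blocks
            if pos >= len(data):
                raise ValueError("truncated extension")
            label = data[pos]
            pos = _skip_subblocks(data, pos + 1)
            blocks.append((tag, label, data[start:pos]))
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (tag, start))
    if pos != len(data):
        raise ValueError("%d bytes after trailer" % (len(data) - pos))
    return header, blocks


def sanitize_gif(data):
    """Rebuild the GIF from its parsed blocks, dropping comment and application
    extensions (free-form bytes inside an otherwise valid image)."""
    header, blocks = parse_gif(data)
    kept = [raw for tag, label, raw in blocks
            if not (tag == 0x21 and label in (0xFE, 0xFF))]
    return header + b"".join(kept) + b"\x3b"


def check_upload(filename, data):
    """Decide by content, not by name. Returns (accepted, reason, cleaned_or_None)."""
    if not filename.lower().endswith(".gif"):
        return False, "only .gif is handled by this example", None
    try:
        return True, "ok", sanitize_gif(data)
    except ValueError as exc:
        return False, "not a well-formed GIF: %s" % exc, None


# Constructed samples (hypothetical uploads, not files from the thread).
SAMPLE_GIF = (
    b"GIF89a"                                       # signature + version
    + b"\x01\x00\x01\x00"                           # logical screen 1x1
    + b"\x80\x00\x00"                               # 2-entry global colour table, bg, aspect
    + b"\x00\x00\x00\xff\xff\xff"                   # the colour table itself
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"           # graphic control extension
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # image descriptor 1x1
    + b"\x02\x02\x44\x01\x00"                       # LZW min code size + data + terminator
    + b"\x3b"                                       # trailer
)
PERL_SCRIPT = b"#!/usr/bin/perl\nopen(my $f, '<', '/etc/passwd') and print <$f>;\n"
UPLOADS = {
    "cat.gif": SAMPLE_GIF,                          # honest image
    "evil.gif": PERL_SCRIPT,                        # script merely renamed .gif
    "appended.gif": SAMPLE_GIF + PERL_SCRIPT,       # script glued after the trailer
    "comment.gif": SAMPLE_GIF[:-1] + b"\x21\xfe"    # script inside a GIF comment block
    + bytes([len(PERL_SCRIPT)]) + PERL_SCRIPT + b"\x00\x3b",
}


def triage(uploads):
    """Run every upload through check_upload; returns {name: (accepted, reason)}."""
    return {name: check_upload(name, data)[:2] for name, data in uploads.items()}


if __name__ == "__main__":
    for name, (ok, why) in triage(UPLOADS).items():
        print("%-13s %s  %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

The walker answers "is this a GIF", not "is this harmless": a valid GIF can still carry arbitrary bytes in a comment extension, which is why the accepted image is re-emitted from its parsed blocks rather than stored as received. In a deployment the same idea is usually done by decoding the upload with an image library and writing a fresh file, and it belongs alongside an upload directory that the web server serves as static data and never executes.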


----------



## halplus (Jan 22, 2009)

Well, simply ignore those files or delete them, just so some user does not attempt to download and execute them. That is very likely not aimed at your server but at users downloading things from your server. Some server software usually checks extensions in order to filter, which is wrong, instead of verifying the content, which would be ideal; but then changing that may not be that trivial.


----------



## mainlink (Jan 22, 2009)

My guess is that the webserver's script (PHP?) does not validate uploaded files properly. Simply looking at whether a file extension reads .gif or .jpg is not sufficient (check the mime-type instead).


----------

