Technical explanation for the infamous attack last year...

Discussion in 'Site Discussion' started by Yoshimaster96, Mar 26, 2017.

  1. Yoshimaster96

    Yoshimaster96 Active Member

    I am very confused about how the attack happened last year. I know it was detrimental, but as an amateur programmer, the nerd inside me was very curious as to how this happened on a technical level.

    A few months ago, I was chatting with a fellow fur, who shares my interest in vore as well as technology (the former being inapplicable to this story). I will refer to this person as Snake, since he may not want me to use his real username (not that we don't get along, just for the sake of privacy).

    To quote the message I sent him:
    "Call me someone who won't move on, but something about the attack on FA still confuses me, specifically the technological feat of getting an image to be run as if it were executable code. From what I know, that shouldn't be possible. If the image is uploaded to the server, then is displayed, that leaves no room to interpret it as code, it simply gets uploaded and isn't interpreted at all at that point. If it were code, it wouldn't display, or perhaps appear as garbled pixels, but that'd be it. Where is the point that a program would actually look at the data in the file, other than for displaying it? Even displaying it in a file/binary sense would be done on the user's computer as it received the file, not the server level, the server doesn't need to display the image."

    His reply was somewhere along the lines of "said files lying about their size"

    As this made no sense to me, I asked him how that could even happen. After all, if one were to count the bytes in a file, wouldn't that return its size? How could one use that maliciously?

    And that was the end. He stated that he would no longer try to explain, stating that I clearly didn't know anything about the Internet, let alone cybersecurity.

    Granted, he was right on that fact. My field of expertise in programming is procedural programming (as opposed to object-oriented programming). I also know a bit about how low-level programming and assembly relate. As for the Internet, I don't even have a clue how it works normally, without security threats. I had an "intro to computer science" class once, and that was one of the units that went over my head, mainly because I couldn't understand what the teacher was trying to explain, and didn't have the courage to ask for extra help.

    All in all, this thread is in hopes that someone can explain to me what exactly happened that fateful event.
     
  2. jayhusky

    jayhusky Well-Known Member

    To answer your question, the attack was based around an exploit in ImageMagick, the attack itself was called ImageTragick.

    Explanations both brief and in detail can be found at the following link: ImageTragick

    As for running an image as code, you could use the attack to gain access to the web server and insert code into a htaccess file which would allow you to change the file handler for a certain file type.
    Once done you can upload an image and it would output as the specified type.

    An example (without posting code) would be to add JPG files to output as PHP; then you could upload a standard JPG with hidden PHP code to the server and it would execute when the file was loaded, while looking, to all intents and purposes, like a normal, non-malicious file.

    The only way to track which file launched the code would be to check the logs, which an attacker could potentially remove with the same code.
     
  3. Yoshimaster96

    Yoshimaster96 Active Member

    It says the exploit is "trivial", and doesn't really elaborate beyond that.
     
  4. jayhusky

    jayhusky Well-Known Member

    Without posting any code here it can be explained in the following way.

    An attacker can manipulate a standard jpg file to contain svg or mvg data, which when used in the right way would allow the attacker to "break out" of the image manipulation flow and execute their own commands.
    For example, they could execute a bash script to open a connection to a remote server, which in turn gives them remote access to the FA servers, allowing them almost unrestricted access to the site's contents (both files and databases too).

    Once in, they can enact mass downloads of data and scrape whatever they would like.
    That is pretty much the exploit and attack in a nutshell.
     
  5. Yoshimaster96

    Yoshimaster96 Active Member

    Yeah, I know that. I was wanting more in-depth than that though. Like, how does the code get run? If you upload an image, wouldn't it just pass data from point A (client) to point B (server) without touching it? And when it needs to be viewed, it is sent back to the client to be interpreted as graphics, leaving no room for execution of any kind?
     
  6. quoting_mungo

    quoting_mungo Administrator Staff Member

    Keep in mind that the image needs to be processed by the server (using ImageMagick) in order to generate e.g. thumbnails. This, to the best of my understanding (I'm not on the tech team and this is outside my expertise), is what gave malicious embedded code an opportunity to run.
     
  7. jayhusky

    jayhusky Well-Known Member

    Quoting_mungo has the answer there.

    As the site processes the file to generate the thumbnail, that is the moment the script is given the chance to run. As it gets loaded into the executable to be processed, the file is loaded not only as a jpg, but thanks to the code inside, a bash script as well. This then executes, and since the imagemagick software is often running as the server process and not a restricted user process, it has full access to the filesystem.

    Once the code opens a backdoor to the server, an attacker has full access to do as they please.

    Although once processed the output file is no longer a vulnerability as it has been created without the malicious code embedded.
     
  8. Yoshimaster96

    Yoshimaster96 Active Member

    !!HTML 101!!

    You can set the size of an image using the "width" and "height" properties. Additionally, GIF images will only show the first frame when resized.
    Custom thumbnails are easy with a little PHP and some if statements (IDK variable names):

    Code:
    if($rating==RAT_MATURE)
    {
        echo "<div class='ratingBorderMature'>";
    }
    else if($rating==RAT_ADULT)
    {
        echo "<div class='ratingBorderAdult'>";
    }
    if($custom_thumbnail_exist==$true)
    {
        echo "<img src='/path/to/custom_thumbnail.png' width='50' height='50'/>";
    }
    else if($submission_type != SUB_ARTWORK)
    {
        switch($submission_type)
        {
            case SUB_FLASH:
            {
                echo "<img src='/default/thumb_flash.png'/>"; //should already be 50x50
                break;
            }
            case SUB_STORY:
            {
                echo "<img src='/default/thumb_story.png'/>"; //should already be 50x50
                break;
            }
            case SUB_POETRY:
            {
                echo "<img src='/default/thumb_poetry.png'/>"; //should already be 50x50
                break;
            }
            case SUB_MUSIC:
            {
                echo "<img src='/default/thumb_music.png'/>"; //should already be 50x50
                break;
            }
        }
    }
    else
    {
        echo "<img src='/path/to/submission_image.png' width='50' height='50'/>";
    }
    if($rating!=RAT_GENERAL)
    {
        echo "</div>";
    }
     
  9. quoting_mungo

    quoting_mungo Administrator Staff Member

    If you do this instead of generating separate thumbnails, anyone with a metered data plan will hate you. A primary purpose of thumbnails is to give a low-bandwidth-cost preview of content so users can get a general idea of what the content is without having to transfer a full-size data file.

    Also, the width and height attributes of the <img> tag are deprecated; you want to be setting those in CSS instead.

    Why in the world would you have a variable $true, though, or a variable/database field whose only purpose is to say whether another field is populated? More likely, you'd have something like "if(isset($custom_thumbnail))" or "if($custom_thumbnail != NULL)" or similar.
     
    Last edited: Apr 18, 2017
  10. jayhusky

    jayhusky Well-Known Member

    Setting the thumbnails height and width by HTML is irrelevant when you are discussing this attack.
    The HTML is purely from the rendered standpoint and yes it is used to define the max size the image can be on site pages when shown. However, the server runs the image via PHP through imagemagick and generates the thumbnail for the site.

    Why would you want to repeatedly download a 2K or 4K resolution file at near 10mb in size on a mobile phone with a metered connection? If that were commonplace, a user's data allowance on their tariff would be eaten through in record time.
    Hence why the server compresses, resizes and stores a multitude of different thumb sizes. It reduces the bandwidth used and saves the user from eating through any data allowances.


    While PHP can handle image resizing without a library such as GD or ImageMagick, I am almost certain FA does not do this, as it would require handling the raw binary image information within the script, and given the somewhat fragile way the code was built up over the years, it would be unlikely this method would ever have been implemented. Also it would leave gaping vulnerabilities for security.
    By using well established libraries, FA minimises the risk of security issues with them as they are constantly updated and used by millions of sites, yes they can still happen, but the risk is significantly less with FOSS like GD or ImageMagick.

    Expanding on this, you should operate a field within the DB which records thumbnail type, which is set to either "custom", "scaled" or "default".

    If the field, when queried returns
    • custom, it goes to the defined path, such as "SERVER/storage/$art_type/$username/thumbs/thumb_$submissionid.$submission_title.jpg"
    • scaled, it goes to the defined path, such as "SERVER/storage/$art_type/$username/thumbs/thumb_$submissionid.$submission_title@$size.jpg"
    • default, it goes to the defined path, such as "SERVER/storage/default_images/thumbs/$art_type.jpg"
     
  11. Yoshimaster96

    Yoshimaster96 Active Member

    I still don't understand the code part. That's the part I wanna know. Specifically the part in "Detailed Vulnerability Information", it just looks like random text.
     
  12. jayhusky

    jayhusky Well-Known Member

    A really short answer to this is that imagemagick can send images to be parsed by external libraries (hosted on the same server, but different software packages) to process the image.

    Since SVG & MVG files contain XML code they can be tampered with to inject code which is sent to the server, run through imagemagick which reads the file, finds a command asking it to do something, which it dutifully carries out and carries on.
    However that command could be file deletion, file movement or other such unpleasant activities.

    That is literally a breakdown of the Detailed information section, but cutting out code bits. All the random text is just shorthand code to perform tasks.
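    The two posts above make the same point from different angles: the dangerous moment is when the server hands the upload to ImageMagick for thumbnailing, and ImageMagick picks the decoder from the file's contents rather than its extension, so a text file full of SVG or MVG directives named photo.jpg is still parsed as SVG/MVG. The following is an added illustration of the defensive check that follows from that, written for this page and not code from FA, ImageMagick or any poster here; the function names, the constructed sample uploads and the list of accepted raster formats are all assumptions made for the example. It inspects the leading bytes ("magic") of an upload, refuses anything that is not a recognised raster image, and refuses files whose content type disagrees with their extension, before the file ever reaches the thumbnailer.

```python
# Added example (not from the original thread): validate an upload's real
# content type before passing it to an image-processing library.
from typing import Optional, Tuple

# Magic-byte signatures of the raster formats this example is willing to
# thumbnail (assumed allow-list; extend as the site requires).
RASTER_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Leading tokens of text-based vector formats that ImageMagick would happily
# interpret regardless of the file name. MVG files begin with
# "push graphic-context"; SVG files begin with an XML prolog or <svg>.
VECTOR_TEXT_PREFIXES = (b"<?xml", b"<svg", b"push graphic-context")


def detect_raster_type(data: bytes) -> Optional[str]:
    """Return 'jpg', 'png' or 'gif' based on the leading bytes, else None."""
    for fmt, magics in RASTER_SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def looks_like_vector_text(data: bytes) -> bool:
    """True if the content is SVG/MVG-style markup rather than pixel data."""
    head = data.lstrip()[:64].lower()
    return any(head.startswith(p) for p in VECTOR_TEXT_PREFIXES)


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be handed to the thumbnailer.

    Returns (accepted, reason). Every rejection names the failed check so
    the event can be logged and reviewed.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in RASTER_SIGNATURES:
        return False, f"extension .{ext or '?'} not allowed"
    if looks_like_vector_text(data):
        return False, "content is vector/text markup, not a raster image"
    detected = detect_raster_type(data)
    if detected is None:
        return False, "no recognised raster signature"
    if detected != ext:
        return False, f"extension says {ext} but content is {detected}"
    return True, f"accepted as {detected}"


# Constructed sample uploads (not real files from the incident).
GOOD_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PNG_NAMED_JPG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_DISGUISED_AS_JPG = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'
MVG_DISGUISED_AS_JPG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"


def run_samples() -> dict:
    """Run the validator over the constructed samples; used by the demo."""
    return {
        "photo.jpg (real JPEG)": validate_upload("photo.jpg", GOOD_JPEG),
        "photo.jpg (PNG inside)": validate_upload("photo.jpg", PNG_NAMED_JPG),
        "photo.jpg (SVG inside)": validate_upload("photo.jpg", SVG_DISGUISED_AS_JPG),
        "photo.jpg (MVG inside)": validate_upload("photo.jpg", MVG_DISGUISED_AS_JPG),
        "drawing.svg": validate_upload("drawing.svg", SVG_DISGUISED_AS_JPG),
    }


if __name__ == "__main__":
    for label, (ok, reason) in run_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {label}: {reason}")
```

Only the first sample is accepted; the PNG-in-a-.jpg is rejected for the extension/content mismatch, and both disguised vector files are rejected before any decoder sees them. A check like this is a front door only: it complements, rather than replaces, keeping ImageMagick patched, restricting the coders it may use through its policy.xml, and running the thumbnailer as an unprivileged account rather than as the main server process that post 7 describes.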
     
  13. Dragoneer

    Dragoneer Administrator Staff Member

    4lemon.ru: Facebook's ImageTragick Remote Code Execution

    For several months after FA was attacked using this vector, Facebook was still vulnerable to it. Thankfully, a white hat contacted them about it and provided a proof of concept so they could shut it down. While we definitely regret that the attack happened, the exploit was used almost immediately against FA after it was found, and well before we were made aware of it.
     