
Recently, one of my websites was hacked by someone who uploaded an image (shell.gif) to my server.

I have put server-side validation in place to check the file extension + MIME type of the image. However, they are still able to upload a shell script using the gif extension again.

Is there any better way to validate an image file programmatically, to see if it has any shell script signature, besides the two methods I mentioned above?

William Calvin
  • How do you know that these checks are even done? Maybe they are bypassing your check using some other exploit (like possible Shellshock). – LvB May 22 '15 at 09:31
  • I have custom activity logs. I checked the logs and they actually uploaded an image but this image is actually a virus. – William Calvin May 22 '15 at 09:36
  • possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Deer Hunter May 22 '15 at 09:44
  • Does the log actually log activity, or just intent? How is the file presented to the checker? What parameters are logged? – LvB May 22 '15 at 09:48
  • The logs show attempted loading from a certain form. Basically, if there is any form submitted, it will record all data in encrypted format. I decrypted them and I can see the name of the file uploaded and also the time. – William Calvin May 22 '15 at 10:04
  • @DeerHunter I don't think the OP is asking how to deal with the compromise as a whole. He's asking specifically how to better validate an image file. – RoraΖ May 22 '15 at 11:37

1 Answer

The mistake isn't how you validate the file. You should never execute any file that is uploaded. Full stop. If an uploaded file is supposed to be an image, then the only thing you should do with it is present it to an image processing program to be opened.

In a sense, the entire desktop paradigm of guessing the correct program to open a file by looking at its name and/or contents is a terrible idea, and absolutely must not be used by servers, with untrusted data.

ddyer
  • Some image hacks use overflow exploits in image libraries (exactly what you suggest to do) and then run code. – LvB May 22 '15 at 09:49
  • Those are by definition buggy image readers, and should not be used. There was one famously widespread instance of such a buggy reader, but it ought to be long extinct. There are always new exploits discovered, but trusting your image reader is not unreasonable. – ddyer May 22 '15 at 10:23
  • I know few image readers that implement their own parser. Most I have seen depend on libraries to do that (like the libnsgif0, libjpeg8 and libgd3 libraries). Classifying them as 'buggy' is unfounded and shows a lack of knowledge of how exploits work and where there is a risk. – LvB May 22 '15 at 10:28
  • Any image reader that can be tricked into running a shell script is buggy. – ddyer May 22 '15 at 10:44
  • By that definition all software is buggy, ergo no software is buggy (if all are ... none are). It is too 'easy' to just blame the reader. It can be, but without a specific version and program it's nonsense to say all are. (I remember a bug in the JPEG libraries included with Microsoft products that allowed an overflow injection, making all viewers on that platform 'buggy' as you call it.) – LvB May 22 '15 at 10:46
  • @ddyer Thanks, good ideas. I turned off executable. However, I am still wondering if there is a best possible way to validate image type besides extension and MIME type. – William Calvin May 22 '15 at 16:48
  • If you're looking for uploaded images to be displayed by web browsers, there are only a few formats that are acceptable. You probably have other constraints too, such as file size and image size. I would write a perl script to open the image and validate or reject it, but depending on your environment and expertise level, there may be something more suitable available to you. – ddyer May 22 '15 at 19:23
  • I guess this is the only and best answer I will get. A non-executable directory is good prevention. If you want to put in more effort, the only thing left is to check with antivirus software like nClam (.NET) to verify every uploaded file. Thanks @ddyer!! – William Calvin May 30 '15 at 16:15