landlock-lsm/workshop-imagemagick

Landlock workshop to sandbox ImageMagick

The goal of this workshop is to illustrate how sandboxing can mitigate vulnerabilities. To showcase the usefulness of sandboxing, we'll use an old and vulnerable version of ImageMagick which has long been fixed, but all kinds of applications could still be impacted by similar vulnerabilities.

The CVE-2016-3714 vulnerability, aka ImageTragick, is caused by insufficient filtering of shell characters, which can lead to (potentially remote) code execution. Thanks to Landlock, we'll restrict the convert tool's access rights before it can be exploited by opening a malicious file, and thereby mitigate the impact of such a vulnerability.
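
One way to apply the restriction described above, as an added example that is not code from this repository: a process drops to read and execute access beneath one directory and read-write access beneath another, then a sandboxed child checks that a file outside both can no longer be opened. The names allow, sandbox and secret_denied are hypothetical, only Landlock ABI v1 rights are handled, and a real convert wrapper would need one rule per directory the tool uses.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, hypothetical names. ABI v1 rights only; later rights stay unhandled. */
#define FS_READ (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR)
#define FS_RO (FS_READ | LANDLOCK_ACCESS_FS_EXECUTE)
#define FS_RW (FS_READ | LANDLOCK_ACCESS_FS_WRITE_FILE | \
               LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REMOVE_FILE)
#define FS_ALL ((LANDLOCK_ACCESS_FS_MAKE_SYM << 1) - 1) /* all 13 v1 rights */

/* Grant `access` beneath `dir`; O_DIRECTORY because directory-only rights are granted. */
static int allow(int ruleset, const char *dir, __u64 access) {
    struct landlock_path_beneath_attr rule = { .allowed_access = access };
    if ((rule.parent_fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC)) < 0) return -1;
    int ret = syscall(__NR_landlock_add_rule, ruleset,
                      LANDLOCK_RULE_PATH_BENEATH, &rule, 0);
    close(rule.parent_fd);
    return ret;
}

/* 0: enforced, 1: Landlock unavailable (caller stays unrestricted), -1: error. */
int sandbox(const char *ro_dir, const char *rw_dir) {
    struct landlock_ruleset_attr attr = { .handled_access_fs = FS_ALL };
    int ruleset = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (ruleset < 0) return 1; /* not built in, disabled at boot, or filtered */
    int failed = allow(ruleset, ro_dir, FS_RO) || allow(ruleset, rw_dir, FS_RW) ||
                 prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
                 syscall(__NR_landlock_restrict_self, ruleset, 0);
    close(ruleset);
    return failed ? -1 : 0;
}

/* Sandbox a child, then try to read `secret`. 0: denied, 1: no Landlock, 2: failure. */
int secret_denied(const char *ro_dir, const char *rw_dir, const char *secret) {
    int status = 0, s;
    pid_t pid = fork();
    if (pid == 0) {
        if ((s = sandbox(ro_dir, rw_dir)) == 0)
            s = (open(secret, O_RDONLY) < 0 && errno == EACCES) ? 0 : 2;
        _exit(s < 0 ? 2 : s);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 2;
    return WEXITSTATUS(status);
}
```

Called as secret_denied("/usr", "/tmp", "/etc/passwd") (constructed stand-in paths), it returns 0 on a kernel with Landlock enabled. A wrapper would call sandbox() and then execvp() the tool, since the restriction is inherited across execve().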

See the slides dedicated to this Landlock workshop.

Install tools

For this workshop, we will use Vagrant to set up a dedicated virtual machine (VM). Run the following commands as root according to your Linux distribution.

Arch Linux

pacman -S vagrant libvirt base-devel dnsmasq
systemctl enable --now libvirtd.service

See the Arch Linux libvirt tutorial for more details.

Debian or Ubuntu

apt install --no-install-recommends vagrant qemu-utils ruby-libvirt ruby-dev libvirt-daemon-system qemu-system

See the Debian KVM tutorial for more details.

Fedora

dnf install vagrant qemu libvirt
systemctl enable --now virtnetworkd

Start the VM manager

Start libvirtd if needed:

systemctl start libvirtd.service

We then need to allow the developer (an unprivileged user) to use libvirt by adding that user to a dedicated group:

usermod -a -G libvirt <user>

This group update will take effect the next time the user logs in. Alternatively, the user can update a shell session with:

su $USER

Create and start the VM

As an unprivileged user, clone this repository:

git clone https://github.com/landlock-lsm/workshop-imagemagick
cd workshop-imagemagick

The Vagrant VM provisioning may install 2 Vagrant plugins on the host system; all other commands are executed in the VM. After the plugins are installed (if any), Vagrant may ask you to run the same command again to proceed with the VM configuration:

vagrant up

If the Vagrant plugin installation failed because of a dependency issue, you might want to run this:

VAGRANT_DISABLE_STRICT_DEPENDENCY_ENFORCEMENT=1 vagrant plugin install --local

This may download a VM image (~330 MB) and packages (~230 MB). After the download is complete, it should take less than 4 minutes to install and build the requirements. It is OK to see a lot of build warnings because the ImageMagick source code is old compared to the build tools.

A virbr network interface will be created. On most systems this should work as is; otherwise, we may need to allow inbound connections (and routing) from the loopback interface, depending on the host's firewall rules.

Create a snapshot of the VM

Just in case...

vagrant snapshot push

Connect to the VM

vagrant ssh

Test the VM

On the VM, run an ImageMagick command to test the attack:

convert /vagrant/exploit/malicious.mvg out.png

You should see the VM's SSH private key.

On the host system, check if you can copy files from the VM:

vagrant scp :out.png .
xdg-open out.png

You should see a white square.