Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?

2022-06-20 Thread Corey H
(am I sending my emails right?? I selected "Reply All.")
>> how do you guys test all of the potential PNG/JPG potential malware
>> payloads
> What's your use-case?

lol funny story.
I downloaded all of the github.com links ripped from the blackarch main
page (~8GB worth of repositories)
ANYWAYS

I wanted to see the pictures...start with the fun stuff first,
right?

So I went: `find . -type f \( -name '*.png' -o -name '*.jpg' \) -exec cp -f '{}' "$SOME_DIR" \;`

hehe then I was like OMG what am I doing when I saw an image name called:
Something like this:
Parser < 7.png
WHOA. my heart raced.
And I was like "I'm not ready for this."

So then I started imagining all of the stuff in those 1000+ PNG/JPG files
that I want to view with ristretto image viewer.
...and I was like: No way. No freakin' way.
I deleted all of the image files and then all of the cloned github.com
repositories.
NOT worth viewing.
I don't care if `file myfile.png` says "PNG file"
lol

On Mon, Jun 20, 2022 at 4:11 PM Sebastian Rose wrote:

> Davide Prina  writes:
> > Corey H wrote:
> >
> >> how do you guys test all of the potential PNG/JPG potential malware
> payloads
>
> What's your use-case? As I'm not aware of a vector for GNU/Linux in
> normal everyday use¹, I guess you host files for Windows clients?
>
> Did anyone mention ClamAV already? If so, please ignore me (sorry for
> not following closely...).
>
>
>  - Sebastian
>
>
> ¹ One can execute every file on GNU/Linux. But the attack is that
> execution of a file, not the file (otherwise we'd have to consider `rm',
> `gpg', `scp', and many more malware, too).
>
>
> --
> As I was walking down Stanton Street early one Sunday morning, I saw a
> chicken a few yards ahead of me.  I was walking faster than the chicken,
> so I gradually caught up.  By the time we approached Eighteenth Avenue,
> I was close behind.  The chicken turned south on Eighteenth.  At the
> fourth house along, it turned in at the walk, hopped up the front steps,
> and rapped sharply on the metal storm door with its beak. After a
> moment, the door opened and the chicken went in.
>
>   (Linda Elegant in "True Tales of American Life")
>
>


Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?

2022-06-20 Thread Shubo
I feel like ClamAV would be the cheapest and easiest solution for 
handling PNGs and JPGs, but like Sebastian said it does depend on use 
case. There are multiple AV scanners/solutions but many are paid 
services. I've been using ClamAV for my email setup and it feels like 
it's been sufficient. You would need to enable PNG/JPEG extensions for 
ClamAV if that would be your plan and some sort of sandboxed environment 
for clamav/imagemagick iirc.



P.S. I've just subscribed to this list, so please excuse me if I repeated 
any information as I can't see this whole email thread.



 Shubo

On 6/20/2022 12:10 PM, Sebastian Rose wrote:

> Davide Prina writes:
>
> > Corey H wrote:
> >
> >> how do you guys test all of the potential PNG/JPG potential malware payloads
>
> What's your use-case? As I'm not aware of a vector for GNU/Linux in
> normal everyday use¹, I guess you host files for Windows clients?
>
> Did anyone mention ClamAV already? If so, please ignore me (sorry for
> not following closely...).
>
>
>   - Sebastian
>
>
> ¹ One can execute every file on GNU/Linux. But the attack is that
> execution of a file, not the file (otherwise we'd have to consider `rm',
> `gpg', `scp', and many more malware, too).



Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?

2022-06-20 Thread Noah Meyerhans
On Mon, Jun 20, 2022 at 09:25:38AM -0700, Noah Meyerhans wrote:
> https://security-tracker.debian.org/tracker/source-package/imagemagick
> 
> If you're processing data (images, videos, audio files, etc) from
> unknown sources, it's a really good idea to use sandboxing of some kind,
> ensure that sandboxes are never reused, and to ensure that only the most
> minimal state possible (e.g. the output of the processing job) is
> preserved after execution.  The sandbox can use things like seccomp and
> apparmor to enforce containment.  Linux namespaces are useful as well: A
> private network namespace that doesn't have access to the outside world,
> a private mount namespace that has a unique root file system (ideally
> read-only), etc.
> 
> Containers, as implemented by podman, docker, and systemd-container can
> help here by providing convenient interfaces to these process isolation
> tools.

Sorry, hit send before I meant to.  The above is all about protecting
against new, unknown issues for which the mitigation isn't known.  For
protection against known issues, of course, you should simply make sure
you're running up-to-date versions of all your software.

noah



Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?

2022-06-20 Thread Noah Meyerhans
On Mon, Jun 20, 2022 at 06:10:45PM +0200, Sebastian Rose wrote:
> >> how do you guys test all of the potential PNG/JPG potential malware 
> >> payloads
> 
> What's your use-case? As I'm not aware of a vector for GNU/Linux in
> normal everyday use¹, I guess you host files for Windows clients?

https://security-tracker.debian.org/tracker/source-package/imagemagick

If you're processing data (images, videos, audio files, etc) from
unknown sources, it's a really good idea to use sandboxing of some kind,
ensure that sandboxes are never reused, and to ensure that only the most
minimal state possible (e.g. the output of the processing job) is
preserved after execution.  The sandbox can use things like seccomp and
apparmor to enforce containment.  Linux namespaces are useful as well: A
private network namespace that doesn't have access to the outside world,
a private mount namespace that has a unique root file system (ideally
read-only), etc.

Containers, as implemented by podman, docker, and systemd-container can
help here by providing convenient interfaces to these process isolation
tools.

noah
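As an added example that is not from Noah's mail, here is one way to put the above into practice with podman from Python: a fresh container per job (`--rm`), a private network namespace with no outside access (`--network none`), a read-only root file system, no capabilities, bounded memory and PIDs, and only the converted output copied back out before the scratch directories are deleted. The image name `localhost/imagemagick-sandbox:latest` and the use of ImageMagick's `convert` inside it are assumptions; the flags are standard `podman run` options, and podman's default seccomp profile applies unless overridden.

```python
"""Run an untrusted image through ImageMagick inside a throwaway podman
container. Added example, not from the thread: each job gets a fresh
container (--rm) and fresh temp directories, the container has no network,
a read-only root, no capabilities and podman's default seccomp profile, and
only the converted output is copied back out. SANDBOX_IMAGE is an assumed
name for any image that has ImageMagick's `convert` installed.
"""
import os
import shutil
import subprocess
import tempfile

SANDBOX_IMAGE = "localhost/imagemagick-sandbox:latest"  # assumption


def sandbox_argv(in_dir: str, out_dir: str, image: str = SANDBOX_IMAGE) -> list:
    """podman command line: everything the job needs and nothing else."""
    return [
        "podman", "run", "--rm",                      # never reuse a container
        "--network", "none",                          # private, empty netns
        "--read-only",                                # immutable root fs
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",  # scratch space only
        "--cap-drop", "ALL",                          # no capabilities at all
        "--security-opt", "no-new-privileges",        # no setuid escalation
        "--pids-limit", "64",                         # bound fork/thread use
        "--memory", "256m",                           # bound decompression bombs
        "--volume", f"{in_dir}:/in:ro",               # input is read-only
        "--volume", f"{out_dir}:/out",                # the only writable path
        image,
        "convert", "/in/input", "/out/output.png",
    ]


def convert_untrusted(src: str, dest: str, timeout: int = 60) -> bool:
    """Convert `src` to a fresh PNG at `dest` inside the sandbox.

    Returns False if the job failed, timed out or produced nothing; every
    other state (temp dirs, container) is discarded regardless of outcome.
    """
    if shutil.which("podman") is None:
        raise RuntimeError("podman is required for the sandbox")
    with tempfile.TemporaryDirectory() as in_dir, \
            tempfile.TemporaryDirectory() as out_dir:
        shutil.copyfile(src, os.path.join(in_dir, "input"))
        try:
            proc = subprocess.run(sandbox_argv(in_dir, out_dir),
                                  capture_output=True, timeout=timeout)
        except subprocess.TimeoutExpired:
            # subprocess kills the podman client; a stuck container is still
            # bounded by --pids-limit/--memory and can be reaped with podman ps.
            return False
        produced = os.path.join(out_dir, "output.png")
        if proc.returncode != 0 or not os.path.isfile(produced):
            return False
        shutil.copyfile(produced, dest)
        return True
```

The output is a re-encoded PNG written by the sandboxed process, so the original bytes never reach the viewer on the host; if the converter crashes or hangs, the caller gets `False` and nothing else survives the job.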



Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?

2022-06-20 Thread Sebastian Rose
Davide Prina  writes:
> Corey H wrote:
>
>> how do you guys test all of the potential PNG/JPG potential malware payloads

What's your use-case? As I'm not aware of a vector for GNU/Linux in
normal everyday use¹, I guess you host files for Windows clients?

Did anyone mention ClamAV already? If so, please ignore me (sorry for
not following closely...).


 - Sebastian


¹ One can execute every file on GNU/Linux. But the attack is that
execution of a file, not the file (otherwise we'd have to consider `rm',
`gpg', `scp', and many more malware, too).


-- 
As I was walking down Stanton Street early one Sunday morning, I saw a
chicken a few yards ahead of me.  I was walking faster than the chicken,
so I gradually caught up.  By the time we approached Eighteenth Avenue,
I was close behind.  The chicken turned south on Eighteenth.  At the
fourth house along, it turned in at the walk, hopped up the front steps,
and rapped sharply on the metal storm door with its beak. After a
moment, the door opened and the chicken went in.

  (Linda Elegant in "True Tales of American Life")



Re: How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?

2022-06-18 Thread Davide Prina
Corey H wrote:

> how do you guys test all of the potential PNG/JPG potential malware payloads
 
to check any file for potential malware you can use:
chkrootkit
rkhunter

but you can also try with:
binwalk <- detect/extract binary data in files
strings <- to detect strings in the image/audio file
exiftool, exiv2 <- to detect metadata

but in image/audio files you can also hide information with steganography[¹]
you can try with:
stegcracker
stegosuite
foremost

I have read that you can determine whether an image file has hidden content or not,
but I don't know if there is software that does only this check. Probably with
histogram analysis[²] you can find suspected altered files.
You can start reading about steganalysis[³] and report results here.

Ciao
Davide

[¹] https://en.wikipedia.org/wiki/Steganography
[²] https://en.wikipedia.org/wiki/Image_histogram
[³] https://en.wikipedia.org/wiki/Steganalysis

--
My Privacy is None of Your Business
https://noyb.eu/it



How do you guys handle PNG/JPG binary files with potential payloads for all the image viewers?

2022-06-16 Thread Corey H
how do you guys test all of the potential PNG/JPG potential malware
payloads for all of the image viewers (10+ at least in the repositories)?

On #debian on the Libera.chat IRC network they suggested it was up to the
upstream software sources to, I guess... somehow???... test the awful binary
formats possible that are out there...? That's a 900% responsibility and
900% dangerous for them to do that. There has got to be something we can do.
But who can risk it?