lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: mettlers at thehive.ch (mettlers@...hive.ch)
Subject: avoid jpeg overflow problems using on the fly conversion?

while discussing the jpeg overflow problem and remembering the similar bmp
issue, one of my co-workers (thanks lars) brought up the idea of
sanitizing jpgs on the gateway level. google found me no hints for
existing stuff except a modified micro_proxy for converting png 2 jpg from
2001, when png support wasn't widely available. The project is at
http://freshmeat.net/projects/png2jpgproxy/ and is derived from
micro_proxy at http://www.acme.com/software/micro_proxy/

looking at the code - i admit not being a programmer - i found it quite
simple to modify the program to use it for the exact opposite. 3 lines of
code need to be changed:

from &&(strstr(line,"image/png")))  png_translate=1;
to   &&(strstr(line,"image/jpeg")))  png_translate=1;
---
from printf("Content-Type: %s\r\n","image/jpeg");
to   printf("Content-Type: %s\r\n","image/png");
---
from conv_stream=popen("/usr/X11R6/bin/convert png:- jpg:-","w");
to   conv_stream=popen("/usr/X11R6/bin/convert jpg:- png:-","w");
---

i'm not able to deliver a decent patch-file, but you'll get the idea. It
seems to work fine, no change in html-code just a new mime-type and the
gfx-format changes of course.

imho on the fly converting jpg to png should mitigate the risk of getting
malicious jpeg's. while blocking jpeg for external mail might have a low
impact, doing the same for http is not really an option. Installing
MS04-028 in a larger environment might not be that easy either. Of course
micro_proxy/png2jpg runs via (x)inetd and might not be performant enough
to handle huge loads.

I don't know of any content screening product which sanitizes graphics,
their good at removing active script, exes, plugins etc. Converting
graphics might not be the most elegant way, but using this method in a
flexible way should help to react fast on similar security issues. One
could convert gif, bmp, you name it depending on new security issues
arising. Of course ImageMagick (convert) had it's issues in the past, but
i rather deal with issues on the proxy than with the ones on the
client/IE.

The conversion approach might be suitable for sanitizing other file types
like ms office (doc, xls) etc.

just an idea...

Regards
Sascha


Powered by blists - more mailing lists