This Week In Security: ImageMagick, VBulletin, And Dota 2

There are a few binaries that wind up running in a bunch of places, silently do their jobs, and being easily forgotten about. ImageMagick is used on many servers for image conversion and resizing, and tends to run automatically on uploaded images. Easily forgotten, runs automatically, and with arbitrary inputs. Yep, perfect target for vulnerability hunting. And the good folks at Metabase found two of them.

First up is CVE-2022-44267, a Denial of Service, when ImageMagick tries to process a rigged PNG that contains a textual chunk. This data type is usually used for metadata, and can include a profile entry for something like EXIF data. If this tag is specified inside a text chunk, ImageMagick looks to the given value as a filename for finding that profile data. And notably, if that value is a dash -, it tries to read from standard input. If the server’s image processing flow doesn’t account for that quirk, and virtually none of them likely do, this means the ImageMagick process hangs forever, waiting for the end of input. So while that’s not usually a critical problem, it could be used for a resource exhaustion attack.

But the real problem is CVE-2022-44268. It’s the same trick, but instead of using - to indicate standard input, the processed image refers to a file on the server filesystem. If the file exists, and can be read, the contents are included in the image output. If the attacker has access to the image, it’s a slick data leak — and obviously a real security problem. If a server doesn’t have tight file permissions and isolation, there’s plenty of sensitive information to be found and abused.

The fix landed back in October 2022, and was part of the 7.1.0-52 release. There’s a bit of uncertainty about which versions are vulnerable, but I wouldn’t trust anything older than that version. It’s a pretty straightforward flaw to understand and exploit, so there’s a decent chance somebody figured it out before now. The file exfiltration attack is the one to watch out for. It looks like there’s an Indicator of Compromise (IoC) for those output PNGs: “Raw profile type”. Continue reading “This Week In Security: ImageMagick, VBulletin, And Dota 2”

Modernizing C Arrays For Greater Memory Safety

Lately, there has been a push for people to stop using programming languages that don’t promote memory safety. But as we still haven’t seen the death of some languages that were born in the early 1960s, we don’t think there will be much success in replacing the tremendous amount of software that uses said “unsafe” languages.

That doesn’t mean it’s a hopeless cause, though. [Kees Cook] recently posted how modern C99 compilers offer features to help create safer arrays, and he outlines how you can take advantage of these features. Turns out, it is generally easy to do, and if you get errors, they probably point out unexpected behavior in your original code, so that’s a plus.

We don’t think there’s anything wrong with C and C++ if you use them as you should. Electrical outlets are useful until you stick a fork in one. So don’t stick a fork in one. We really liked the recent headline we saw from [Sarah Butcher]: “If you can’t write safe C++ code, it’s because you can’t write C++.” [Cook’s] post makes a similar argument.  C has advanced quite a bit and the fact that 30-year-old code doesn’t use these new features isn’t a good excuse to give up on C.

Continue reading “Modernizing C Arrays For Greater Memory Safety”

Homebrew Ball Drop Machine Rings In The New Year

The New Year’s Ball Drop in New York City stems from an old English naval tradition. These days, it’s more of a celebratory thing, and [Jon Gonzalez] wanted to bring a bit of that joy to his own celebrations. Thus enter the Ball-Drop-O-Matic 3000.

The ball itself consists of two 3D printed halves assembled together with a linear bearing in the middle. It’s loaded up with a ton of addressable LEDs to give it plenty of flash, pomp, and circumstance as it rides down the flagpole. Animations are coded in to the K-1000C display controller using LEDEdit2014, an older piece of software which can turn Flash animations into commands to run WS2812B LED strips.

Lowering the ball is handled by a motorized winch. The winch is mounted at the base of the flagpole for aesthetic reasons, with the cable travelling up to the top of the pole, over a pulley, and back down to the ball. The descent speed is set to countdown the last minute of the year, with numbers animated on the ball itself.

The build was clearly a great addition to [Jon’s] New Years celebrations, even if it wasn’t quite finished until 9:35 PM on the big night. We’ve seen other fun ball drop builds before, too.

Continue reading “Homebrew Ball Drop Machine Rings In The New Year”