Alert: RAW File Security Issue
luke_church
Registered Users Posts: 507 Major grins
Hi All,
This applies esp. to Macs, but the advice in red also applies to every other platform that handles RAW files (Photoshop, DxO, IrfanView etc. etc.)...
Apple's latest security fix (or litany of fixes: 2007-003) includes a patch to a potential vulnerability in processing RAW files that I discovered whilst doing some security research.
A brief discussion of the issue can be found here:
http://lukechurch.blogspot.com/2007/03/beware-of-raw-files.html
Headline message: Patch your computer, and then beware of RAW files that you can't completely trust.
If you have to handle RAW files from people who you can't fully trust, contact me and I'll discuss what you could do about the problem...
Apple's disclosure can be found here:
http://docs.info.apple.com/article.html?artnum=61798
Relevant bits copied below
CVE-ID: CVE-2007-0733
Available for: Mac OS X v10.4 through Mac OS X v10.4.8, Mac OS X Server v10.4 through Mac OS X Server v10.4.8
Impact: Viewing a maliciously-crafted RAW Image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the process of handling RAW images. By enticing a user to open a maliciously-crafted image, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of RAW images. This issue does not affect systems prior to Mac OS X v10.4. Credit to Luke Church of the Computer Laboratory, University of Cambridge, for reporting this issue.
By patching your machine, you not only help yourself, but also help to protect the general community. Please do it when you can.
Be safe....
Luke
Thanks, we do our best
SmugSoftware: www.smugtools.com
adj. Infamous by way of being extremely wicked.
[Latin nefārius, from nefās, crime, transgression : ne-, not + fās, divine law.]
nefariously ne·far'i·ous·ly adv.
nefariousness ne·far'i·ous·ness n.
http://wall-art.smugmug.com/
Varies depending on the target platform.
The MacOS memory manipulation issue is rather more subtle than that, but I'm not going to release any details as to what the error was in case someone decides to try to exploit it.
Portfolio • Workshops • Facebook • Twitter
moderator of: The Flea Market [ guidelines ]
Oh, you can touch them, just not on a Mac.
Portland, Oregon Photographer Pete Springer
website blog instagram facebook g+
How many people or companies use RAW files not shot by themselves?
I have a catapult. Unless you give me all your money, I will hurl a huge rock at your head.
http://www.mcneel.com/users/jb/foghorn/ill_shut_up.au
"Failure is feedback. And feedback is the breakfast of champions." - fortune cookie
Dgrin FAQ | Me | Workshops
That is way too specific...they are finally after me! To the bunkers!!!
Pack plenty of lattes.
10,000 packets of freeze-dried latte mix...check
I respectfully disagree.
1. Whilst this isn't a very common usage, it suffers from a serious social engineering attack: 'Here's an image file (which most people assume is a 'safe' format) for you to look at'. We can even arrange it so that the preview looks valid, then as soon as you open it, we own your machine. Whilst this isn't very common, it's easy to trick people into performing...
E.g. someone claims to be sending you in that format for any number of specious reasons, such as quality, proof of originality etc. Or just genuinely asking for help.
In the most extreme case we can make the preview look like soft pornography. This has a dramatic effect on uptake; see the Anna Kournikova (or however you spell it) virus.
2. The serious problem is that Apple went and built the functionality into their OS. If it had been a 3rd party only exploit, then it could only have been used for directed attacks, due to the epidemiology of a population where less than 1% of the machines are vulnerable. Unfortunately, as MacOS built it into the platform, that's a 5% attack base for free.
I have no idea what they have done with their server platform as I don't have a MacOS server to test. I also have no idea whatsoever why RAW viewing code should be running on a server; I seriously hope it wasn't in the default build. But I hope not, and at least they've now fixed the issue....
So hopefully you see that whilst I agree with you that the answer is not many, the social engineering potential means that this answer doesn't matter in order to make this exploit dangerous....
The other issue is that we're beginning to see increasingly targeted attacks against companies; unless people apply the patch and the issue becomes known, this would be an ideal vector as people consider RAW files to be 'safe'...
Luke
Thanks.
Absolutely not. :-(
I reported related issues to over 10 different organisations, many on the Windows platform. Most of the issues are still outstanding. As I suggested in my blog post, many of the companies do not have a security response procedure, so it's unlikely that this vulnerability will be fixed in their products anytime soon. E.g. many don't have a way of distributing patches. Attacks of greater severity have been demoed on Windows + 3rd party App test machines.
The reason I'm telling people this now is that anyone trying to exploit the issue maliciously now has enough information to search for the problem, so the race has already started and it's now an issue of how quickly we can get the majority of machines patched before they start trying to exploit things... (if they do)
And ideally let the people who handle dubious RAW files know quickly, so that the 'targeted attack' issue is diminished in severity as well...
Sure. I have not seen any evidence that Linux platforms aren't vulnerable. Apple were unique in that they went and built the issue into the default build of their OS, but that's the only thing that's different about them. (Oh, and they've released a patch. Credit to them for that.)
So in summary, the exploit is fairly specific as almost all exploits are, but there is strong evidence of related vulnerabilities in every platform that I tested. Patching status is variable, with some organisations not replying to my emails, some organisations replying and then I hear nothing from them and some patching the issues.
I would assume that all platforms and all 3rd party RAW processing code is vulnerable, unless you have any reason to think otherwise.
I can't really state which patches have fixed which problems, but I would **strongly advise people to patch their 3rd party RAW processing engines** if a patch is available.
Does that help?
It's my belief that the patch fixes Apple's RAW hole.
However I don't have an Apple box to test stuff on and Apple declined to lend me one.
It is always possible that the patch is only a partial one, but my current understanding is that Apple believe that the patch fixes the issues in MacOS.
If you view your RAW files in another application, e.g. Photoshop, then it's entirely possible that the issue has not been completely resolved.
Thanks, Luke!
Good to see the sense of humour is still going strong, Andy.
This is my point. It isn't common usage, so a low probability vulnerability. Pretty strange way to attack folks, not likely to get much penetration.
e-mailing RAW files isn't easy to do, they tend to be rather large and many e-mail systems will reject them for reasons of file size. BTDT
This is my recommended solution. You then have to be careful to prevent cross-VM leakage/attacks (e.g. shared file spaces are a common target). You probably want to then throw your VM away, i.e. reboot it without committing changes to the undo disk.
This is the way I am advising people who have to handle any suspect files to deal with them.
Essentially you're just assuming that the RAW file is a program, so viewing it executes that program. Then assume that it's trashed your VM, just as a hostile program could, and if your VM environment is remotely worth its salt (e.g. Xen, VMWare or MS VPC) you're still OK.
That's the way I do my testing....
Perfect! This is fantastic, thank you a billion times.
Hi
I agree that it isn't a common usage, I disagree that that makes it low enough probability not to worry.
I'm not claiming that the world is going to end. But there are a number of factors that make this more serious than might generally be the case, and I don't think I agree with your analysis
I guess we're going to have to agree to disagree.
-> We've seen attacks dealing with far more obscure files than RAW files that achieved substantial damage. And this is even worse than many of them, on many platforms you don't even have to open the damn things, just viewing a folder that contains one of the compromised files triggers the thumbnailer to kick in, and the attack is launched.
-> emailing RAW files is only hard because of their size. We don't necessarily have to ship full RAW files in order to exploit the problem; even if we do, we might be able to pad them with a highly systematic pattern that a ZIP compressor would pack away to nothing.
-> emailing links can be made to work rather well. Phishers don't seem to be doing too badly...
-> The social engineering vector for this attack is unusually strong due to its nature as an image file. It's nowhere near as bad as the JPEG issues were, but we're dealing with a far less professional group of developers than we were back then.
I refuse to gamble on low penetration these days; we've been wrong so many times that it's just a daft game to play (IMHO).
I think what he means is that the raw file itself can hide an executable.
Yep. But my question is more about the discussion he's having with Waxy. I mean, I NEVER get RAW files from untrusted sources. Never.
BUT: I could easily get a file that I thought was something else...
The question is, if you did get one, would your procedures be OK? E.g. would you save it in a folder and then view that folder in a program that can preview RAW files?
The files can hide in a few ways. Compressed file packages (zip, gzip etc), and behind URLs are the most common ones.
You probably don't want to rely on not getting such a file; people don't generally tend to get things right first time when there's someone else (an attacker) trying every trick in the psychologist's book to make them get it wrong. Eliminating the vulnerability through a combination of technical means and safe procedures is the way to go.
So the answer to your question isn't a simple one. It rather depends on the level of hiding one might expect...
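A triage check along the lines of the "safe procedures" Luke describes above, as an added example that is not part of this thread or of any product mentioned in it: it identifies RAW-format payloads by header bytes rather than by extension, descending into zip archives, so a received file can be quarantined before it lands in a folder that a RAW-aware thumbnailer will scan. The format signatures are taken from public format descriptions and the sample files are constructed for the example; both are assumptions, not anything stated in the thread.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Header signatures for common RAW containers (assumed from public format
# descriptions, not from this thread). NEF, CR2, DNG, PEF and ARW are TIFF-based,
# so a bare TIFF header is enough for a thumbnailer to invoke a RAW decoder.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("fujifilm-raf", b"FUJIFILMCCD-RAW"),
    ("olympus-orf", b"IIRO"),
    ("olympus-orf", b"MMOR"),
    ("tiff-family", b"II*\x00"),
    ("tiff-family", b"MM\x00*"),
]

def classify(data: bytes) -> Optional[str]:
    """Return a RAW family name if the leading bytes look like a RAW/TIFF header."""
    for family, magic in SIGNATURES:
        if data.startswith(magic):
            # Canon CR2 is a TIFF file carrying 'CR' at byte 8; name it precisely.
            if family == "tiff-family" and data[8:10] == b"CR":
                return "canon-cr2"
            return family
    return None

def triage(name: str, data: bytes) -> List[Tuple[str, str]]:
    """List (path, family) for every RAW-looking payload, descending into zip archives."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        hits: List[Tuple[str, str]] = []
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                # Only the raw bytes are inspected; the image is never decoded.
                hits += triage(f"{name}/{info.filename}", archive.read(info))
        return hits
    family = classify(data)
    return [(name, family)] if family else []

# Constructed samples: a CR2-style header saved under a .jpg name, and a zip
# that wraps a TIFF-based RAW header under an innocuous name.
SAMPLE_CR2_AS_JPG = b"II*\x00\x10\x00\x00\x00CR\x02\x00" + b"\x00" * 20
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("notes.txt", "nothing to see")
    _zf.writestr("holiday.dat", b"MM\x00*\x00\x00\x00\x08" + b"\x00" * 20)
SAMPLE_ZIP = _buf.getvalue()

if __name__ == "__main__":
    for path, data in [("photo.jpg", SAMPLE_CR2_AS_JPG), ("pics.zip", SAMPLE_ZIP)]:
        for member, family in triage(path, data):
            print(f"quarantine: {member} looks like a {family} file")
```

Anything the check flags is routed to the throwaway VM Luke recommends rather than opened on the workstation; the check itself never decodes the image, so it does not exercise the vulnerable parser.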