Every Now And Then The World Of FLOSS Messes UP

“If you’re using ImageMagick on your website to identify, crop, resize or tweak pictures provided by your users, you must make sure you’ve applied these mitigations, and tweaked your code to only accept valid image files. Sandboxing ImageMagick is also a good idea.”
 
See Server-jacking exploits for ImageMagick are so trivial, you’ll scream
Yep. This is one of those widely used FLOSS tools that has big holes in security. It’s again one of those vulnerabilities where images are treated as code with no checking/sanitizing.

ImageMagick is a tool I use widely. Fortunately, it’s not exposed to users on this blog and at home TLW mostly uses it with images that she produces, so exposure is limited. OTOH, it could take a week to do a major rewrite and distribution of the package. To be safer, I could switch to another image-processor locally or use these tweaks. This is very embarrassing as ImageMagick has been around for many years. Somehow, the authors learned nothing from hundreds of similar exploits of That Other OS.
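One concrete form of the “only accept valid image files” tweak the Register quote recommends, as an added example that is not from this post or from ImageMagick itself: check an upload’s leading bytes against the signatures of the raster formats you actually want to accept before handing the file to `convert`, so that neither the filename extension nor a client-supplied MIME type decides which ImageMagick coder runs. The allow-list, the helper names and the sample inputs below are assumptions constructed for the example.

```python
"""Validate an uploaded file's content before passing it to ImageMagick.

ImageMagick picks a coder from the file's leading bytes (or the name), so a
file called picture.png that is really some text-based format is still parsed
as that format.  Accepting only files whose magic bytes match a short
allow-list of raster formats keeps every other coder out of the path.
Added example for this post; names and allow-list are assumptions.
"""
from __future__ import annotations

# Magic-byte signatures of the raster formats a typical upload form needs.
# Anything else (including any text-based image format) is rejected outright.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF87a",
    "gif ": b"GIF89a",   # second GIF signature; trailing space only keeps the key unique
}


def detect_format(data: bytes) -> str | None:
    """Return the allow-listed format whose signature starts `data`, else None.

    The filename is deliberately not an input: only the bytes count.
    """
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name.strip()
    return None


def validate_upload(data: bytes, max_bytes: int = 10 * 1024 * 1024) -> str:
    """Raise ValueError unless `data` is a small enough, allow-listed raster image."""
    if len(data) > max_bytes:
        raise ValueError("upload too large")
    fmt = detect_format(data)
    if fmt is None:
        raise ValueError("not an accepted image format")
    return fmt


def is_acceptable(data: bytes) -> bool:
    """Boolean wrapper around validate_upload for callers that just need yes/no."""
    try:
        validate_upload(data)
        return True
    except ValueError:
        return False


def build_convert_command(fmt: str, src: str, dst: str, max_side: int) -> list[str]:
    """Build the argv for a resize that pins the coder on both sides.

    The explicit `FORMAT:` prefix tells ImageMagick which coder to use, so it
    cannot re-sniff the validated file as a different format.  The `>` flag
    only shrinks images larger than max_side; it never enlarges.
    """
    if fmt not in {"png", "jpeg", "gif"}:
        raise ValueError("format not allow-listed")
    return [
        "convert",
        f"{fmt}:{src}",
        "-resize", f"{max_side}x{max_side}>",
        f"{fmt}:{dst}",
    ]


# Constructed sample uploads: a minimal PNG-looking blob, a JPEG start, and a
# plain text file that an attacker might have renamed to picture.png.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLE_TEXT_RENAMED_PNG = b"this is not an image, whatever the name says\n"


if __name__ == "__main__":
    for label, blob in [("png", SAMPLE_PNG), ("jpeg", SAMPLE_JPEG),
                        ("renamed text", SAMPLE_TEXT_RENAMED_PNG)]:
        print(label, "->", "accepted" if is_acceptable(blob) else "rejected")
    print(" ".join(build_convert_command("png", "/tmp/in.png", "/tmp/out.png", 800)))
```

Run the validated file through `build_convert_command` (and through the policy.xml mitigations the Register article links to) rather than calling `convert` on the raw upload path.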

On a lighter note, I’ve been helping TLW learn to use ImageMagick through Coppermine Photo Gallery on Beast and setting up a nice database of images mostly of plants and fruits and vegetables. It will be very useful when discussing horticulture at our next big party.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

59 Responses to Every Now And Then The World Of FLOSS Messes UP

  1. oiaohm says:

    Services under windows are isolated from user actions but not from each other properly.
    Someone cannot read this line. This line does not apply to XP or before; it only applies to systems with session 0 isolation. Why? On XP and before, the first user on the system used session 0, and so did every service on the system.
    Wizard Emeritus
    Of course you conveniently forget about session 0 isolation, a major change to windows that has been in place since windows vista
    I did mention session isolation; I just did not say Vista or newer. Just because you cannot read, and want to skip over what I have typed without reading it all and then make up an argument that you think you have won. So in this case you are the complete loser.

    In fact the PDF about session 0, if you read it carefully, is also clear on that point. Session 0 is shared between services, which brings some security issues of its own. It’s better than XP and before, where users and services were sharing the same sessions a lot of the time.

    Dr Loser, you need to go and read what Microsoft supports by the shims that were added in XP to run older applications, like the one that disables buffer overflow protection and NX protection when someone happens to be running an old Visual Basic application made with a particular version of Visual Basic. This even happens on Windows 10 because the shim system lowers some security settings so old 9x applications can still run. Of course attackers can exploit this to get around some of the newer Windows security additions. So yes, there is a list of 9x attacks that still work against Windows 10 due to the shim system for compatibility. At some point Microsoft really needs to kill off these 9x compatibility shims no matter how much end users scream.

    Uh, bugs created in Lose ‘9x still appearing in “10”? How do they manage to copy those bugs? It’s easy: “cp Lose ‘9x/some.dll 10/some_v47.dll”
    Robert Pogson, really it is the tip of the iceberg called backwards compatibility. Too much backwards compatibility in fact means keeping very old security flaws alive.

  2. DrLoser wrote, “I don’t suppose you will ever admit that you have been running X on Beast since day one, will you?”

    Beast was my PC for ages. Why would I not have X running on it? It was never intended to be a super-secure machine. I used it in my home and in computer labs and a few classrooms and a conference. The imminent ARMed replacement may well run without X, simply because there’s no video interface to start. BTW, my practice with most installations of Debian is to do a minimal install without X and install what I want after the first boot. That ensures I don’t pull in GNOME and KDE, stuff I don’t usually want. So, Beast was probably headless for a few minutes at least… It was so long ago, I don’t remember exactly except I know it was Debian GNU/Linux and I was in Nunavut. That’s when I upgraded to AMD64 and donated the old Beast’s motherboard to the students’ lab downstairs where it ran 24 clients with ease and reliability.

  3. Dr Loser says:

    Uh, bugs created in Lose ‘9x still appearing in “10”? How do they manage to copy those bugs? It’s easy: “cp Lose ‘9x/some.dll 10/some_v47.dll”

    Quite apart from the fact that almost all Wintel PCs are now 64 bit, which means that your interesting little noddy attack won’t work, Robert … why would anybody who is not a senile destructive lunatic ex-teacher who wants to force Linux on defenceless schoolchildren even want to do this?

  4. Dr Loser says:

    And I don’t suppose you will ever admit that you have been running X on Beast since day one, will you?

    Oh well. We’ll just have to take that obvious fact for granted.

  5. Dr Loser says:

    How about new, improved and easy? That’s what some folks parrot today, if only you keep buying M$’s latest product you’ll be OK.

    Frothing again, Robert. I seem to have got to you, for some reason. Which is odd, because I only really wanted to discuss headless servers in a sane and informative manner.

    But since you yet again wish to pursue a diversion, perhaps you would favor us with a cite?

    Probably not though. Evidence really isn’t your gig, is it?

  6. The Wiz wrote, “you infer that Windows 10 design is still somehow majorly affected by windows 9x. Do you have any real proof of this, or is this just more blind ignorant bigotry?”

    Uh, bugs created in Lose ‘9x still appearing in “10”? How do they manage to copy those bugs? It’s easy: “cp Lose ‘9x/some.dll 10/some_v47.dll”

  7. Dr Loser wrote, ” Which part of the “failing servers” bit do M$ not tell their customers?”

    How about new, improved and easy? That’s what some folks parrot today, if only you keep buying M$’s latest product you’ll be OK. That’s a lie. Folks are just applying more locks and chains to their ankles and wrists.

  8. Dr Loser says:

    Should I have written any code to make someone’s life difficult? No. I never did.

    There’s precious little evidence that you have written any code to make someone’s life easy, either.

    I guess it’s a wash, really.

  9. Dr Loser says:

    Oh, they never tell the buyer that.

    Which part of the following direct quote from you does that apply to, Robert?

    M$ wanted their servers to fail so they could sell more software. That never made any sense to me but M$’s salesmen fooled many with that line.

    It doesn’t apply to any of it at all, does it? Let me ask you a simple question. Which part of the “failing servers” bit do M$ not tell their customers? Which part do they tell them to “fool them … [and] sell more software?”

    ‘Fess up. You were telling porkies, weren’t you?

    It’s what they are thinking or discuss amongst themselves.

    In relation to supplying a server with an enforced GUI interface? It’s still a diversion, in fact an evasion, Robert. And it’s still beside the point. But unless you have evidence that (to use your words) a M$ salesman has said any such thing at a point where Windows Servers were available, which let me remind you is some temporal distance removed from your bleating DoJ drivel, then one can only conclude that you are pulling your paranoid fantasy out of thin air.

  10. Dr Loser says:

    Technically, btw, if you do use X on Beast, it would be an X Client. But of course you knew that.

    And the X servers would be running on your various $50 bits of reclaimed hardware. Which would make them “Thin Servers,” not “thin clients.” But of course you knew that too.

    I assume an honest answer to my question will be forthcoming shortly.

  11. Dr Loser says:

    It’s perfectly OK not to have an Xserver on a headless GNU/Linux terminal server.

    Indeed it is, Robert. Perhaps, given the fact that we both agree on this, you would answer the question directly, for once.

    Do you or do you not run X on Beast?

  12. Wizard Emeritus says:

    “I’ve designed a lot of software. Number one issues were correctly and efficiently accomplishing some task on the computer. Should I have written any code to make someone’s life difficult? No. I never did. M$ should not have done that. By locking in the world to that crapware, they locked themselves into producing an inferior product for a generation. What a sad waste. What a burden on humanity.”

    You seem to forget that the ancient DOJ emails that you keep coming back to talk about talk about an extremely obsolete version of Windows that has been out of production for over 15 years. Also gone are most if not all of the players referenced. Yet you infer that Windows 10 design is still somehow majorly affected by Windows 9x. Do you have any real proof of this, or is this just more blind ignorant bigotry?

  13. DrLoser, showing great ignorance, wrote, “By the way, are you really claiming that the Beast doesn’t run X? Because if it doesn’t, that’s surely going to make your dream of Thin Clients Everywhere a little difficult to achieve.”

    Applications, in GNU/Linux usually connect to an Xserver somewhere, often on the client machine where the application runs but also on the client machine remote from a server where the user’s application runs. It’s perfectly OK not to have an Xserver on a headless GNU/Linux terminal server. In labs, I often used Beast or another machine as an extra client so it did run an Xserver but in Easterville, where the servers were locked away in a rack in server rooms, no Xserver was required on the server. There was an Xserver in the chroot shared by NFS with the thin clients, but the code was executed on the thin clients, not on the server. X as you know is quite insecure but by making the terminal server headless, one gets a big improvement. Another often used protocol is to ship X-traffic over OpenSSH.

    Dr Loser also wrote, “A line which no Microsoft salesman in history has ever uttered, a line which you personally have never heard, and a line for which you have precisely no evidence whatsoever.”

    Oh, they never tell the buyer that. It’s what they are thinking or discuss amongst themselves. You can see that in the e-mails in evidence in US DOJ v M$:
    Exhibit 540

    “From: Jim Allchin
     
    To: Bob Muglia; Chris Jones; James ‘J’ Allard; Dan Rosen
    Cc: Paul Maritz; Nathan Myhrvold
     
    Subject: RE: Netscape
     
    Date: Thursday, July 13, 1995 7:39AM
     
    I have a different perspective.
     
    I think we must sell a packaged product “commerce server” which is a new edition of the Internet Server. (Some of you may not be aware of our ideas on packaging the Internet Server into two pieces:
    Internet Server: Publishing Edition and Internet Server: Internet Access Edition. What I would like to see is an Internet Server: Commerce Edition.)
     
    We should NOT turn this basic package over to Netscape. That doesn’t make any sense to me. There will be significant money in this area. However, after we have this horizontal platform, then I hope we will get tons of ISVs tailoring it for flowershops, drug stores, etc. This is the SP opportunity assuming customization is easy using Office, VBA, etc.
     
    jim”

    That’s Jim Allchin, “He assisted Microsoft in creating many of the system platform components including Microsoft Windows, Windows Server, server products such as SQL Server, and developer technologies. He is best known for building Microsoft’s server business.”, talking with Dan Rosen, general manager of M$, who was contributing ideas how the OS should be designed to mess with Netscape. Does anyone have any reason to be confident of a product designed that way? I’ve designed a lot of software. Number one issues were correctly and efficiently accomplishing some task on the computer. Should I have written any code to make someone’s life difficult? No. I never did. M$ should not have done that. By locking in the world to that crapware, they locked themselves into producing an inferior product for a generation. What a sad waste. What a burden on humanity.

  14. Dr Loser says:

    I’ve used 2000 and 2003 and WSUS.

    For some definition of “used.” And a long time ago. Your experience is no longer relevant, Robert.

    I’ve no idea what experience Dr Loser has if he doesn’t know M$ built in a GUI.

    I’ve no idea what you are smoking, if you think that’s what I said.

    It wasn’t optional until recently, 2012 or so.

    Diversionary, and not to the point. As I say, I wasn’t talking about the presence of a GUI. I was talking about headless servers.

    Still, since you ask: Windows Server 2008.

    M$ wanted their servers to fail so they could sell more software.

    Fatuous. I presume you are thinking of your experience with Cadillacs. Obviously GM wanted your Cadillac to fail so that they could sell you more Cadillacs.

    (Not a conspicuously successful strategy, if that was indeed their intent.)

    That never made any sense to me but M$’s salesmen fooled many with that line.

    A line which no Microsoft salesman in history has ever uttered, a line which you personally have never heard, and a line for which you have precisely no evidence whatsoever.

    None of this has anything to do with headless servers, but it’s interesting to see you working yourself up into a synthetic rage over something you have no recent knowledge of, and could barely comprehend ten years ago, even on the limited personal experience you gained back then.

    By the way, are you really claiming that the Beast doesn’t run X? Because if it doesn’t, that’s surely going to make your dream of Thin Clients Everywhere a little difficult to achieve.

  15. Wizard Emeritus wrote, ““The assertion was that TOOS was wonderful and always has been.”
     
    No it was not. Deaf Spy’s assertion was in the present tense. You on the other hand continue to ride the hobby horse of your personal experiences with versions of windows desktop and server that are at least a decade gone.”

    Uh, Dr Loser wrote, “Do you have an M$ equivalent failure to that? No you do not.”

    So, the conversation is about more than what Deaf Spy wrote and the Wiz knows it. Remote code execution by a remote fiend not logged in to TOOS has happened and I would bet will happen again despite M$’s best efforts to patch its shipwreck of an OS.

    I wrote this in a comment long ago here:
    “It all stems from M$’s number one priority being to make outrageous profits. To do that they have to screw all competitors and lock in users. That’s a heavy burden to put on every programmer in the place. Every extraneous API, restriction in EULA, obfuscation of code, restriction in performance etc. are designed by salesmen to lock in the whole world of IT, not to get the job of computing done by the most effective means. Fortunately for us, that complexity prevents M$ from releasing two reasonable releases in a row or having a reasonable upgrading/updating process and giving us half a decade between reasonable releases. So, the world has innovated and worked around the problems M$ created by using FLOSS on ARM or Intel/AMD. For me, even trying to understand the EULA and to comply with it within a budget was impossible whereas I could bring world-class IT to the whole LAN for $0 on the budget. For that low price I got wonderful software that actually did what it was supposed to do: create, find, modify and distribute information. The world doesn’t need to slave for M$ for free when the world can have software like Debian GNU/Linux and all the data of the web for (nearly) free instead.”

    That’s still relevant today. TOOS was not designed to be a secure OS from the beginning whereas *NIX OS had a long head start on concepts that are fundamental to security. M$ shipped nothing to do with security until NT. Certainly Lose ‘9x had zero security. Every user could crash it by opening enough windows or starting enough applications. In one of my experiments, 4 windows was enough combined with the office suite. Anyone who thinks someone who designed a client system like that could make a good server OS based on the same code and vulnerabilities is nuts.

  16. Dr Loser wrote, “tell me what happens when you deploy a Linux application with a statically linked glibc that just happens to have a security vulnerability?”

    Well, you have a vulnerability until you replace that application with the patched version. This is actually a huge plus for the way most FLOSS applications ship, as source code or a dynamically linked binary. Patching one library fixes them all. Thank you, Debian, for taking care of that for me. I think the only static binaries I have come in Chrome browser and that damned flash plugin. vrms says I have 0.1% non-Free packages. I’m not worried about this issue.

  17. Wizard Emeritus says:

    “Wizard Emeritus, exhibiting the ugly “American” tendency to tell others what to think, wrote, ”

    An accusation I find particularly funny coming from someone who presumes to tell the entire IT world what he believes is the “right” thing to do with IT and then dismisses them as slaves when they don’t follow his dictates.

    Pot, meet Kettle…

    “I bet he’s a crashing bore at a party… 😉”

    I’m not the one continually lecturing the world on evils of microsoft. You must be fun in gatherings where you get on your FOSS hobby horse.

  18. Wizard Emeritus, exhibiting the ugly “American” tendency to tell others what to think, wrote, “What you personally think about windows in particular is quite simply irrelevant to the discussion.”

    I bet he’s a crashing bore at a party… 😉

    I’m in a good mood. I’m grooving to an oldies radio station at the moment. Life, and IT, were simpler in those days. One used what worked and discarded the rest. Now we have to worry what strangers on the web think… I can’t be bothered. My corn is about to emerge followed by beans shortly after. I still haven’t fired up the Chinese rototiller and planted my sunflowers and pumpkins. Been hurting dandelions and keeping things watered in hot weather. TOOS didn’t work for me and others. I’m glad I found GNU/Linux and spread the word.

  19. Wizard Emeritus says:

    “The assertion was that TOOS was wonderful and always has been.”

    No it was not. Deaf Spy’s assertion was in the present tense. You on the other hand continue to ride the hobby horse of your personal experiences with versions of windows desktop and server that are at least a decade gone.

    ” I really don’t care if it’s absolutely perfect today. It’s the wrong way to do IT, paying ransom to M$ for permission to run your hardware when GNU/Linux is available with a FREE licence that costs $0 and it works for people and was not designed by salesmen.”

    What you personally think about Windows in particular is quite simply irrelevant to the discussion. In fact when you bring in what amounts to nothing more than so much verbal pissing into the wind, you do more to undercut any authority that you might be able to claim.

  20. Wizard Emeritus wrote, “that has been in place since windows vista”.

    The assertion was that TOOS was wonderful and always has been. It was crapware for ages. I really don’t care if it’s absolutely perfect today. It’s the wrong way to do IT, paying ransom to M$ for permission to run your hardware when GNU/Linux is available with a FREE licence that costs $0 and it works for people and was not designed by salesmen.

  21. DrLoser wrote, “which one of us has experience of Windows Servers?”

    I’ve used 2000 and 2003 and WSUS. I’ve no idea what experience Dr Loser has if he doesn’t know M$ built in a GUI. It wasn’t optional until recently, 2012 or so. M$ wanted their servers to fail so they could sell more software. That never made any sense to me but M$’s salesmen fooled many with that line.

  22. Dr Loser says:

    Yep. [Pog claims to recognize the difference between static and dynamic linking.]

    Excellent. Now tell me what happens when you deploy a Linux application with a statically linked glibc that just happens to have a security vulnerability?

  23. Dr Loser says:

    Uh, it’s a recent development in M$’s thinking.

    No it isn’t.

    Tell me, Robert, which one of us has experience of Windows Servers? You, or me?

  24. Wizard Emeritus says:

    “Both completely wrong, Deaf Spy. Services under Windows have what is called session 0. Yes, this is GUI-mode software only for services. Session 0 is a single graphical session shared between all services; say hello to cross-isolation breach. So only security faults that depend on GPU drivers are disabled on Windows services. Yes, using gdi32.dll to draw stuff in a service has been possible. ImageMagick on Windows running in PHP as part of the IIS web server on Windows can be using gdi32.dll functions.”

    Of course you conveniently forget about session 0 isolation, a major change to windows that has been in place since windows vista

    https://www.2brightsparks.com/resources/articles/understanding-windows-sessions.pdf

    Loser

  25. oiaohm says:

    http://stackoverflow.com/questions/2464182/windows-2008-renderfarm-service-createprocessasuser-session-0-isolation-and-o

    “Incorrect. GUI session doesn’t even exist for services. A GUI session on a Windows server is started if and only if a user logs on interactively to the server.”
    and
    “In Windows, you can’t use GDI from a web service, or any service. It is officially not supported.”

    Both completely wrong, Deaf Spy. Services under Windows have what is called session 0. Yes, this is GUI-mode software only for services. Session 0 is a single graphical session shared between all services; say hello to cross-isolation breach. So only security faults that depend on GPU drivers are disabled on Windows services. Yes, using gdi32.dll to draw stuff in a service has been possible. ImageMagick on Windows running in PHP as part of the IIS web server on Windows can be using gdi32.dll functions.

    In Linux, you can ImageMagick from a web service.
    Yes you can do the same from windows as well.

    This difference is a major pain when you want to have GPU-accelerated services under Windows.
    https://devblogs.nvidia.com/parallelforall/egl-eye-opengl-visualization-without-x-server/
    The difference: the Linux version of ImageMagick being run from a web service can be using GPU acceleration, where the Windows one is stuck with software rendering. Worse, ImageMagick is rendering by using GDI sections of session 0 under Windows, and if it breaks that, the system reboots. Services under Windows are isolated from user actions but not from each other properly.

    Dr Loser, Windows Server can be headless, but it’s a rare Windows server that does not have some GDI and other graphical bits being used in session 0. Even Windows Server Core still has a software GDI supporting session 0.

    Dr Loser, also on the years-old flaw claims: we know how old Linux flaws are because they are in fact back-traced and released with information on the exact date they were added to the code base. Microsoft on the other hand does not do this; instead it just says apply patch to fix X issue. Some of the recent faults Windows has patched in core parts trace back to 1998. Being traced back to when it was included in the code base does not say it was known for all that time.

    However, it was not made public by researchers until July of 2015.
    Basically most of the lines like this come out of bad research. Most groups around Linux doing security research have a 90-day non-release limit, meaning 90 days after discovery the fault will be released. The group that found that fault and released it, DrLoser, has a 90-day non-release limit. So a fault added in 2008 took until 2015 to find. Still bad, but in a different way. A different issue is that faults remaining hidden for years says the QA process and possibly the security frameworks still need improvement, which even Linux lead maintainers admit is true. Basically when you find those security faults it pays to check out who found it and their optional limits. Media is getting this wrong over and over again.

    Windows SysAdmins have no need of a GUI on their servers.
    Dr Loser, define GUI. If GUI is the means to draw a window, all editions of Windows Server released have it in session 0. Linux on the other hand, when they say GUI-less, applications can only draw text, end of story. OK, some editions of Windows don’t have the means to display a drawn window on session 0 to the end user directly. Basically, to claim no GUI on Windows servers requires hair-splitting the term a particular way. GUI = Graphical User Interface. To claim a Windows service does not have a GUI is saying that since all the code is there and Windows services can draw windows, it does not count because it is never displayed to the user unless the user goes into session 0. Yes, making the User part of the term critical. If you just look at Graphical Interface, services under Windows always have that without question. Services under Linux may not have a Graphical Interface at all.

    ImageMagick is used by different PHP web applications under Windows, Linux…. Yes, ImageMagick also uses GDI32 and other graphical Windows parts when on Windows and running as a service. So that open source program disproves the idea that Windows services don’t have GUI access, because if GUI access was not there, particular sections of ImageMagick would have to be written differently for service mode vs desktop mode under Windows.

    When Linux servers say GUI-less, there is nothing left to draw a graphical window; in fact there can be nothing to access the GPU either.

    This graphical issue of Windows is why the Wine project under Linux without an X11 server fails to run particular Windows services, yet those services run perfectly when Wine is running with X11. If Windows servers were 100 percent not graphical, more of them would be able to run under Wine.

  26. DrLoser wrote, “Do you know the difference between a statically linked library and a dynamically linked library?”

    Yep.

  27. DrLoser wrote, “What, precisely, do you fail to understand about this ridiculously simple correlation?”

    Uh, it’s a recent development in M$’s thinking.

  28. Dr Loser says:

    That “delegate” thing, Robert.

    You don’t actually have a clue what it implies, do you?

  29. Dr Loser says:

    In Linux, you can ImageMagick from a web service.

    When dealing with people whose basic IT comprehension is roughly around, or slightly below, the level of a Kindergartner, I think this obvious point needs reiterating.

  30. Dr Loser says:

    Certainly I have. There’s no need for X on a GNU/Linux terminal server unless you want to use it as an extra client. Also, I’ve set up servers that were just databases or storage, no need for a GUI either. The server that runs this site has no GUI. So, what is DrLoser nattering away about?

    Precisely the same thing that you were wittering on about, Robert. You have no need of a GUI on the Beast. (I’ll bet you run X-Windows on it anyway.) Windows SysAdmins have no need of a GUI on their servers.

    What, precisely, do you fail to understand about this ridiculously simple correlation?

  31. Dr Loser says:

    Now, obviously, you know more than I do about the insecurities of glibc, Robert.

    No, wait, did I claim “know more about?” I meant the other thing. Here’s an example, plucked more or less at random.

    The flaw affects all versions of glibc 2.9, meaning that the vulnerability has been around since at least 2008. However, it was not made public by researchers until July of 2015.

    Now, I am being as fair as I can possibly be when I describe this vulnerability as “picked out at random,” Robert.

    You are, of course, widely known in your local community — let us say, your own household — as a Linux Security expert.

    As such, Robert, I am going to ask you a direct question that as a Security Expert you can answer almost immediately.

    Do you know the difference between a statically linked library and a dynamically linked library?

  32. DeafSpy says:

    • Running a GUI browser directly on the server, or
    • Running GUI browsers directly on the server through Terminal Services, or
    • just opening/displaying the file on the server.

    You have no idea about session isolation in Windows, esp. starting with Vista, don’t you?

  33. DeafSpy says:

    Robert, it is charming how you pretend not to understand.

    In Windows, you can’t use GDI from a web service, or any service. It is officially not supported.

    In Linux, you can ImageMagick from a web service.

    Is it so hard to grasp the difference?

  34. Dr Loser, wrote, of headless servers, “You’ve never dealt with one of these, have you, Robert?”

    Certainly I have. There’s no need for X on a GNU/Linux terminal server unless you want to use it as an extra client. Also, I’ve set up servers that were just databases or storage, no need for a GUI either. The server that runs this site has no GUI. So, what is DrLoser nattering away about?

  35. Dr Loser says:

    Have you any training in IT security at all, Robert?

    Because, if you have, I’d ask for your money back.

  36. Dr Loser says:

    Running a GUI browser directly on the server, or
    Running GUI browsers directly on the server through Terminal Services, or
    just opening/displaying the file on the server.

    Thrilling, Robert. All the more thrilling for the obvious fact that you have no evidence that this ever happened.

    And also thrilling because you are still blissfully ignorant of the point.

    The point being, this is (potentially) an exploit that will even work on a headless Linux server.

    Just in case you have missed this crucial difference, and without reference to Websters, let me define “headless servers” to you.

    Headless Server: A server computer on which all GUI functions have been disabled. (On some headless servers there will be a special account that re-enables GUI functions. Generally this special account is only available via direct cabling to a dumb terminal, or else controlled via a heavily locked-down VPN.)

    You’ve never dealt with one of these, have you, Robert?

    Guess what.

    I have.

  37. Dr Loser says:

    I beg some sort of leeway for repeating the following quote from Red Hat and Google. I beg leeway because (a) I am not in any way making a point about M$ security or otherwise and (b) this is actually a serious matter going forward with Da Cloudz.

    But these vendors aren’t actually in control of the containers that their users are deploying, let alone the underlying operating system powering these container deployments.

    Shades of chroot here. chroot was never the “silver security bullet” that its proponents insisted it was. (This is a common failure across all IT. I’m not being particular, here.)

    As deployments get more complex, the attack vector gets broader.

    1) Each individual container has to verify its own security
    2) … which is done via whichever version of whichever OS runs in that container
    3) … which is “verified” by the container host, via a scan
    4) … which can’t do much more than alert Dev-Ops to the fact that there is a problem.

    I’d like to see you get around that one with a simple apt-get, Robert.

  38. DrLoser wrote, “is equivalent to an ImageMagick vulnerability delivered to the server and deployed on the server via an update from a Web client exactly how, Robert?”

    • Running a GUI browser directly on the server, or
    • Running GUI browsers directly on the server through Terminal Services, or
    • just opening/displaying the file on the server.
  39. Dr Loser says:

    (“Upload” not “update.” Just to be clear.)

  40. Dr Loser says:

    ISTR that file was prevalent in M$’s server OS for ages.

    And is equivalent to an ImageMagick vulnerability delivered to the server and deployed on the server via an update from a Web client exactly how, Robert?

    You’ve got nothing. Nothing at all. You haven’t even taken the time to understand the problem.

  41. Dr Loser says:

    Easy. Don’t use SMB. It’s way too complex to be a secure networking protocol.

    And differs from OpenSSL (beloved progenitor of Heartbleed and Shellshock), how, Robert?

    Your snivelling explanation of the differences will no doubt be fascinating. Not least because SMB — oiaohm can correct me on this one — doesn’t actually feature the command-line exploits that caused Heartbleed or Shellshock.

  42. DrLoser wrote, “Do you have an M$ equivalent failure to that? No you do not.”

    “The Windows Metafile vulnerability—also called the Metafile Image Code Execution and abbreviated MICE—is a security vulnerability in the way some versions of the Microsoft Windows operating system handled images in the Windows Metafile format. It permits arbitrary code to be executed on affected computers without the permission of their users. It was discovered on December 27, 2005, and the first reports of affected computers were announced within 24 hours. Microsoft released a high-priority update to eliminate this vulnerability via Windows Update on January 5, 2006.[1] Attacks using this vulnerability are known as WMF exploits.

    The vulnerability was located in gdi32.dll and existed in all versions of Microsoft Windows from Windows 3.0 to Windows Server 2003 R2. However, attack vectors only exist in NT-based versions of Windows (Windows NT, Windows 2000, Windows XP and Windows Server 2003). Exploits taking advantage of the vulnerability on Windows NT-based systems facilitated the propagation of various types of malware, typically through drive-by downloads.”

    See Windows Metafile vulnerability

    The file containing the vulnerability, “The gdi32.dll file is a valid dynamic link library file registered to Microsoft. The file gdi32.dll or Windows GDI Client DLL contains functions for the Windows GDI (Graphics Device Interface). This module of the Windows GDI assists windows in creating simple 2–dimensional objects.”, according to Google.

    ISTR that file was prevalent in M$’s server OS for ages. Arbitrary code execution just by uploading a file to the server. That’s shooting one’s own foot. Basically, M$ imported a vulnerability created in the time of 3.1 for Server 2003… Smart, eh?

  43. Dr Loser says:

    And gnawing further, I found this on more generic flaws in the way that GNU/Linux addresses “security by bumptious and completely unearned self-belief.”

    Yes, it’s a boring old GLibC buffer overrun exploit. Nothing new about that. Happens every other month or so.

    However, the interesting part here is the reaction to it by Red Hat (and Google) security mavens.

    To quote the first cite:

    “Who’s fixing containers?” Red Hat executives Josh Bressers and Gunnar Hellekson asked in their post. They noted that many Linux container vendors provide only security scanners to spot vulnerabilities like glibc. “But these vendors aren’t actually in control of the containers that their users are deploying, let alone the underlying operating system powering these container deployments.

    To quote the second cite,

    In short – in our view, container scanners are a paper tiger. Sure, they look fierce and they’ll roar to let you know that trouble’s on the way, but they fold like the paper that they’re made out of when you need them to do more than just…well…scan.

    Leave security to the (well remunerated and commercial) professionals, Robert. You’re all at sea on this one.

    Oh, and thanks for the suggestion of a brain-scan. Turns out I do indeed have one.

    Do you?

  44. Dr Loser says:

    It’s an issue that keeps gnawing away at me, though. After all, Robert, I have spent some Hard Yakka as a security professional — on a Solaris system, no less, none of your Redmond rubbish — and you have never done so, have no clue, and cannot even guess at the issues concerned.

    I’m sorry, Robert, but when it comes to security on a Linux server, your silly little mantra of “It’s all good! Chuckle” is basically a recipe for disaster.

    Anyway, it’s been gnawing away at me. So I thought I’d share one of the deeper links off your original cite.

    I won’t ask you if you understand what a “delegate” is, because I respect you too much to see you blather back with a definition from Websters in the 19th century. Suffice to say that this is an awesome list of self-crafted security vulnerabilities.

  45. Dr Loser says:

    You do remember that M$ supplied a GUI for its server OS and that it had the same core as the desktop OS with lots of hideous vulnerabilities including executable images, drive by infections, SMB vulns and the like?

    Not really the point at issue, Robert. This here (the vulnerability that your OP documents) is a current issue. The M$ issue has been fixed.

    And only a nincompoop (not all of them live in Manitoba) would run a server of any description with a GUI attached, unless the fire-wall was hugely locked down. Not even then, really.

    And the issue at hand, as I have pointed out, is that on all Linux server platforms, where ImageMagick is deployed, there is a potential threat to the server by a simple file uploaded from a random client over the Web.

    Do you have an M$ equivalent failure to that? No you do not.

  46. Deaf Spy wrote, “Explain how this Secure System, By Design, can mitigate or even avoid this particular attack vector.”

    Easy. Don’t use SMB. It’s way too complex to be a secure networking protocol. Use NFS and if that’s not secure enough, SSHFS. If you want to share files, share files. If you want to print, print. Don’t use a single protocol for both. While printing can be considered a file-transfer there’s way more hand-shaking and parameters involved so don’t use SMB for critical infrastructure.

  47. Deaf Spy says:

    Good. Accuse Windows, because there is nothing you can say to defend your precious pet OS. 🙂

    You do remember SMB, eh? Used by servers and clients.

    Within a local network. Are you sure you don’t confuse SMB with Small Business Server? 🙂

    Robert, please focus on the problem at hand. Linux is, famously, a Secure System, By Design. Explain how this Secure System, By Design, can mitigate or even avoid this particular attack vector.

  48. Deaf Spy wrote, “all the vulnerabilities you have in mind here are not applicable for server apps”.

    CVE-2006-0988
    “The default configuration of the DNS Server service on Windows Server 2003 and Windows 2000, and the Microsoft DNS Server service on Windows NT 4.0, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses.”
    CVE-2016-0128
    “The SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka “Windows SAM and LSAD Downgrade Vulnerability” or “BADLOCK.””

    and many others

    My favourite? CVE-2011-0661:
    “The SMB Server service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate fields in SMB requests, which allows remote attackers to execute arbitrary code via a malformed request in a (1) SMBv1 or (2) SMBv2 packet, aka “SMB Transaction Parsing Vulnerability.””

    You do remember SMB, eh? Used by servers and clients. Vulnerabilities coming out the wazoo…

  49. Deaf Spy says:

    You do remember that M$ supplied a GUI for its server OS and that it had the same core as the desktop OS…

    Correct, it still does.

    …with lots of hideous vulnerabilities including executable images, drive by infections, SMB vulns and the like?

    Incorrect. GUI session doesn’t even exist for services. A GUI session on a Windows server is started if and only if a user logs on interactively to the server. But, in Windows, sessions are isolated from one another and a service app cannot access a GUI session, even if the two run under the same user impersonation, which, btw, never happens, unless the system administrator is a total moron.

    You see, Robert, all the vulnerabilities you have in mind here are not applicable for server apps (windows services), because the GUI (GDI, DesktopManagement, DirectWrite, and DirectX) are not available and officially not supported for use under services.

    What a Windows service should use is WIC, or some other third-party framework.

  50. Sigh. Dr Loser wrote, “I, Dr Loser, cannot think of a single M$ exploit that allows the user to remotely attack a M$ server.”

    You do remember that M$ supplied a GUI for its server OS and that it had the same core as the desktop OS with lots of hideous vulnerabilities including executable images, drive by infections, SMB vulns and the like? Perhaps you should get a brain scan. This could be an early indication of Alzheimer’s.

  51. Dr Loser says:

    According to Slack security engineer Ryan Huber, “the exploit for this vulnerability is being used in the wild … The exploit is trivial, so we expect it to be available within hours,” and that the patches available right now are “incomplete.”

    Don’t even bother quoting your 1830s copy of Webster at me, Robert. We all know what “trivial” means, don’t we? It means “unimportant, uninteresting, not worthy of attention.”

    Except in this instance. In this instance, “trivial” is a place-holder for “ridiculously easy to exploit.”

  52. Dr Loser says:

    I’m not deeply into this particular attack vector right now, Robert — and I assume that you, as the future possessor of a World-Beating ARM Server, have done more due diligence than I — but let’s just start with baby steps, shall we?

    And yes, ImageMagick will execute the ls -l command embedded in the file. Replace that command with something more malicious, throw it at a vulnerable web app, and, well, you’ve probably broken a few laws.

    Now, The Register may have confused me. Perhaps this command executes on the client. (Rather unlikely unless the client is Posix-compatible.)

    But I’m guessing that this command executes on the server.

    1. Do you have a better guess?
    2. Why would anybody deploy such a broken tool? (Oh, I know, apt-get. Works like a dream. Or in this case a nightmare.)
    3. How long do you think it would take somebody, armed with the Four Freedoms, to find a dangerous way of using this security hole on a FLOSS system?
    4. Linux is, famously, a Secure System, By Design. Explain how this Secure System, By Design, can mitigate or even avoid this particular attack vector.
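    The input-validation mitigation named in the article’s opening quote (accept only genuine image files, and tell ImageMagick which coder to use rather than letting it sniff the content), as an added Python example that is not part of this thread or of ImageMagick itself; the signature table, the sample files and the function names are assumptions constructed for the example:

```python
import os
import tempfile

# Standard leading magic bytes of the raster formats an upload form usually
# wants. The table is constructed for this example; the signatures are the
# documented ones for each format.
MAGIC_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

ALLOWED_TYPES = ("png", "jpeg", "gif")


def detect_image_type(data: bytes):
    """Return the format whose magic bytes open `data`, or None.

    Only the bytes are consulted. The file extension and the client-supplied
    Content-Type are never trusted: ImageMagick selects its coder from the
    content, so a text-based vector file renamed to .png is still parsed as
    that vector format (delegates included) unless it is stopped here.
    """
    for kind, signatures in MAGIC_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def classify_upload(data: bytes, allowed=ALLOWED_TYPES):
    """Return (detected_type, accepted) for an uploaded file's bytes."""
    kind = detect_image_type(data[:16])
    return kind, kind is not None and kind in allowed


def imagemagick_input_spec(path: str, allowed=ALLOWED_TYPES):
    """Validate the file on disk and return the argument to hand to
    `convert`/`identify`, with the coder pinned by an explicit prefix
    (e.g. "png:/tmp/upload") so ImageMagick does not sniff it itself.
    Raises ValueError for anything that is not an allowed raster image."""
    with open(path, "rb") as fh:
        kind, ok = classify_upload(fh.read(16), allowed)
    if not ok:
        raise ValueError(f"rejected upload {path!r}: detected type {kind}")
    return f"{kind}:{path}"


# Constructed samples: a file that really is a PNG (header only) and a
# text-based vector (MVG) file that merely carries a .png name.
CONSTRUCTED_SAMPLES = {
    "real.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "fake.png": b"push graphic-context\nviewbox 0 0 1 1\n",
}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in CONSTRUCTED_SAMPLES.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            try:
                print(name, "->", imagemagick_input_spec(path))
            except ValueError as err:
                print(name, "->", err)
```

The prefix returned by `imagemagick_input_spec` complements, rather than replaces, a restrictive policy.xml: the check keeps non-images out of ImageMagick, and the policy limits what the coders may do if something slips through.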

  53. Dr Loser says:

    Yes, well, this is all very interesting, Robert.

    Now, it doesn’t really matter what the procedure is to mitigate these problems right now. I’m sure it’s rock solid. (Well, something to do with rocks and brains, anyhow.)

    Any ideas on how to prevent this sort of thing being a nightmarish recurring issue for FLOSS in the future?

    Please share those ideas. You haven’t shared anything else under the Four Freedoms that is worthy of the price of admission. Now is your chance.

    I do find it interesting that according to The Register, it “may be possible…”

    … by feeding booby-trapped data – such as a poisoned selfie – to web services using ImageMagick … to execute malicious code on the website’s server.

    Now then.

    a) I don’t believe this for a minute.
    b) But if it were indeed possible, the “open” bit of FLOSS would make it much easier to do that.
    c) You, Robert Pogson, appear not to be remotely interested in this rather alarming prospect.
    d) I, Dr Loser, cannot think of a single M$ exploit that allows the user to remotely attack a M$ server.

    Again, Robert. Over to you for your sage and knowledgeable comments, what with you having run a massive server farm and all.

  54. oiaohm says:

    kurkosdr
    FYI, the Broadcom driver ships in the install ISO and is loaded automatically in Live mode, but not after you install the OS.
    Welcome to Broadcom license stupidity. Depends on your Broadcom part how stupid.

    https://android.googlesource.com/platform/hardware/broadcom/wlan/+/gingerbread-mr4-release/bcm4329/firmware/LICENSE.TX
    This is one of the best examples of it being a pure pain.

    2.1. License Grants. Subject to the terms and conditions of this Agreement,
    Broadcom hereby grants to Licensee a non-exclusive, non-transferable,
    royalty-free license (i) to use and integrate the Software in conjunction
    with any other software; and (ii) to reproduce and distribute the Software
    complete, unmodified and only for use with a Broadcom Product.

    The LiveCD having it is because it is designed to work with Broadcom Products. Installing the OS is not only for use with Broadcom products so it cannot be installed at that time. So if the user is not going to use the Broadcom product, installing the firmware is also a breach of the license.

    The same clause prevents legally embedding Broadcom drivers into your own install images of Windows with a stack of other drivers to have a generic install disc, because Windows copies all embedded drivers on to machines that don’t have Broadcom hardware, so breaking the Broadcom license.

    kurkosdr, basically the Broadcom problem is not a FOSS problem. It’s a “Broadcom licensing sucks at times” problem; it affects Windows and Linux deployments. Let’s not blame FOSS for something that is in fact universally not caused by FOSS but by a closed source licensing issue by some hardware vendors limiting install options for everyone. Other than the firmware part, all the other bits of the Broadcom driver are under GPLv2 and in the Linux kernel these days. The bad bit is the hardware cannot fire up until the user approves and installs the firmware.

    Now if Broadcom would relicense some of these firmwares things would be better.

    kurkosdr, with DOSBox, if they made it too simple to use, places like GOG would not be able to keep on reselling DOS games and the like using it. Please note places like GOG pay for DOSBox development. If you are not paying for a FOSS project’s development you have no right really to expect it to suit your needs perfectly.

  55. kurkosdr says:

    You don’t believe that Broadcom owns the copyright then, eh? There are laws against copying certain stuff without permission. Let Broadcom give them permission and it will happen.

    This is the second thing in the FOSS world that always baffles me: The compulsive need to explain everything away, instead of admitting, “yes that sucks”.

    FYI, the Broadcom driver ships in the install ISO and is loaded automatically in Live mode, but not after you install the OS.

    That, however, is for a reason. Long file names and deep paths (unsupported by most DOS apps) of today, where people don’t save all stuff on their root folders, such action will be actually useless.
    Then ask the user if he wants to create a folder called “DOSstuff” inside Documents or whatever and offer to mount that as a C: drive. That’s what everybody does anyway, that’s what the wiki says, and what could be trivially done with some lines of code in DOSBox’s own autoexec.bat. Or even better with a first-run wizard (which of course some FOSSies despise because it makes their electronic toy less l33t)

  56. kurkosdr wrote, “there is no reason why Ubuntu shouldn’t load the proprietary Broadcom driver that drives the WiFi of my netbook automatically.”

    You don’t believe that Broadcom owns the copyright then, eh? There are laws against copying certain stuff without permission. Let Broadcom give them permission and it will happen.

  57. DeafSpy says:

    Generally, you have a valid point, Kurks.

    DOSBox doesn’t automatically map your drives into drive letters, even in the Windows version where the drives have already been mapped into letters by the OS and there would be no confusion.

    That, however, is for a reason. Long file names and deep paths (unsupported by most DOS apps) of today, where people don’t save all stuff on their root folders, such action will be actually useless. Consider that for other OSes you don’t even have drives in the same notion that mounting can be properly automated.

  58. kurkosdr says:

    Why aren’t those mitigations 1) already applied by the product when it’s installed and 2) distributed as part of an update for existing users?

    This is something in the FOSS world that always baffled me: Things that are trivial to automate are not automated, instead FOSSies think it’s a good idea to write “guides” and “tutorials” so users can do them manually.

    For example, there is no reason why Ubuntu shouldn’t load the proprietary Broadcom driver that drives the WiFi of my netbook automatically. But wait, there is a “tutorial” for it. Even the driver manager utility didn’t work, you have to do Terminal-Fu.

    Kodi (XBMC) for Android doesn’t automatically mount Internal Storage as a source, you have to manually guide the app there. Again, lack of a trivial automation makes the app confusing for users.

    DOSBox doesn’t automatically map your drives into drive letters, even in the Windows version where the drives have already been mapped into letters by the OS and there would be no confusion. Instead, you get dropped into a confusing Z: drive, no guidance whatsoever. You have to read a “tutorial” on the website, full of minutia details.

    And then of course there is the king of stupidity, avidemux, which defaults to the AVI container (remember that?) and “copy mode” for audio and video streams, even if the file you opened is an mp4. You have to manually switch the container to MP4, every single time. Why? How many lines of code would checking for that simple thing cost?

    FOSSies like to make fun of freeware software or Chinese software, but there is ONE thing I admire about the guys behind such software. They have the “it should Just Work” mentality. The software doesn’t require you to know esoteric stuff about it or point you to tutorials on wikis.
