What if I told you that building on a vulnerable Docker image can put every container that uses it at significant and imminent risk of a command injection vulnerability?
In this article, I’ll take you through a step-by-step process of container hacking, in which we will exploit a Node.js-based web application that uses a vulnerable, yet official, Docker base image for Node.js.
To demonstrate this vulnerability, I’m going to use an old Node.js runtime version with a Fastify application that resizes images to a specific size. The image resizing action works by offloading the work to the ImageMagick library, which provides a handy convert command-line tool.
ImageMagick is a set of programming language bindings and command line tools that are commonly used in web applications to process images, such as converting them from one image format to another, resizing, cropping, and more.
The unfortunate reality, however, is that ImageMagick has demonstrated many security vulnerabilities over the years, one of which is the famous ImageTragick vulnerability (CVE-2016-3714). It is classified as Improper Input Validation, but proof-of-concept exploits have been available in the wild since 2016, and they may lead to remote command injection.
This is a story of hacking containers not due to the lack of security best practices, or vulnerable dependencies of Node.js applications, but that of third-party open-source components which may exist in a Docker-based Node.js application.
Let’s start with the Docker image that bundles the Node.js application. To keep things simple, I will use a very lightweight Dockerfile setup:
Note that this Dockerfile doesn’t follow secure guidelines for building Docker images and it is only used for brevity. Check out our cheatsheet on 10 best practices to containerize Node.js web applications with Docker for security best practices.
The Fastify web application provides an /upload route that accepts file uploads, executes the /usr/bin/convert process with the uploaded image in order to convert it to a given size, and then redirects the user to a success page.
The code actually uses a secure Node.js API for process execution, one that takes its arguments separately and does not allow the command to be built by string concatenation.
Is it a good practice to spawn system shells and execute processes? Not really—at least not with good justification. If this is a Node.js worker process consuming from a queue or being fed by a job scheduler then it probably fits this use case.
But who are we to judge if a similar use case was demoed live in Google I/O 2017 event?
I started with importing the project to Snyk, which automatically picks up the supported manifest files, in my case these are the application’s package.json and Dockerfile.
You can see that even with the latest version of the Node.js 6 image (node:6-stretch) there are 866 security vulnerabilities present by default in the container image. Luckily, we use Snyk, and it recommends several alternative base images that can improve the security of the application in at least two different ways:
Let’s turn that ImageTragick security vulnerability in the version of ImageMagick that exists in the container image, into a remote command injection attack.
The exploit makes use of specially crafted image files that bypass the parsing functionality of a delegates feature in the ImageMagick library. This capability of ImageMagick executes system commands that are associated with instructions inside the image file. Escaping from the expected input context allows an attacker to inject system commands.
This git repository includes a proof-of-concept exploit for remote command execution, with a netcat download to achieve a reverse shell on distributions that do not bundle netcat by default (such as Debian wheezy).
Here is what the proof-of-concept payload in the image file rce1.jpg looks like:
The image file here is in the user’s control, and as such, a malicious attacker could create that payload, which executes a command supported by UNIX-like operating systems to create an empty file—in this case,
Once the container image is built, we can run it:
Our plain and simple web application allows us to upload a file:
When we hit the Resize button to process the rce1.jpg file, it will trigger the command injection.
Let’s connect to the running Docker container application to validate this attack. As we can see, a new file named rce1.jpg was created in the root directory of the Node.js application:
I’m sure you aren’t overly surprised regarding the number of security vulnerabilities that are prominent across various Docker images. Neither are we, given the fact that we observed that the top 10 Docker images on Docker Hub contained security vulnerabilities, as presented in our State of Open Source Security report.
The attack we demonstrated here completely bypasses all secure coding conventions and goes beyond the security of the Node.js runtime or the open source node modules dependencies that the application bundles. This really emphasizes the need to secure your Docker images. Snyk was created to do just that!
By highlighting prioritized vulnerabilities, Snyk provides you with remediation advice in the form of other base images you can switch to:
If you’d like to re-create the attack step-by-step you are welcome to follow the README instructions in the open source repository which also details how to perform a remote reverse shell attack, based on this ImageTragick vulnerability.
Whether your Dockerized application project’s repositories are open source or private, you can use the Snyk free tier to test and fix known security vulnerabilities in your Docker images. Scan and fix your Node.js applications too while you’re at it!
Please note that the Dockerfile presented here, and in the accompanying open-source repository, is not recommended due to a lack of security practices. Instead, find some valuable Docker security practices to work with, in the following blog posts:
Using a Docker & ImageMagick bundle to replace Photoshop for resizing and optimizing a bunch of images is not totally irrelevant. Why? Besides the fact that it gives you the assurance of executing a repetitive task properly, it has several benefits that I list below. I am not talking about advanced usage, for instance by a web designer. The subject of this post is managing thousands of images, which is key in a digital workflow. This is one of the most time-consuming tasks in the content creation workload. On my own, I made a real Spike on that subject!
For those who do not know what a Spike in Scrum is, here is a quick definition:
“Spikes, an invention of Extreme Programming (XP), are a special type of user story that is used to gain the knowledge necessary to reduce the risk of a technical approach, better understand a requirement, or increase the reliability of a story estimate. A spike has a maximum time-box size equal to the sprint it is contained in. At the end of a sprint, the spike will be determined to be done or not-done just like any other ordinary user story. A Spike is a great way to mitigate risks early and allows the team to ascertain feedback and develop an understanding of an upcoming PBI’s complexity.”
Some benefits of moving from Photoshop to Docker/ImageMagick.
So, how can batch image processing reduce this creation process from hours to just a few simple clicks? For this tedious task, why don’t we try to replace Photoshop with a bundle of ImageMagick & Docker? This is the subject of this post.
The user story will be: As an editor, journalist or contributor, I focus only on the editorial choice of images and, with the help of bulk processing, a script runs to convert the images into the right format for publishing. I have always had this idea somewhere in my mind: to leverage ImageMagick and Docker to batch this image treatment and give a workable alternative to Photoshop.
In my GitHub you will find even more: a tiny manual written when I was in Zambia, 3 additional use cases and a bunch of YouTube videos. I am not cheating you!
Inevitably, other people more experienced in development than I am have thought about this topic. So my sole quest was to pull a Docker image that already exists and contains ImageMagick.
This Docker image will be the “base” for industrializing the resizing and optimization of images. This is also a “killing two birds with one stone” operation, as it will de facto standardize usage and practices for every member of the editorial team and ease the support pain.
There is a very simple decision criterion that argues for the choice of the Docker and ImageMagick tandem: imagine that you must equip each computer with a Photoshop license, or any software, and possibly provide training. In short, this is guaranteed inflation.
Another advantage: using the Docker and ImageMagick tandem will spare you from buying, installing, training and supporting each user with specific software like Photoshop or Gimp, even though Gimp is free. A true nightmare.
However, let’s go back to the original need: preparing images for web or mobile publication. It is mainly to select, and then resize, the images that match your content editorially and fit your applications (website, mobile application…).
In practice, working on images is essentially exporting them at the right settings (72 dpi, 16/9 or 4/3 format, correct filename…), and about the rest we do not give a f…
Implementing D&I (Docker & ImageMagick) will incidentally also cut down the whining refrains such as “My computer is too slow”, “I am not trained”, “I do not have the license”, “Selecting images is part of my job but not the resizing and the optimizing”… so many popular refrains whose intensity is multiplied by ten due to lockdown.
Listing the benefits can only motivate you to adopt this solution. By the way, you can pretend it is DevOps, but in the first place it is common sense.
Frankly, I do not understand why there is so much misunderstanding on both sides. I am about to believe that people become “stupid” when they reach their point of incompetence?
On one side, DevOps do not think about such an evolution, maybe because they know nothing about the content creation workflow. On the other side, the editorial team does not dare to ask for such a tool because they basically do not know that there is a possible alternative to Photoshop, for instance. Anyway: no collaboration, no smart evolution, just an incredible mess that generates endless errors and support tickets! What a waste of time!
Lockdown cruelly spotlights the lack of common understanding. You may find this conclusion bitter, but unfortunately it seems to be true.
I quote this post from my sister’s blog, which summarizes this impression during the lockdown.
“Another thing also jumps out at us: the amazing social uselessness of certain professions. Marketer, advisor, financier, manager, and so on. When I think that we have not even realized that these auxiliary services of our sophisticated economy were at a standstill. Neoliberalism will therefore have succeeded where communism had failed: employing lots of people to do unnecessary things!”
As Peter Drucker said: “There is surely nothing quite so useless as doing with great efficiency what should not be done at all.”
Time to think is over, no kidding!
These are the main commands for exploring ImageMagick and Docker. Don’t forget to start Docker first.
1. Install ImageMagick and Docker
2. Resize with -resize 100x100, which forces the size to 100x100
3. Resize with 400x: the width is set to 400 and the height is scaled proportionally
4. Resize with 600x: the width is set to 600 and the height is scaled proportionally
5. Resize to 50%
Conclusion: Indeed, it is a strong move and a bold decision to go for ImageMagick & Docker (I & D). First, it does NOT mean that you have to renounce Photoshop. Just focus on breaking your image conditioning workflow down into micro tasks, and offload the most boring, tedious and repetitive actions to this I & D environment, using programming to perform them.
Last but not least, it also supposes that the DevOps you are working with have understood your automation needs, which may be the most difficult part of the program!