The goal of this workshop is to illustrate how sandboxing can mitigate vulnerabilities. To showcase usefulness of sandboxing, we'll use an old and vulnerable version of ImageMagick which has long been fixed, but all kind of applications could still be impacted by similar vulnerabilities.
The CVE-2016-3714 vulnerability,
aka ImageTragick,
is caused by an insufficient shell characters filtering that can lead to (potentially remote) code execution.
Thanks to Landlock,
we'll restrict the convert tool's access rights before it can get exploited by opening a malicious file,
and then mitigate the impact of such vulnerability.
See the slides dedicated to this Landlock workshop.
For this workshop, we will use Vagrant to set up a dedicated virtual machine (VM). Run the following commands as root according to your Linux distribution.
pacman -S vagrant libvirt base-devel dnsmasq
systemctl enable --now libvirtd.serviceSee the Arch Linux libvirt tutorial for more details.
apt install --no-install-recommends vagrant qemu-utils ruby-libvirt ruby-dev libvirt-daemon-system qemu-systemSee the Debian KVM tutorial for more details.
dnf install vagrant qemu libvirt
systemctl enable --now virtnetworkdStart libvirtd if needed:
systemctl start libvirtd.serviceWe then need to allow the developer (an unprivileged user) to use libvirt thanks to a dedicated group:
usermod -a -G libvirt <user>This group update will take effect the next time the user logs in. Alternatively, the user can update a shell session with:
su $USERAs an unprivileged user, clone this repository:
git clone https://github.com/landlock-lsm/workshop-imagemagick
cd workshop-imagemagickThe Vagrant VM provisioning may install 2 vagrant plugins on the host system, other commands are executed in the VM. After plugins installation (if any) Vagrant may ask to execute the same command again to proceed the VM configuration:
vagrant upIf the Vagrant plugin installation failed because of a dependency issue, you might want to run this:
VAGRANT_DISABLE_STRICT_DEPENDENCY_ENFORCEMENT=1 vagrant plugin install --localThis may download a VM image (~330 MB) and packages (~230 MB). After the download is complete, it should take less than 4 minutes to install and build the requirements. It is OK to see a lot of build warnings because the ImageMagick source code is old compared to the build tools.
A virbr network interface will be created. On most systems this should work as is, but otherwise we may need to allow inbound connections (and routing) from the loopback interface according to host's firewall rules.
Just in case...
vagrant snapshot pushvagrant sshOn the VM, run an ImageMagick command to test the attack:
convert /vagrant/exploit/malicious.mvg out.pngYou should see the VM's SSH private key.
On the host system, check if you can copy files from the VM:
vagrant scp :out.png .
xdg-open out.pngYou should see a white square.