• How do you guys handle PNG/JPG binary files with potential payloads for

    From Corey H@21:1/5 to All on Fri Jun 17 00:00:01 2022
    how do you guys test all of the potential PNG/JPG potential malware
    payloads for all of the image viewers (10+ at least in the repositories)?

    On #debian at Libera.chat IRC network they suggested it was up to the
    upstream software sources to I guess....somehow???...test the awful binary formats possible that are out there...? That's a 900% responsibility and 900% dangerous for them to do that. There has got to be something we can do.
    But who can risk it?


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Davide Prina@21:1/5 to Corey H on Sat Jun 18 11:10:01 2022
    Corey H wrote:

    > how do you guys test all of the potential PNG/JPG potential malware payloads

    to check any file for potential malware you can use:
    chkrootkit
    rkhunter

    but you can also try with:
    binwalk <- detect/extract binary data in files
    strings <- to detect strings in the image/audio file
    exiftool, exiv2 <- to detect metadata

    but in an image/audio file you can also hide information with steganography[¹]; you can try with:
    stegcracker
    stegosuite
    foremost

    I have read that you can determine if an image file has hidden content or not, but I don't know if there is software that does only this check. Probably with histogram analysis[²] you can find suspected altered files.
    You can start reading about steganalysis[³] and report the results here.

    Ciao
    Davide

    [¹] https://en.wikipedia.org/wiki/Steganography
    [²] https://en.wikipedia.org/wiki/Image_histogram
    [³] https://en.wikipedia.org/wiki/Steganalysis

    --
    My Privacy is None of Your Business
    https://noyb.eu/it

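    Davide's tool list above covers hidden content; the other thing a practitioner wants before feeding a pile of unknown PNG/JPG files to ten different viewers is a structural check that goes further than the magic-byte match `file` does. The following is an added example (my own code, not something posted in the thread and not part of any tool named in it): it walks the PNG chunk list and the JPEG marker segments by hand and reports what binwalk and friends are usually looking for: bytes appended after IEND/EOI, chunks whose CRC does not match, chunk types outside the specification, and declared dimensions large enough to exhaust memory on decode. MAX_PIXELS is an assumed local policy, not a rule of either format, and the sample files are constructed inside the block. A clean report only means the container is well-formed; a well-formed file can still trigger a bug in a decoder, which is what the sandboxing advice later in the thread is for.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types from the PNG specification plus the registered APNG and eXIf extensions.
KNOWN_PNG_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
    b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME",
    b"eXIf", b"acTL", b"fcTL", b"fdAT",
}
MAX_PIXELS = 50_000_000  # assumed local policy on width*height, not a rule of either format
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}  # JPEG start-of-frame markers


def check_png(data):
    """Walk the chunk list; return findings (an empty list means structurally unremarkable)."""
    findings, pos = [], len(PNG_SIG)
    if not data.startswith(PNG_SIG):
        return ["not a PNG: bad signature"]
    while True:
        if pos + 8 > len(data):
            return findings + ["truncated: no IEND chunk"]
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            return findings + [f"truncated {ctype!r} chunk at offset {pos} (declared {length} bytes)"]
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            findings.append(f"bad CRC on {ctype!r} chunk at offset {pos}")
        if ctype == b"IHDR" and length >= 13:
            width, height = struct.unpack(">II", body[:8])
            if width * height > MAX_PIXELS:
                findings.append(f"IHDR declares {width}x{height} pixels, above MAX_PIXELS")
        elif ctype not in KNOWN_PNG_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes) at offset {pos}")
        pos += 12 + length
        if ctype == b"IEND":
            break
    if len(data) > pos:
        findings.append(f"{len(data) - pos} bytes after IEND (appended payload?)")
    return findings


def check_jpeg(data):
    """Walk the marker segments; return findings (an empty list means structurally unremarkable)."""
    findings, pos = [], 2
    if data[:2] != b"\xFF\xD8":
        return ["not a JPEG: no SOI marker"]
    while pos < len(data):
        if data[pos] != 0xFF:
            return findings + [f"expected a marker at offset {pos}, found 0x{data[pos]:02X}"]
        while pos < len(data) and data[pos] == 0xFF:  # FF fill bytes may precede the code
            pos += 1
        if pos >= len(data):
            break
        marker, pos = data[pos], pos + 1
        if marker == 0xD9:  # EOI: nothing after it belongs to the image
            if len(data) > pos:
                findings.append(f"{len(data) - pos} bytes after EOI (appended payload?)")
            return findings
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM and RSTn carry no length field
            continue
        seglen = struct.unpack(">H", data[pos:pos + 2])[0] if pos + 2 <= len(data) else 0
        if seglen < 2 or pos + seglen > len(data):
            return findings + [f"segment 0x{marker:02X} at offset {pos - 2} has bad length {seglen}"]
        segment = data[pos + 2:pos + seglen]
        if marker in SOF_MARKERS and len(segment) >= 5:
            height, width = struct.unpack(">HH", segment[1:5])
            if width * height > MAX_PIXELS:
                findings.append(f"SOF declares {width}x{height} pixels, above MAX_PIXELS")
        pos += seglen
        if marker == 0xDA:  # SOS: entropy-coded data follows with no length; scan to the next marker
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
            if pos + 1 >= len(data):
                pos = len(data)
    return findings + ["truncated: no EOI marker"]


def png_chunk(ctype, body):  # one chunk with a correct CRC; used only to build the constructed samples
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def sample_png(width=2, height=2, extra=(), trailing=b""):
    """Constructed minimal 8-bit RGB PNG, optionally with extra chunks and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = (b"\x00" + b"\x00\x00\x00" * width) * height  # filter byte 0 plus RGB pixels per row
    chunks = [png_chunk(b"IHDR", ihdr), png_chunk(b"IDAT", zlib.compress(raw))]
    chunks += [png_chunk(t, b) for t, b in extra]
    return PNG_SIG + b"".join(chunks) + png_chunk(b"IEND", b"") + trailing


def sample_jpeg(width=1, height=1, trailing=b""):
    """Constructed minimal baseline JPEG: APP0, SOF0, SOS with a stuffed FF00 byte, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof = b"\x08" + struct.pack(">HH", height, width) + b"\x01\x01\x11\x00"
    sos = b"\x01\x01\x00\x00\x3F\x00"
    seg = lambda marker, body: b"\xFF" + bytes([marker]) + struct.pack(">H", 2 + len(body)) + body
    return (b"\xFF\xD8" + seg(0xE0, app0) + seg(0xC0, sof) + seg(0xDA, sos)
            + b"\x12\x34\xFF\x00\x56" + b"\xFF\xD9" + trailing)
```

    To triage a directory, read each file and call check_png or check_jpeg depending on whether the bytes start with PNG_SIG or FF D8, ignoring the extension; anything with findings, or with neither magic, does not go near an interactive viewer. The JPEG walker deliberately does not decode scan data, and the PNG walker does not inflate IDAT, so the checker itself has no decoder to exploit.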
  • From Samtinel@21:1/5 to All on Sat Jun 18 14:00:01 2022
    > On #debian at Libera.chat IRC network they suggested it was up to the
    > upstream software sources to I guess....somehow???...test the awful binary
    > formats possible that are out there...?
    I think what the person meant was that it's upstream who tries to mitigate bugs and create secure software. Some of them might test their viewer extensively for security too, eg with fuzzing or known bad images. Those developers often know how they protect themselves. :)
    But there always can be bugs in the application nonetheless.

    Limiting that is difficult and complex, especially within GNU+Linux. You could use a MAC and also create a tight sandbox. You should probably use a viewer which is minimal (I think there's feh or sxiv which are quite small) too so that the sandbox is more effective. Rebind the image read-only and use Wayland (eg sway or GNOME). Don't allow dbus if possible.
    Some flatpak apps/image viewers have a bwrap sandbox already defined but I would assume they allow (read-only) access to /home, so I don't think this is what you want.
    Also, I don't know if bwrap can limit network access.
    Easier would probably be to just use the browser to view an image. They are battle-tested in that regard.

    In general though, security is a complex field. Even with a sandbox, there's still attack surface which includes the kernel. So use a virtual machine if you worry a lot.
    Also there are various hardening steps you can employ to make exploitation and sandbox escape harder, but that gets a little more time consuming and complex and is probably out of scope here.

    I'm not a security professional nor do I claim to know something about it, but maybe the above will help you. :)

    Samtinel

  • From Shubo@21:1/5 to Sebastian Rose on Mon Jun 20 18:50:01 2022
    I feel like ClamAV would be the cheapest and easiest solution for
    handling png and jpgs, but like Sebastian said it does depend on use
    case. There are multiple av scanners/solutions but many are paid
    services. I've been using clam av for my email setup and it feels like
    it's been sufficient. You would need to enable png/jpeg extensions for
    ClamAV if that would be your plan and some sort of sandboxed environment
    for clamav/imagemagick iirc.


    P.S. I've just subscribed to this list, so please excuse me if I repeated
    any information as I can't see this whole email thread.


     Shubo

    On 6/20/2022 12:10 PM, Sebastian Rose wrote:
    > Davide Prina <Davide.Prina@null.net> writes:
    >> Corey H wrote:
    >>
    >>> how do you guys test all of the potential PNG/JPG potential malware payloads
    >
    > What's your use-case? As I'm not aware of a vector for GNU/Linux in
    > normal everyday use¹, I guess you host files for Windows clients?
    >
    > Did anyone mention ClamAV already? If so, please ignore me (sorry for
    > not following closely...).
    >
    > - Sebastian
    >
    > ¹ One can execute every file on GNU/Linux. But the attack is that
    > execution of a file, not the file (otherwise we'd have to consider `rm', `gpg', `scp', and many more malware, too).



  • From Sebastian Rose@21:1/5 to Davide Prina on Mon Jun 20 18:20:01 2022
    Davide Prina <Davide.Prina@null.net> writes:
    > Corey H wrote:
    >
    >> how do you guys test all of the potential PNG/JPG potential malware payloads

    What's your use-case? As I'm not aware of a vector for GNU/Linux in
    normal everyday use¹, I guess you host files for Windows clients?

    Did anyone mention ClamAV already? If so, please ignore me (sorry for
    not following closely...).


    - Sebastian


    ¹ One can execute every file on GNU/Linux. But the attack is that
    execution of a file, not the file (otherwise we'd have to consider `rm',
    `gpg', `scp', and many more malware, too).


    --
    As I was walking down Stanton Street early one Sunday morning, I saw a
    chicken a few yards ahead of me. I was walking faster than the chicken,
    so I gradually caught up. By the time we approached Eighteenth Avenue,
    I was close behind. The chicken turned south on Eighteenth. At the
    fourth house along, it turned in at the walk, hopped up the front steps,
    and rapped sharply on the metal storm door with its beak. After a
    moment, the door opened and the chicken went in.

    (Linda Elegant in "True Tales of American Life")

  • From Noah Meyerhans@21:1/5 to Sebastian Rose on Mon Jun 20 18:30:01 2022
    On Mon, Jun 20, 2022 at 06:10:45PM +0200, Sebastian Rose wrote:
    >>> how do you guys test all of the potential PNG/JPG potential malware payloads
    >
    > What's your use-case? As I'm not aware of a vector for GNU/Linux in
    > normal everyday use¹, I guess you host files for Windows clients?

    https://security-tracker.debian.org/tracker/source-package/imagemagick

    If you're processing data (images, videos, audio files, etc) from
    unknown sources, it's a really good idea to use sandboxing of some kind,
    ensure that sandboxes are never reused, and to ensure that only the most minimal state possible (e.g. the output of the processing job) is
    preserved after execution. The sandbox can use things like seccomp and apparmor to enforce containment. Linux namespaces are useful as well: A private network namespace that doesn't have access to the outside world,
    a private mount namespace that has a unique root file system (ideally read-only), etc.

    Containers, as implemented by podman, docker, and systemd-container can
    help here by providing convenient interfaces to these process isolation
    tools.

    noah

  • From Noah Meyerhans@21:1/5 to Noah Meyerhans on Mon Jun 20 18:30:01 2022
    On Mon, Jun 20, 2022 at 09:25:38AM -0700, Noah Meyerhans wrote:
    > https://security-tracker.debian.org/tracker/source-package/imagemagick
    >
    > If you're processing data (images, videos, audio files, etc) from
    > unknown sources, it's a really good idea to use sandboxing of some kind,
    > ensure that sandboxes are never reused, and to ensure that only the most
    > minimal state possible (e.g. the output of the processing job) is
    > preserved after execution. The sandbox can use things like seccomp and
    > apparmor to enforce containment. Linux namespaces are useful as well: A
    > private network namespace that doesn't have access to the outside world,
    > a private mount namespace that has a unique root file system (ideally
    > read-only), etc.
    >
    > Containers, as implemented by podman, docker, and systemd-container can
    > help here by providing convenient interfaces to these process isolation
    > tools.

    Sorry, hit send before I meant to. The above is all about protecting
    against new, unknown issues for which the mitigation isn't known. For
    protection against known issues, of course, you should simply make sure
    you're running up-to-date versions of all your software.

    noah

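    Samtinel's sketch earlier in the thread (minimal viewer, image bound read-only, no network, no dbus) and Noah's list just above (private network and mount namespaces, read-only root, a fresh sandbox for every job, only the output preserved) describe the same construction. Here is one concrete way to build it around bubblewrap from Python, as an added example that is not code from either poster or from the bwrap project. It assumes a usr-merged Debian system (/bin, /lib and /lib64 are symlinks into /usr), an unprivileged bwrap that is allowed to create user namespaces, and ImageMagick's `convert` under /usr/bin; the job re-encodes the untrusted file and keeps only the re-encoded copy, so the original bytes never reach an interactive viewer at all.

```python
import os
import subprocess
import tempfile


def bwrap_argv(input_path, out_dir, command):
    """argv for a one-shot bubblewrap sandbox around an image-processing command.

    Everything except out_dir is read-only or a private tmpfs; the input is bound
    read-only as /work/input. Assumes a usr-merged system and that unprivileged
    user namespaces are available to bwrap.
    """
    return [
        "bwrap",
        "--unshare-all",             # private user, pid, net, ipc, uts and cgroup namespaces
        "--die-with-parent",         # no orphaned worker if the caller dies or times out
        "--new-session",             # detach from the caller's controlling terminal
        "--cap-drop", "ALL",
        "--clearenv",
        "--setenv", "PATH", "/usr/bin:/bin",
        "--ro-bind", "/usr", "/usr",
        "--ro-bind-try", "/etc/ld.so.cache", "/etc/ld.so.cache",  # skipped if absent
        "--symlink", "usr/bin", "/bin",
        "--symlink", "usr/lib", "/lib",
        "--symlink", "usr/lib64", "/lib64",
        "--proc", "/proc",
        "--dev", "/dev",
        "--tmpfs", "/tmp",
        "--ro-bind", input_path, "/work/input",
        "--bind", out_dir, "/work/out",   # the only writable path that outlives the job
        "--chdir", "/work",
        "--",
    ] + list(command)


def run_sandboxed(input_path, command, timeout=60):
    """Run command in a fresh sandbox; return (exit status, {output filename: bytes}).

    The namespaces die with the process and the output directory is a new temp
    dir that is deleted once its files have been read, so nothing a hostile input
    managed to do inside one job is carried over to the next one.
    """
    with tempfile.TemporaryDirectory(prefix="imgjob-") as out_dir:
        argv = bwrap_argv(os.path.abspath(input_path), out_dir, command)
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        outputs = {}
        for name in sorted(os.listdir(out_dir)):
            with open(os.path.join(out_dir, name), "rb") as fh:
                outputs[name] = fh.read()
    return proc.returncode, outputs


def rewrite_image(path):
    """Re-encode an untrusted image with ImageMagick and return only the re-encoded PNG.

    Assumes /usr/bin/convert exists; -strip drops metadata and png: forces the output
    format regardless of what the input claimed to be. Returns None if the job failed.
    """
    status, outputs = run_sandboxed(path, ["convert", "input", "-strip", "png:out/clean.png"])
    return outputs.get("clean.png") if status == 0 else None
```

    Every call gets its own namespaces and its own output directory, which is Noah's never-reuse rule in practice. The kernel stays in scope, as Samtinel notes, so a throwaway VM is the next step up if that matters. A seccomp filter is left out here only because bwrap's --seccomp takes a compiled BPF program on a file descriptor rather than a profile name; AppArmor confinement of the bwrap child is a separate, complementary layer.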
  • From Corey H@21:1/5 to All on Tue Jun 21 04:30:01 2022
    (am I sending my emails right?? I selected "Reply All.")
    >> how do you guys test all of the potential PNG/JPG potential malware
    >> payloads
    > What's your use-case?

    lol funny story.
    I downloaded all of the github.com links ripped from the blackarch main
    page (~8GB worth of repositories)
    ANYWAYS

    I wanted to see the pictures...............start with the fun stuff first, right?

    So I went: `find . -type f \( -name '*.png' -o -name '*.jpg' \) -exec cp -f '{}' "$SOME_DIR" \;`

    hehe then I was like OMG what am I doing when I saw an image name called: Something like this:
    Parser < 7.png
    WHOA. my heart raced.
    And I was like "I'm not ready for this."

    So then I started imagining all of the stuff in those 1000+ PNG/JPG files
    that I want to view with ristretto image viewer.
    .....and I was like: No way. No freakin' way.
    I deleted all of the image files and then all of the cloned github.com repositories.
    NOT worth viewing.
    I don't care if `file myfile.png` says "PNG file"
    lol

    On Mon, Jun 20, 2022 at 4:11 PM Sebastian Rose <sebastian_rose@gmx.de>
    wrote:

    > Davide Prina <Davide.Prina@null.net> writes:
    >> Corey H wrote:
    >>
    >>> how do you guys test all of the potential PNG/JPG potential malware payloads
    >
    > What's your use-case? As I'm not aware of a vector for GNU/Linux in
    > normal everyday use¹, I guess you host files for Windows clients?
    >
    > Did anyone mention ClamAV already? If so, please ignore me (sorry for
    > not following closely...).
    >
    > - Sebastian
    >
    > ¹ One can execute every file on GNU/Linux. But the attack is that
    > execution of a file, not the file (otherwise we'd have to consider `rm', `gpg', `scp', and many more malware, too).
    >
    > --
    > As I was walking down Stanton Street early one Sunday morning, I saw a chicken a few yards ahead of me. I was walking faster than the chicken,
    > so I gradually caught up. By the time we approached Eighteenth Avenue,
    > I was close behind. The chicken turned south on Eighteenth. At the
    > fourth house along, it turned in at the walk, hopped up the front steps,
    > and rapped sharply on the metal storm door with its beak. After a
    > moment, the door opened and the chicken went in.
    >
    > (Linda Elegant in "True Tales of American Life")


