Server-Side Applications Sandboxing

Thu Feb 09 2017

A lot of server-side applications invoke command line utilities for different tasks. One of the attack vectors to our server application could be abusing of these command line utilities vulnerabilities. For example due to CVE-2016-3714 vulnerability it is possible to prepare malicious image file execute arbitrary code by passing this file to imagemagick.

Imagemagick supports dozens of file formats and specifications for some formats consist of hundreds of pages. It's very probable that new vulnerabilities will be found in future. Such vulnerabilities are not depend on language or framework used by our application. Usually imagemagick invoked not directly but with help of some intermiddiate library (gem minimagick in ruby, imagemagick module in node or Imagick class in PHP). Only the CVE-2016-3714 vulnerability compromise simultaneously plenty of applications like CMSes, forums, blogs, ecommerce sites i.e. sites that user submitted images processing required. If we could implement sandboxing for major libraries used for imagemagick wrapping we could fix similar vulnerabilities in future.

Sandboxing got momentum in browsers. Chrome and later other browsers switch to model where each page processed in a sandboxed process.

Sometimes containers are used for isolation of unsafe code but it is considered wrong.

Let's take other approach. There are linux utilities for sandboxing: bubblewrap and nsjail. Both of them are very easy to build and could be used by non-previliged user.

I will use nsjail application as an example.

You will need c compiler and make utility for building:

sudo apt-get install gcc make

And we will need imagemagick package:

sudo apt-get install imagemagick

Let's clone nsjail sources and build them:

git clone
pushd nsjail && make && popd
nsjail/nsjail -Mo -R /bin/ -R /lib -R /lib64/ -R /usr/ -R /sbin/ -R /etc/alternatives/ -T /dev -B /home/andrew/out/ -R /home/andrew/in/ --keep_caps -- /usr/bin/convert /home/andrew/in/sample-large.jpg -resize 512x512 /home/andrew/out/thumbnail.jpg

We resize picture /home/andrew/in/sample-large.jpg into /home/andrew/out/thumbnail.jpg in this case.

In this article I used imagemagick as an example but similar approach could be used mitigate vulnerabilities in other applications that process user supplied data such as media files, archives or documents.

© Andrey Yatsyk