3

I am in the following situation: media files (image, audio, video) are uploaded from untrusted sources and made public to visitors.

What are the best practices for handling these potentially malicious files before they are served to users (to reduce the risk of infecting them)?

One option would be to scan them with antivirus, but 0-day exploits would go through unnoticed. I thought about re-encoding but the re-encoding software could be compromised too, so I doubt it will guarantee a clean output.

Is there any bulletproof way to scan these files for potential red flags such as URL, DRM, scripts, binary (anything other than pure media) content that I know has no reason to be included?

Thanks!

msec24
  • 1
    Convert them to another format in a sandbox. – Polynomial Aug 19 '16 at 17:43
  • 2
    There is no bulletproof solution in security. 0 day attacks are impossible to guard against because you don't know what you're guarding against! My suggestion would be to see if you can find a trusted source for your images. – Limit Aug 19 '16 at 17:45

1 Answer

2

There's no silver bullet for this, but the one reasonable approach is to convert all media into a canonical format in a sandboxed environment (e.g. a dedicated VM which is isolated externally and periodically restored to a known-good snapshot).

As an example, you might convert all videos to H.264 and AAC in an MPEG-4 container, using something like ffmpeg. You could also convert images to JPEGs and strip EXIF in the process using ImageMagick. The idea here is that corrupted files containing exploits would fail to convert, and any extraneous data would be stripped. Both of these packages would have to be kept up-to-date and you'd need to keep an eye on the bug trackers and release pages to ensure you're aware of common problems.

You can also run an antivirus solution to scan each video before attempting to re-encode it.

Polynomial
  • Thanks for confirming my thoughts, I hoped there would be a way to detect such content *before* re-encoding though – msec24 Aug 19 '16 at 18:36
  • 1
    @msec24 Sadly not. The problem is that you don't know what you're looking for until the vulnerability is known. At best you can try to validate the structure of a file to a set of known formats, but that's a big job and you have to consider non-compliant implementations of the formats and vendor-specific extensions (e.g. Photoshop's extended metadata). – Polynomial Aug 19 '16 at 20:08
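
The conversion step from the answer above, as an added example that is not from the original posts. It is meant to run inside the sandbox VM on uploads stored under server-generated names; the signature list, function names, timeout and the particular ffmpeg/ImageMagick options are assumptions of this example.

```python
import subprocess
from pathlib import Path

# Magic-byte allow-list, constructed for this example: (offset, signature, kind).
SIGNATURES = [
    (0, b"\xff\xd8\xff", "image"),        # JPEG
    (0, b"\x89PNG\r\n\x1a\n", "image"),   # PNG
    (4, b"ftyp", "video"),                # MP4 / MOV family
    (0, b"\x1a\x45\xdf\xa3", "video"),    # Matroska / WebM
]

def sniff_kind(header: bytes):
    """Classify by content, never by the uploader's filename or MIME type."""
    for offset, sig, kind in SIGNATURES:
        if header[offset:offset + len(sig)] == sig:
            return kind
    return None

def build_command(kind: str, src: str, dst: str):
    """argv that re-encodes src (a server-generated path) to the canonical format."""
    if kind == "video":
        return ["ffmpeg", "-nostdin", "-v", "error",
                "-protocol_whitelist", "file",      # input may only open local files
                "-i", src,
                "-map", "0:v:0", "-map", "0:a:0?",  # first video, optional first audio
                "-map_metadata", "-1", "-map_chapters", "-1",  # drop metadata, chapters
                "-c:v", "libx264", "-c:a", "aac", "-f", "mp4", dst]
    if kind == "image":
        # -strip drops profiles and comments, EXIF included.
        return ["convert", src, "-strip", "jpeg:" + dst]
    raise ValueError("unsupported media kind")

def canonicalize(src: Path, out_dir: Path, timeout: int = 120):
    """Re-encode one upload; return the clean file's path, or None if rejected."""
    with open(src, "rb") as fh:
        kind = sniff_kind(fh.read(16))
    if kind is None:
        return None
    dst = out_dir / (src.stem + (".mp4" if kind == "video" else ".jpg"))
    try:
        done = subprocess.run(build_command(kind, str(src), str(dst)),
                              timeout=timeout, capture_output=True)
        ok = done.returncode == 0 and dst.is_file()
    except (subprocess.TimeoutExpired, FileNotFoundError):
        ok = False
    if not ok:
        dst.unlink(missing_ok=True)  # fail closed: never publish a partial output
        return None
    return dst
```

Only the file returned by `canonicalize` is ever published; the original upload stays inside the sandbox and a `None` result means the upload is rejected.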