Your SlideShare is downloading. ×
Dan Crowley - Jack Of All Formats
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Dan Crowley - Jack Of All Formats


Published on

Published in: Technology, Art & Photos

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide
  • Here we have placed the string “test\\n” in front of a valid 7zip file.
  • Given that the file doesn’t start with the 7zip start marker and instead begins with plaintext and a newline, the UNIX ‘file’ utility misinterprets it as a data file. p7zip, on the other hand, begins its interpretation of the file starting at the 7zip header. This results in the file still being a valid 7zip archive.
  • Here, while saving a GIF in GIMP, we write a PHP backdoor into a comment. This will be mostly ignored when parsing the file as an image, but as PHP only interprets code between its start and end markers “<?php” and “?>”, the image data will not affect the execution of the script.
  • The backdoor is written directly into the file.
  • Here is the combination PDF and 7zip file we’ve created, opened as a PDF.
  • Then, we change the file extension (though this actually should be unnecessary) and list the contents of the embedded 7zip archive.
  • This is a JPEG file. It looks ordinary and parses correctly.
  • When we interpret the same file as a RAR archive, we find that we have a valid archive, too! This RAR archive was simply appended to the end of our original JPEG. While it is possible to append a RAR to the end of a JPEG and get a file which opens as either format, it is not possible to append a JPEG to the end of a RAR and achieve the same results. This is due to the use of absolute offsets in the JPEG format which must be adjusted to point to the correct resources.
  • Before the fix was put in place, it was fairly commonplace to see book sharing threads on 4chan, where people appended rar files containing ebook versions of books to jpegs of book covers for the appropriate book. People could download the jpegs, change the extension to .rar, and get an ebook of the book mentioned.
  • Transcript

    • 1. Jack of all Formats
      Daniel “unicornFurnace” Crowley
      Penetration Tester, Trustwave - SpiderLabs
    • 2. Introductions
      How can files be multiple formats?
      Why is this interesting from a security perspective?
      What can we do about it?
      (yodawg we heard you like files so we put files in your files)
    • 3. Terms
      File piggybacking
      Placing one file into another
      File consumption
      Parsing a file and interpreting its contents
    • 4. Scope of this talk
      Files which can be interpreted as multiple formats
      …with at most a change of file extension
      Covert channels
      Through use of piggybacking
      Examples are mostly Web-centric
      Only because it’s my specialty
      This concept applies to more than Web applications
      Srsly this applies to more than Web applications
    • 5. Files with multiple formats
      How to piggyback files
    • 6. File format flexibility
      Not always rigidly defined
      From the PDF specification:“This standard does not specify the following:……methods for validating the conformance of PDF files or readers…”
      Thank you Julia Wolf for “OMG WTF PDF”
      CSV comments exist but are not part of the standard
      Not all data in a file is parsed
      Unreferenced blocks of data
      Data outside start/end markers
      Reserved, unused fields
    • 7. File format flexibility
      Some data can be interpreted multiple ways
      Method of file consumption often determined by:
      File extension
      Multiple file extensions may result in multiple parses
      Bytes at beginning of file
      First identified file header
    • 8. 7zip file with junk data at the beginning
    • 9. 7zip file with junk data at the beginning
    • 10. Multiple file extensions
      Apache has:
      MIME types
      Basename– largely ignored
      Language – US English
      Triggers PHP handler
      Triggers image/png MIME type
    • 11. Metadata
      Information about the file itself
      Not always parsed by the file consumer
      “Comment”fields, few restrictions on data
      Files can be inserted into comment fields for one format
      ID3 tags for mp3 files will be shown in players
      But not usually interpreted
    • 12. Metadata – GIF comment
    • 13. Metadata – GIF comment
    • 14. Unreferenced blocks of data
      Certain formats define resources with offsets and sizes
      Unmentioned parts of the file are ignored
      Other files can occupy unmentioned space
      Other formats indicate a total size of data to be parsed
      Any additional data is ignored
      Other files can simply be appended
    • 15. Unreferenced PDF object
      PDF xref table, lists object offsets in the file
      We first remove one reference
      Next, we replace part of that object’s content…
    • 16. Unreferenced PDF object
      …with a 7zip file.
    • 17. PDF / 7Z opened as a PDF
    • 18. PDF / 7Z opened as a 7Z
    • 19. Start/End markers
      Many formats use a magic byte sequence to denote the beginning of data
      Similarly, many have one to denote the end of data
      Data outside start/end markers is ignored
      Files can be placed before or after such markers
      Files must not contain conflicting markers
    • 20. Start/End markers
      Start marker: 0xFFD8
      End marker: 0xFFD9
      Start marker: 0x526172211A0700
      Start marker: %PDF
      End marker: n%%EOFn (r and rn can replace n)
      Start marker: <?php
      End marker: ?>
    • 21. A WinRAR is you!
    • 22. A WinRAR is also JPEG!
    • 23. Limitations
      Some formats use absolute offsets
      They must be placed at start of file or offsets must be adjusted
      Examples: JPEG, BMP, PDF
      Some have headers which indicate the size of each resource to follow
      Such files are usually easy to work with
      Other files can be appended without breaking things
      Examples: RAR
    • 24. Limitations
      Some files are simply parsed from start to end
      Such files require some metadata, unreferenced space, or data which can be manipulated to have multiple meanings
      Different parsers for the same format operate differently
      Might implement different non-standard features
      May interpret format of files in different ways
    • 25. TrueCrypt volumes
      No start/end markers
      No publicly known signature
      Parsed from start of file to end of file
      No metadata fields
      No unused space
      Data is difficult to manipulate
    • 26. TrueCrypt volumes
    • 27. Security Implications
      Reasons why file piggybacking must be considered
    • 28. Security Implications
      File upload pwnage
      Checking for well-formed images doesn’t prevent backdoor upload
      Anti-Virus evasion
      Some AV detect file format being scanned then apply format specific rules
      If file is multiple formats the wrong rules might be applied
      Data infiltration/exfiltration
      Do you care what .mp3 files pass in and out of your network?
      How about .exe and .doc files?
    • 29. Security Implications
      Multiple file consumers
      Different programs may interpret the file in different ways
      GIFAR issue
      Parasitic storage
      How many file uploads allow only valid images?
      Disk space exhaustion DoS
      Some image uploads limit uploads by picture dimensions
      Size of the file may not actually be checked
    • 30. File upload pwnage
      Imagine a Web-based image upload utility
      It confirms that the uploaded file is a valid JPEG
      It doesn’t check the file extension
      It uploads the file into the Web root
      It doesn’t set the permissions to disallow execution
      Code upload is possible if the file is also a valid JPEG
      This isn’t hard…
    • 31. Anti-Virus evasion exercise
      Check detection rates on Win32 netcat
      Place it in an archive and check
      Put junk data at the beginning of the file and check
      Piggyback the archive onto the end of a JPEG and check
      Change the file extension to .JPG and check
    • 32. Check detection rates on netcat
    • 33. Archive netcat and check again
    • 34. Add junk at the beginning of the file
    • 35. Piggyback the archive onto a JPEG
    • 36. Change the extension to .jpg
    • 37. Guess what this is?
    • 38. Data Infiltration
      Take the previous example of a 7z attached to a JPEG
      This will bypass lots of AV
      Maybe also IDS/IPS
      Haven’t tested it
    • 39. Data Exfiltration
      • DLP will generally look for:
      • 40. Type of files being communicated
      • 41. Content of traffic
      • 42. Communication properties
      • 43. These techniques allow for covert channels
      • 44. With wide bandwidth
      • 45. With some plausible deniability
      • 46. In files which are
      • 47. Ordinarily harmless
      • 48. Frequently passed
      • 49. Without breaking the piggybacked files’ usability
    • Parasitic storage
      • Certain sites allow for file upload of specific formats
      File piggybacking essentially removes this limitation
      • This technique has been used on 4chan (now fixed)
      Book sharing threads
      LOIC distribution
      CP distribution
      • Still works on ImagesHack.Us
      • 50. Browsers automagically download images
      • 51. What if those images are also malware?
      • 52. Now all you need to do is figure out how to execute it…
    • Multiple File Consumers
      • GIFAR issue
      • 53. JAR appended to the end of a GIF
      • 54. Browser loads the GIF
      • 55. Old versions of JVM would recognize AND RUN the JAR
      • 56. Apache handling “file.en.php.png”
      • 57. Passes file to PHP for preprocessing
      • 58. Serves resulting output with
      • 59. a US english charset
      • 60. MIME type of “image/png”
    • Disk Space Exhaustion DoS
      • Imagine a file upload utility
      • 61. It allows the upload of only 1x1 images
      • 62. For disk space reasons
      • 63. Append 2GB of junk onto the end of a 1x1 image
      • 64. ???
      • 65. NO DISK SPACE!!!
      • 66. Checking properties of the file format may not be sufficient
    • Protections
      What can we do about this?
    • 67. File upload with code
      • Don’t upload in the Web root
      • 68. Don’t use the user’s filename
      • 69. Don’t set the perms to executable
      • 70. Don’t trust file properties
      • 71. Allow only one extension
      • 72. Allow only known good extensions
    • Anti-virus Evasion
      • We could:
      • 73. Check for all valid file headers
      • 74. Performance hit
      • 75. Apply all signatures/heuristics globally
      • 76. Big freakin’ performance hit
      • 77. Identify by behavior
      • 78. This doesn’t work on gateway AV
    • Disk Space Exhaustion
      • Don’t just check properties from the expected format
      • 79. Nuff said
    • Parasitic storage
      Don’t upload files?