This document discusses how files can contain data in multiple formats by piggybacking one file type into another. It provides examples of how files like JPEGs, PDFs, and GIFs can sometimes contain additional hidden data like archives, scripts, or documents. This technique could allow for covert channels, bypass of security tools like antivirus, and denial of service attacks if file size limits are not properly enforced. The document recommends defenses like validating the full file contents and allowed extensions for file uploads to prevent abuse of this flexibility in file formats.

1. Jack of all FormatsDaniel “unicornFurnace” CrowleyPenetration Tester, Trustwave - SpiderLabs

2. IntroductionsHow can files be multiple formats?Why is this interesting from a security perspective?What can we do about it?(yodawg we heard you like files so we put files in your files)

3. TermsFile piggybackingPlacing one file into anotherFile consumptionParsing a file and interpreting its contents

4. Scope of this talkFiles which can be interpreted as multiple formats…with at most a change of file extensionCovert channelsThrough use of piggybackingExamples are mostly Web-centricOnly because it’s my specialtyThis concept applies to more than Web applicationsSrsly this applies to more than Web applicationsGUYS IT’S NOT JUST WEB APPS

5. Files with multiple formatsHow to piggyback files

6. File format flexibilityNot always rigidly definedFrom the PDF specification:“This standard does not specify the following:……methods for validating the conformance of PDF files or readers…”Thank you Julia Wolf for “OMG WTF PDF”CSV comments exist but are not part of the standardNot all data in a file is parsedMetadataUnreferenced blocks of dataData outside start/end markersReserved, unused fields

7. File format flexibilitySome data can be interpreted multiple waysMethod of file consumption often determined by:File extensionMultiple file extensions may result in multiple parsesBytes at beginning of fileFirst identified file header

8. 7zip file with junk data at the beginning

9. 7zip file with junk data at the beginning

10. Multiple file extensionsApache has:LanguagesHandlersMIME typesFile.en.php.pngBasename– largely ignoredFile.en.php.pngLanguage – US EnglishFile.en.php.pngTriggers PHP handlerFile.en.php.pngTriggers image/png MIME type

11. MetadataInformation about the file itselfNot always parsed by the file consumer“Comment”fields, few restrictions on dataFiles can be inserted into comment fields for one formatID3 tags for mp3 files will be shown in playersBut not usually interpreted

12. Metadata – GIF comment

13. Metadata – GIF comment

14. Unreferenced blocks of dataCertain formats define resources with offsets and sizesUnmentioned parts of the file are ignoredOther files can occupy unmentioned spaceOther formats indicate a total size of data to be parsedAny additional data is ignoredOther files can simply be appended

15. Unreferenced PDF objectPDF xref table, lists object offsets in the fileWe first remove one referenceNext, we replace part of that object’s content…

16. Unreferenced PDF object…with a 7zip file.

17. PDF / 7Z opened as a PDF

18. PDF / 7Z opened as a 7Z

19. Start/End markersMany formats use a magic byte sequence to denote the beginning of dataSimilarly, many have one to denote the end of dataData outside start/end markers is ignoredFiles can be placed before or after such markersFiles must not contain conflicting markers

20. Start/End markersJPEGStart marker: 0xFFD8End marker: 0xFFD9RARStart marker: 0x526172211A0700PDFStart marker: %PDFEnd marker: \n%%EOF\n (\r and \r\n can replace \n)PHPStart marker: <?phpEnd marker: ?>

21. A WinRAR is you!

22. A WinRAR is also JPEG!

23. LimitationsSome formats use absolute offsetsThey must be placed at start of file or offsets must be adjustedExamples: JPEG, BMP, PDFSome have headers which indicate the size of each resource to followSuch files are usually easy to work withOther files can be appended without breaking thingsExamples: RAR

24. LimitationsSome files are simply parsed from start to endSuch files require some metadata, unreferenced space, or data which can be manipulated to have multiple meaningsDifferent parsers for the same format operate differentlyMight implement different non-standard featuresMay interpret format of files in different ways

25. TrueCrypt volumesNo start/end markersNo publicly known signatureParsed from start of file to end of fileNo metadata fieldsNo unused spaceData is difficult to manipulate

26. TrueCrypt volumes

27. Security ImplicationsReasons why file piggybacking must be considered

28. Security ImplicationsFile upload pwnageChecking for well-formed images doesn’t prevent backdoor uploadAnti-Virus evasionSome AV detect file format being scanned then apply format specific rulesIf file is multiple formats the wrong rules might be appliedData infiltration/exfiltrationDo you care what .mp3 files pass in and out of your network?How about .exe and .doc files?

29. Security ImplicationsMultiple file consumersDifferent programs may interpret the file in different waysGIFAR issueParasitic storageHow many file uploads allow only valid images?Disk space exhaustion DoSSome image uploads limit uploads by picture dimensionsSize of the file may not actually be checked

30. File upload pwnageImagine a Web-based image upload utilityIt confirms that the uploaded file is a valid JPEGIt doesn’t check the file extensionIt uploads the file into the Web rootIt doesn’t set the permissions to disallow executionCode upload is possible if the file is also a valid JPEGThis isn’t hard…

31. Anti-Virus evasion exerciseCheck detection rates on Win32 netcatPlace it in an archive and checkPut junk data at the beginning of the file and checkPiggyback the archive onto the end of a JPEG and checkChange the file extension to .JPG and check

32. Check detection rates on netcat

33. Archive netcat and check again

34. Add junk at the beginning of the file

35. Piggyback the archive onto a JPEG

36. Change the extension to .jpg

37. Guess what this is?

38. Data InfiltrationTake the previous example of a 7z attached to a JPEGThis will bypass lots of AVMaybe also IDS/IPSHaven’t tested it

39. Data ExfiltrationDLP will generally look for:

40. Type of files being communicated

41. Content of traffic

42. Communication properties

43. These techniques allow for covert channels

44. With wide bandwidth

45. With some plausible deniability

46. In files which are

47. Ordinarily harmless

48. Frequently passed

49. Without breaking the piggybacked files’ usabilityParasitic storageCertain sites allow for file upload of specific formatsFile piggybacking essentially removes this limitationThis technique has been used on 4chan (now fixed)Book sharing threadsLOIC distributionCP distributionStill works on ImagesHack.Us

50. Browsers automagically download images

51. What if those images are also malware?

52. Now all you need to do is figure out how to execute it…Multiple File ConsumersGIFAR issue

53. JAR appended to the end of a GIF

54. Browser loads the GIF

55. Old versions of JVM would recognize AND RUN the JAR

56. Apache handling “file.en.php.png”

57. Passes file to PHP for preprocessing

58. Serves resulting output with

59. a US english charset

60. MIME type of “image/png”Disk Space Exhaustion DoSImagine a file upload utility

61. It allows the upload of only 1x1 images

62. For disk space reasons

63. Append 2GB of junk onto the end of a 1x1 image

64. ???

65. NO DISK SPACE!!!

66. Checking properties of the file format may not be sufficientProtectionsWhat can we do about this?

67. File upload with codeDon’t upload in the Web root

68. Don’t use the user’s filename

69. Don’t set the perms to executable

70. Don’t trust file properties

71. Allow only one extension

72. Allow only known good extensionsAnti-virus EvasionWe could:

73. Check for all valid file headers

74. Performance hit

75. Apply all signatures/heuristics globally

76. Big freakin’ performance hit

77. Identify by behavior

78. This doesn’t work on gateway AVDisk Space ExhaustionDon’t just check properties from the expected format

79. Nuff saidParasitic storageDon’t upload files?