Jack of all Formats<br />Daniel “unicornFurnace” Crowley<br />Penetration Tester, Trustwave - SpiderLabs<br />
Introductions<br />How can files be multiple formats?<br />Why is this interesting from a security perspective?<br />What ...
Terms<br />File piggybacking<br />Placing one file into another<br />File consumption<br />Parsing a file and interpreting...
Scope of this talk<br />Files which can be interpreted as multiple formats<br />…with at most a change of file extension<b...
Files with multiple formats<br />How to piggyback files<br />
File format flexibility<br />Not always rigidly defined<br />From the PDF specification:“This standard does not specify th...
File format flexibility<br />Some data can be interpreted multiple ways<br />Method of file consumption often determined b...
7zip file with junk data at the beginning<br />
7zip file with junk data at the beginning<br />
Multiple file extensions<br />Apache has:<br />Languages<br />Handlers<br />MIME types<br />File.en.php.png<br />Basename–...
Metadata<br />Information about the file itself<br />Not always parsed by the file consumer<br />“Comment”fields, few rest...
Metadata – GIF comment<br />
Metadata – GIF comment<br />
Unreferenced blocks of data<br />Certain formats define resources with offsets and sizes<br />Unmentioned parts of the fil...
Unreferenced PDF object<br />PDF xref table, lists object offsets in the file<br />We first remove one reference<br />Next...
Unreferenced PDF object<br />…with a 7zip file.<br />
PDF / 7Z opened as a PDF<br />
PDF / 7Z opened as a 7Z<br />
Start/End markers<br />Many formats use a magic byte sequence to denote the beginning of data<br />Similarly, many have on...
Start/End markers<br />JPEG<br />Start marker: 0xFFD8<br />End marker: 0xFFD9<br />RAR<br />Start marker: 0x526172211A0700...
A WinRAR is you!<br />
A WinRAR is also JPEG!<br />
Limitations<br />Some formats use absolute offsets<br />They must be placed at start of file or offsets must be adjusted<b...
Limitations<br />Some files are simply parsed from start to end<br />Such files require some metadata, unreferenced space,...
TrueCrypt volumes<br />No start/end markers<br />No publicly known signature<br />Parsed from start of file to end of file...
TrueCrypt volumes<br />
Security Implications<br />Reasons why file piggybacking must be considered<br />
Security Implications<br />File upload pwnage<br />Checking for well-formed images doesn’t prevent backdoor upload<br />An...
Security Implications<br />Multiple file consumers<br />Different programs may interpret the file in different ways<br />G...
File upload pwnage<br />Imagine a Web-based image upload utility<br />It confirms that the uploaded file is a valid JPEG<b...
Anti-Virus evasion exercise<br />Check detection rates on Win32 netcat<br />Place it in an archive and check<br />Put junk...
Check detection rates on netcat<br />
Archive netcat and check again<br />
Add junk at the beginning of the file<br />
Piggyback the archive onto a JPEG<br />
Change the extension to .jpg<br />
Guess what this is?<br />
Data Infiltration<br />Take the previous example of a 7z attached to a JPEG<br />This will bypass lots of AV<br />Maybe al...
Data Exfiltration<br /><ul><li>DLP will generally look for:
Type of files being communicated
Content of traffic
Communication properties
These techniques allow for covert channels
With wide bandwidth
With some plausible deniability
In files which are
Ordinarily harmless
Upcoming SlideShare
Loading in...5
×

Dan Crowley - Jack Of All Formats

1,532
-1

Published on

Published in: Technology, Art & Photos
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,532
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
39
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Here we have placed the string “test\\n” in front of a valid 7zip file.
  • Given that the file doesn’t start with the 7zip start marker and instead begins with plaintext and a newline, the UNIX ‘file’ utility misinterprets it as a data file. p7zip, on the other hand, begins its interpretation of the file starting at the 7zip header. This results in the file still being a valid 7zip archive.
  • Here, while saving a GIF in GIMP, we write a PHP backdoor into a comment. This will be mostly ignored when parsing the file as an image, but as PHP only interprets code between its start and end markers “&lt;?php” and “?&gt;”, the image data will not affect the execution of the script.
  • The backdoor is written directly into the file.
  • Here is the combination PDF and 7zip file we’ve created, opened as a PDF.
  • Then, we change the file extension (though this actually should be unnecessary) and list the contents of the embedded 7zip archive.
  • This is a JPEG file. It looks ordinary and parses correctly.
  • When we interpret the same file as a RAR archive, we find that we have a valid archive, too! This RAR archive was simply appended to the end of our original JPEG. While it is possible to append a RAR to the end of a JPEG and get a file which opens as either format, it is not possible to append a JPEG to the end of a RAR and achieve the same results. This is due to the use of absolute offsets in the JPEG format which must be adjusted to point to the correct resources.
  • Before the fix was put in place, it was fairly commonplace to see book sharing threads on 4chan, where people appended rar files containing ebook versions of books to jpegs of book covers for the appropriate book. People could download the jpegs, change the extension to .rar, and get an ebook of the book mentioned.
  • Dan Crowley - Jack Of All Formats

    1. 1. Jack of all Formats<br />Daniel “unicornFurnace” Crowley<br />Penetration Tester, Trustwave - SpiderLabs<br />
    2. 2. Introductions<br />How can files be multiple formats?<br />Why is this interesting from a security perspective?<br />What can we do about it?<br />(yodawg we heard you like files so we put files in your files)<br />
    3. 3. Terms<br />File piggybacking<br />Placing one file into another<br />File consumption<br />Parsing a file and interpreting its contents<br />
    4. 4. Scope of this talk<br />Files which can be interpreted as multiple formats<br />…with at most a change of file extension<br />Covert channels<br />Through use of piggybacking<br />Examples are mostly Web-centric<br />Only because it’s my specialty<br />This concept applies to more than Web applications<br />Srsly this applies to more than Web applications<br />GUYS IT’S NOT JUST WEB APPS<br />
    5. 5. Files with multiple formats<br />How to piggyback files<br />
    6. 6. File format flexibility<br />Not always rigidly defined<br />From the PDF specification:“This standard does not specify the following:……methods for validating the conformance of PDF files or readers…”<br />Thank you Julia Wolf for “OMG WTF PDF”<br />CSV comments exist but are not part of the standard<br />Not all data in a file is parsed<br />Metadata<br />Unreferenced blocks of data<br />Data outside start/end markers<br />Reserved, unused fields<br />
    7. 7. File format flexibility<br />Some data can be interpreted multiple ways<br />Method of file consumption often determined by:<br />File extension<br />Multiple file extensions may result in multiple parses<br />Bytes at beginning of file<br />First identified file header<br />
    8. 8. 7zip file with junk data at the beginning<br />
    9. 9. 7zip file with junk data at the beginning<br />
    10. 10. Multiple file extensions<br />Apache has:<br />Languages<br />Handlers<br />MIME types<br />File.en.php.png<br />Basename– largely ignored<br />File.en.php.png<br />Language – US English<br />File.en.php.png<br />Triggers PHP handler<br />File.en.php.png<br />Triggers image/png MIME type<br />
    11. 11. Metadata<br />Information about the file itself<br />Not always parsed by the file consumer<br />“Comment”fields, few restrictions on data<br />Files can be inserted into comment fields for one format<br />ID3 tags for mp3 files will be shown in players<br />But not usually interpreted<br />
    12. 12. Metadata – GIF comment<br />
    13. 13. Metadata – GIF comment<br />
    14. 14. Unreferenced blocks of data<br />Certain formats define resources with offsets and sizes<br />Unmentioned parts of the file are ignored<br />Other files can occupy unmentioned space<br />Other formats indicate a total size of data to be parsed<br />Any additional data is ignored<br />Other files can simply be appended<br />
    15. 15. Unreferenced PDF object<br />PDF xref table, lists object offsets in the file<br />We first remove one reference<br />Next, we replace part of that object’s content…<br />
    16. 16. Unreferenced PDF object<br />…with a 7zip file.<br />
    17. 17. PDF / 7Z opened as a PDF<br />
    18. 18. PDF / 7Z opened as a 7Z<br />
    19. 19. Start/End markers<br />Many formats use a magic byte sequence to denote the beginning of data<br />Similarly, many have one to denote the end of data<br />Data outside start/end markers is ignored<br />Files can be placed before or after such markers<br />Files must not contain conflicting markers<br />
    20. 20. Start/End markers<br />JPEG<br />Start marker: 0xFFD8<br />End marker: 0xFFD9<br />RAR<br />Start marker: 0x526172211A0700<br />PDF<br />Start marker: %PDF<br />End marker: n%%EOFn (r and rn can replace n)<br />PHP<br />Start marker: <?php<br />End marker: ?><br />
    21. 21. A WinRAR is you!<br />
    22. 22. A WinRAR is also JPEG!<br />
    23. 23. Limitations<br />Some formats use absolute offsets<br />They must be placed at start of file or offsets must be adjusted<br />Examples: JPEG, BMP, PDF<br />Some have headers which indicate the size of each resource to follow<br />Such files are usually easy to work with<br />Other files can be appended without breaking things<br />Examples: RAR<br />
    24. 24. Limitations<br />Some files are simply parsed from start to end<br />Such files require some metadata, unreferenced space, or data which can be manipulated to have multiple meanings<br />Different parsers for the same format operate differently<br />Might implement different non-standard features<br />May interpret format of files in different ways<br />
    25. 25. TrueCrypt volumes<br />No start/end markers<br />No publicly known signature<br />Parsed from start of file to end of file<br />No metadata fields<br />No unused space<br />Data is difficult to manipulate<br />
    26. 26. TrueCrypt volumes<br />
    27. 27. Security Implications<br />Reasons why file piggybacking must be considered<br />
    28. 28. Security Implications<br />File upload pwnage<br />Checking for well-formed images doesn’t prevent backdoor upload<br />Anti-Virus evasion<br />Some AV detect file format being scanned then apply format specific rules<br />If file is multiple formats the wrong rules might be applied<br />Data infiltration/exfiltration<br />Do you care what .mp3 files pass in and out of your network?<br />How about .exe and .doc files?<br />
    29. 29. Security Implications<br />Multiple file consumers<br />Different programs may interpret the file in different ways<br />GIFAR issue<br />Parasitic storage<br />How many file uploads allow only valid images?<br />Disk space exhaustion DoS<br />Some image uploads limit uploads by picture dimensions<br />Size of the file may not actually be checked<br />
    30. 30. File upload pwnage<br />Imagine a Web-based image upload utility<br />It confirms that the uploaded file is a valid JPEG<br />It doesn’t check the file extension<br />It uploads the file into the Web root<br />It doesn’t set the permissions to disallow execution<br />Code upload is possible if the file is also a valid JPEG<br />This isn’t hard…<br />
    31. 31. Anti-Virus evasion exercise<br />Check detection rates on Win32 netcat<br />Place it in an archive and check<br />Put junk data at the beginning of the file and check<br />Piggyback the archive onto the end of a JPEG and check<br />Change the file extension to .JPG and check<br />
    32. 32. Check detection rates on netcat<br />
    33. 33. Archive netcat and check again<br />
    34. 34. Add junk at the beginning of the file<br />
    35. 35. Piggyback the archive onto a JPEG<br />
    36. 36. Change the extension to .jpg<br />
    37. 37. Guess what this is?<br />
    38. 38. Data Infiltration<br />Take the previous example of a 7z attached to a JPEG<br />This will bypass lots of AV<br />Maybe also IDS/IPS<br />Haven’t tested it<br />
    39. 39. Data Exfiltration<br /><ul><li>DLP will generally look for:
    40. 40. Type of files being communicated
    41. 41. Content of traffic
    42. 42. Communication properties
    43. 43. These techniques allow for covert channels
    44. 44. With wide bandwidth
    45. 45. With some plausible deniability
    46. 46. In files which are
    47. 47. Ordinarily harmless
    48. 48. Frequently passed
    49. 49. Without breaking the piggybacked files’ usability</li></li></ul><li>Parasitic storage<br /><ul><li>Certain sites allow for file upload of specific formats</li></ul>File piggybacking essentially removes this limitation<br /><ul><li>This technique has been used on 4chan (now fixed)</li></ul>Book sharing threads<br />LOIC distribution<br />CP distribution<br /><ul><li>Still works on ImagesHack.Us
    50. 50. Browsers automagically download images
    51. 51. What if those images are also malware?
    52. 52. Now all you need to do is figure out how to execute it…</li></li></ul><li>Multiple File Consumers<br /><ul><li>GIFAR issue
    53. 53. JAR appended to the end of a GIF
    54. 54. Browser loads the GIF
    55. 55. Old versions of JVM would recognize AND RUN the JAR
    56. 56. Apache handling “file.en.php.png”
    57. 57. Passes file to PHP for preprocessing
    58. 58. Serves resulting output with
    59. 59. a US english charset
    60. 60. MIME type of “image/png”</li></li></ul><li>Disk Space Exhaustion DoS<br /><ul><li>Imagine a file upload utility
    61. 61. It allows the upload of only 1x1 images
    62. 62. For disk space reasons
    63. 63. Append 2GB of junk onto the end of a 1x1 image
    64. 64. ???
    65. 65. NO DISK SPACE!!!
    66. 66. Checking properties of the file format may not be sufficient</li></li></ul><li>Protections<br />What can we do about this?<br />
    67. 67. File upload with code<br /><ul><li>Don’t upload in the Web root
    68. 68. Don’t use the user’s filename
    69. 69. Don’t set the perms to executable
    70. 70. Don’t trust file properties
    71. 71. Allow only one extension
    72. 72. Allow only known good extensions</li></li></ul><li>Anti-virus Evasion<br /><ul><li>We could:
    73. 73. Check for all valid file headers
    74. 74. Performance hit
    75. 75. Apply all signatures/heuristics globally
    76. 76. Big freakin’ performance hit
    77. 77. Identify by behavior
    78. 78. This doesn’t work on gateway AV</li></li></ul><li>Disk Space Exhaustion<br /><ul><li>Don’t just check properties from the expected format
    79. 79. Nuff said</li></li></ul><li>Parasitic storage<br />Don’t upload files?<br />
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×