Dan Crowley - Jack Of All Formats

1. Jack of all Formats<br />Daniel “unicornFurnace” Crowley<br />Penetration Tester, Trustwave - SpiderLabs<br />
2. Introductions<br />How can files be multiple formats?<br />Why is this interesting from a security perspective?<br />What can we do about it?<br />(yodawg we heard you like files so we put files in your files)<br />
3. Terms<br />File piggybacking<br />Placing one file into another<br />File consumption<br />Parsing a file and interpreting its contents<br />
4. Scope of this talk<br />Files which can be interpreted as multiple formats<br />…with at most a change of file extension<br />Covert channels<br />Through use of piggybacking<br />Examples are mostly Web-centric<br />Only because it’s my specialty<br />This concept applies to more than Web applications<br />Srsly this applies to more than Web applications<br />GUYS IT’S NOT JUST WEB APPS<br />
5. Files with multiple formats<br />How to piggyback files<br />
6. File format flexibility<br />Not always rigidly defined<br />From the PDF specification: “This standard does not specify the following: …methods for validating the conformance of PDF files or readers…”<br />Thank you Julia Wolf for “OMG WTF PDF”<br />CSV comments exist but are not part of the standard<br />Not all data in a file is parsed<br />Metadata<br />Unreferenced blocks of data<br />Data outside start/end markers<br />Reserved, unused fields<br />
7. File format flexibility<br />Some data can be interpreted multiple ways<br />Method of file consumption often determined by:<br />File extension<br />Multiple file extensions may result in multiple parses<br />Bytes at beginning of file<br />First identified file header<br />
8. 7zip file with junk data at the beginning<br />
9. 7zip file with junk data at the beginning<br />
10. Multiple file extensions<br />Apache has:<br />Languages<br />Handlers<br />MIME types<br />File.en.php.png<br />Basename – largely ignored<br />File.en.php.png<br />Language – English (Content-Language from .en)<br />File.en.php.png<br />Triggers the PHP handler (.php)<br />File.en.php.png<br />Triggers the image/png MIME type (.png)<br />
11. Metadata<br />Information about the file itself<br />Not always parsed by the file consumer<br />“Comment” fields, few restrictions on data<br />Files can be inserted into comment fields for one format<br />ID3 tags for mp3 files will be shown in players<br />But not usually interpreted<br />
12. Metadata – GIF comment<br />
13. Metadata – GIF comment<br />
14. Unreferenced blocks of data<br />Certain formats define resources with offsets and sizes<br />Unmentioned parts of the file are ignored<br />Other files can occupy unmentioned space<br />Other formats indicate a total size of data to be parsed<br />Any additional data is ignored<br />Other files can simply be appended<br />
15. Unreferenced PDF object<br />The PDF xref table lists object offsets in the file<br />We first remove one reference<br />Next, we replace part of that object’s content…<br />
16. Unreferenced PDF object<br />…with a 7zip file.<br />
17. PDF / 7Z opened as a PDF<br />
18. PDF / 7Z opened as a 7Z<br />
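The unreferenced-object trick of slides 15-18, as an added worked example in Python (this is not code from the talk). `build_pdf`, `load_xref` and `read_object` are a deliberately minimal PDF writer and reader written for this page: one classic xref section, no xref streams, no incremental updates. Marking the object free in the xref table is the "remove one reference" step; the payload is written into that object's body as the "replace its content" step. ZIP stands in for 7z because Python's standard library can read it; the page content and the `nc.exe` member are constructed stand-ins.

```python
"""Added example, not from the talk: a PDF whose xref table never points at one
of its objects, so that object's bytes can carry a second file (here a ZIP)."""
import io
import zipfile

# Constructed one-page document: catalog, page tree, page, a content stream
# that draws one diagonal line.
PAGE_OBJECTS = [
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Contents 4 0 R >>",
    b"<< /Length 17 >>\nstream\n0 0 m 200 100 l S\nendstream",
]

def build_pdf(objects, free=()):
    """Serialize objects 1..n with a classic xref table. Objects whose number is
    in `free` are still written into the file, but their xref entry is marked
    'f', so a reader that follows the table never visits them (slide 15)."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, 1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_pos = len(out)
    out += f"xref\n0 {len(objects) + 1}\n".encode() + b"0000000000 65535 f \n"
    for num, off in enumerate(offsets, 1):
        out += b"0000000000 65535 f \n" if num in free else f"{off:010d} 00000 n \n".encode()
    out += (f"trailer\n<< /Size {len(objects) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_pos}\n%%EOF\n").encode()
    return bytes(out)

def load_xref(pdf):
    """Follow startxref and return {object number: offset} for in-use entries.
    Minimal reader: a single xref section, exactly what build_pdf emits."""
    sx = pdf.rindex(b"startxref")
    xref_pos = int(pdf[sx + len(b"startxref"):].split()[0])
    if pdf[xref_pos:xref_pos + 4] != b"xref":
        raise ValueError("startxref does not point at an xref table")
    lines = pdf[xref_pos:].split(b"\n")
    first, count = map(int, lines[1].split())
    table = {}
    for i in range(count):
        offset, _generation, kind = lines[2 + i].split()
        if kind == b"n":
            table[first + i] = int(offset)
    return table

def read_object(pdf, table, num):
    """Return an in-use object's body by seeking to its xref offset, which is
    how a conforming reader locates it; anything the table omits is invisible."""
    off = table[num]
    header = f"{num} 0 obj\n".encode()
    if pdf[off:off + len(header)] != header:
        raise ValueError(f"xref offset for object {num} is wrong")
    return pdf[off + len(header):pdf.index(b"\nendobj\n", off)]

def zip_bytes(member_name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()

def demo():
    payload = zip_bytes("nc.exe", b"MZ" + bytes(64))     # constructed stand-in for a binary
    # Object 5 holds the archive; its xref entry is free, so PDF readers skip it,
    # while the ZIP reader locates the end-of-central-directory record by scanning.
    poly = build_pdf(PAGE_OBJECTS + [payload], free={5})
    table = load_xref(poly)
    with zipfile.ZipFile(io.BytesIO(poly)) as zf:
        members = zf.namelist()
    return {
        "in_use_objects": sorted(table),          # [1, 2, 3, 4]: object 5 is not referenced
        "page_contents": read_object(poly, table, 4),
        "orphan_present": poly.find(payload) > 0, # the bytes are still in the file
        "zip_members": members,                   # ['nc.exe']: the same file is an archive
    }
```

Python's zipfile tolerates both the PDF bytes before the archive and the xref table and trailer after it, provided the end-of-central-directory record falls within the last 64 KB of the file; that scanning leniency is what makes the slide-18 screenshot possible, and it is also why a server-side "is this a ZIP?" test must be run on every upload rather than only on files that claim to be archives.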
19. Start/End markers<br />Many formats use a magic byte sequence to denote the beginning of data<br />Similarly, many have one to denote the end of data<br />Data outside start/end markers is ignored<br />Files can be placed before or after such markers<br />Files must not contain conflicting markers<br />
20. Start/End markers<br />JPEG<br />Start marker: 0xFFD8<br />End marker: 0xFFD9<br />RAR<br />Start marker: 0x526172211A0700<br />PDF<br />Start marker: %PDF<br />End marker: %%EOF (and can replace)<br />PHP<br />Start marker: <?php<br />End marker: ?><br />
21. A WinRAR is you!<br />
22. A WinRAR is also JPEG!<br />
23. Limitations<br />Some formats use absolute offsets<br />Such a file must be placed at the start of the host file, or its offsets must be adjusted<br />Examples: JPEG, BMP, PDF<br />Some have headers which indicate the size of each resource to follow<br />Such files are usually easy to work with<br />Other files can be appended without breaking things<br />Examples: RAR<br />
24. Limitations<br />Some files are simply parsed from start to end<br />Such files require some metadata, unreferenced space, or data which can be manipulated to have multiple meanings<br />Different parsers for the same format operate differently<br />Might implement different non-standard features<br />May interpret the format in different ways<br />
25. TrueCrypt volumes<br />No start/end markers<br />No publicly known signature<br />Parsed from start of file to end of file<br />No metadata fields<br />No unused space<br />Data is difficult to manipulate<br />
26. TrueCrypt volumes<br />
27. Security Implications<br />Reasons why file piggybacking must be considered<br />
28. Security Implications<br />File upload pwnage<br />Checking for well-formed images doesn’t prevent backdoor upload<br />Anti-Virus evasion<br />Some AV detect the file format being scanned, then apply format-specific rules<br />If the file is multiple formats, the wrong rules might be applied<br />Data infiltration/exfiltration<br />Do you care what .mp3 files pass in and out of your network?<br />How about .exe and .doc files?<br />
29. Security Implications<br />Multiple file consumers<br />Different programs may interpret the file in different ways<br />GIFAR issue<br />Parasitic storage<br />How many file uploads allow only valid images?<br />Disk space exhaustion DoS<br />Some image uploads limit uploads by picture dimensions<br />Size of the file may not actually be checked<br />
30. File upload pwnage<br />Imagine a Web-based image upload utility<br />It confirms that the uploaded file is a valid JPEG<br />It doesn’t check the file extension<br />It uploads the file into the Web root<br />It doesn’t set the permissions to disallow execution<br />Code upload is possible if the file is also a valid JPEG<br />This isn’t hard…<br />
31. Anti-Virus evasion exercise<br />Check detection rates on Win32 netcat<br />Place it in an archive and check<br />Put junk data at the beginning of the file and check<br />Piggyback the archive onto the end of a JPEG and check<br />Change the file extension to .JPG and check<br />
32. Check detection rates on netcat<br />
33. Archive netcat and check again<br />
34. Add junk at the beginning of the file<br />
35. Piggyback the archive onto a JPEG<br />
36. Change the extension to .jpg<br />
37. Guess what this is?<br />
38. Data Infiltration<br />Take the previous example of a 7z attached to a JPEG<br />This will bypass lots of AV<br />Maybe also IDS/IPS<br />Haven’t tested it<br />
39. Data Exfiltration<br />DLP will generally look for:<br />Type of files being communicated<br />Content of traffic<br />Communication properties<br />These techniques allow for covert channels<br />With wide bandwidth<br />With some plausible deniability<br />In files which are<br />Ordinarily harmless<br />Frequently passed<br />Without breaking the piggybacked files’ usability<br />
40. Parasitic storage<br />Certain sites allow for file upload of specific formats<br />File piggybacking essentially removes this limitation<br />This technique has been used on 4chan (now fixed)<br />Book sharing threads<br />LOIC distribution<br />CP distribution<br />Still works on ImageShack.us<br />Browsers automagically download images<br />What if those images are also malware?<br />Now all you need to do is figure out how to execute it…<br />
41. Multiple File Consumers<br />GIFAR issue<br />JAR appended to the end of a GIF<br />Browser loads the GIF<br />Old versions of the JVM would recognize AND RUN the JAR<br />Apache handling “file.en.php.png”<br />Passes the file to PHP for preprocessing<br />Serves the resulting output with<br />Content-Language: en (from .en; a language tag, not a charset)<br />MIME type of “image/png” (from .png)<br />
42. Disk Space Exhaustion DoS<br />Imagine a file upload utility<br />It allows the upload of only 1x1 images<br />For disk space reasons<br />Append 2GB of junk onto the end of a 1x1 image<br />???<br />NO DISK SPACE!!!<br />Checking properties of the file format may not be sufficient<br />
43. Protections<br />What can we do about this?<br />
44. File upload with code<br />Don’t upload into the Web root<br />Don’t use the user’s filename<br />Don’t set the perms to executable<br />Don’t trust file properties<br />Allow only one extension<br />Allow only known good extensions<br />
45. Anti-virus Evasion<br />We could:<br />Check for all valid file headers<br />Performance hit<br />Apply all signatures/heuristics globally<br />Big freakin’ performance hit<br />Identify by behavior<br />This doesn’t work on gateway AV<br />
46. Disk Space Exhaustion<br />Don’t just check properties from the expected format<br />Nuff said<br />
47. Parasitic storage<br />Don’t upload files?<br />
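The append-after-EOI polyglot of slides 19-22 and 31-37, followed by the upload gate that slides 44 and 46 ask for, as one added worked example in Python (not code from the talk). The JPEG is a constructed skeleton (SOI, APP0, a SOF0 declaring a 1x1 image, EOI) with no scan data; the `nc.exe` payload is a constructed stand-in; ZIP replaces 7z/RAR so the standard library can open it; and `check_upload` is a hypothetical gate whose name and policy are this page's, not a library API.

```python
"""Added example, not from the talk: build a JPEG/ZIP polyglot, show that a
JPEG segment walker and zipfile both accept it, then gate it the way the
Protections slides describe."""
import io
import os
import re
import struct
import zipfile

# Constructed JPEG skeleton: SOI, APP0/JFIF, SOF0 declaring a 1x1 8-bit image, EOI.
# It will not render (no scan data) but is structurally enough for the walker.
MINIMAL_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xc0" + struct.pack(">H", 11) + b"\x08\x00\x01\x00\x01\x01\x01\x11\x00"
    + b"\xff\xd9"
)
ALLOWED_MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}

def walk_jpeg(data):
    """Return (segments, trailing): segments is [(marker, payload)] and trailing
    is every byte after the EOI marker, which viewers ignore (slide 19)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                                  # EOI
            return segments, data[pos + 2:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:        # TEM / RSTn: no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == 0xDA:                                  # SOS: skip entropy-coded data
            while True:
                nxt = data.find(b"\xff", pos)
                if nxt < 0 or nxt + 1 >= len(data):
                    raise ValueError("scan data runs off the end of the file")
                if data[nxt + 1] != 0x00 and not 0xD0 <= data[nxt + 1] <= 0xD7:
                    pos = nxt
                    break
                pos = nxt + 1
    raise ValueError("no EOI marker")

def build_polyglot(jpeg, member_name, payload):
    """Slides 19-22: put the archive after EOI; the image parser stops at EOI and
    the archive parser finds its end-of-central-directory record from the end."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return jpeg + buf.getvalue()

def check_upload(filename, data, max_bytes=2_000_000):
    """Hypothetical upload gate; returns (accepted, reason or server-side name).
    One allowlisted extension (rejects file.en.php.jpg), content must match the
    extension, a byte cap independent of image properties, nothing after EOI,
    not simultaneously an archive, and storage under a random name."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED_MAGIC:
        return False, f"extension .{ext} not allowed"
    if len(data) > max_bytes:
        return False, "exceeds byte cap"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match extension"
    if ext == "jpg":
        try:
            _, trailing = walk_jpeg(data)
        except ValueError as exc:
            return False, f"malformed JPEG: {exc}"
        if trailing:
            return False, f"{len(trailing)} bytes after EOI"
    if zipfile.is_zipfile(io.BytesIO(data)):
        return False, "file is also a ZIP archive"
    return True, f"{os.urandom(8).hex()}.{ext}"

def demo():
    poly = build_polyglot(MINIMAL_JPEG, "nc.exe", b"MZ" + bytes(64))  # constructed stand-in for netcat
    segments, trailing = walk_jpeg(poly)
    with zipfile.ZipFile(io.BytesIO(poly)) as zf:
        members = zf.namelist()
    return {
        "jpeg_markers": [hex(m) for m, _ in segments],             # ['0xe0', '0xc0']: still a JPEG
        "declared_size": struct.unpack(">HH", dict(segments)[0xC0][1:5]),  # (1, 1): dimensions say nothing about size
        "trailing_bytes": len(trailing),
        "zip_members": members,                                    # ['nc.exe']: also an archive
        "hardened_verdict": check_upload("cat.jpg", poly),
    }
```

The walker catches bytes after EOI but not a payload tucked into an APPn or COM segment (slides 11-13), and `zipfile.is_zipfile` only recognises ZIP, not 7z or RAR. For images the robust server-side answer is to decode and re-encode the upload so that nothing the decoder did not understand survives; that needs an imaging library outside the standard library.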