gifar's magic mimes filed in 8 by 3 · ben s. knowles bbst, cissp, gcia, gcih, gsec, lpic-1 ,...
Ben S. Knowles BBST, CISSP, GCIA, GCIH, GSEC, LPIC-1 , et cetera
GIFAR's Magic Mimes Filed in 8 by 3
File types, identification techniques, and their weaknesses to attack
File types?
How do computers tell what kind of thing something is?
How do analysts identify artifacts?
What vulnerabilities do these techniques have?
a few examples:
live and raw bytes of common file types:
● html/xml/text
● pl/py/rb/sh
● png, PDF, gif, jpg, bmp
● exe, doc, elf, pe
● avi, mov, flv
● jar/zip/docx, tar
html and xml - structured text
pl/py/rb/sh- script text
PDF, png - vector and raster graphics
exe, doc, ELF, PE – programs and binaries
avi, mov, flv - video containers
jar/zip/docx/tar - archives
the basic schemes
● file name & extensions (trust it)
● file metadata (tag it)
● file(1) magic (check it)
● What about icons?
file name & extensions (trust it)
● Eight dot three
– [short title] . [three letter extension]
– Extensions determine type for Win, Mac!
● VFAT LFN kludge
– Progra~1/goodfile.exe ?
– Docume~1/badfile.com ?
file metadata (tag it)
– resource forks and EAs
● Classic Macintosh, OS/2
● ResEdit etc. could change rsrc
– MIME type tags and headers
● BeOS filesystem
● the WWW and email
file magic (check it)
“file tests each argument in an attempt to classify it.”
“These files have a 'magic number' stored in a particular place near the beginning of the file … “
“Any file with some invariant identifier at a small fixed offset into the file can usually be described in this way.”
– manual page for file(1)
file magic example checks
What about icons?
How is all of this used?
● Optimizations, shortcuts
● Exceptions to security policy
● In analysis for intelligence, triage, and response
Usage: Optimizations
Apache modules may try to compress text, html, but not PNG,GIF
Apache mod_deflate configuration from apache.org:
http://httpd.apache.org/docs/2.2/mod/mod_deflate.html
Usage: Exceptions to policy
as configured in HIDS/NIDS:
● MSSE/SAV exclude from scan "*.jar,*.dll"
● WAF / IPS policy : Disallow requests to “*.cgi, *.pl”
for application security:
● Gmail used to forbid exe files as attachments
Usage: In file analysis
● easy to prioritize analysis, triage artifacts by file extension
– Disk forensics tools organize files by extension as well as by determined type
● Some tools only accept certain file types:
– Anubis, VirusTotal, Truman, GFI, etc.
– accept exe or APK, and common Windows file types / extensions
Basic Deceptions
● Lies
● Simple mutations
Deceptions: Lies
Windows hides extensions by default:
You can change extension/name:
To easily hide file types in Windows:
Deceptions: Lies (2)
Change icon and metadata to confuse users and evade detection
Deceptions: Simple mutations
to evade detection:
● Compression
– Zip it, RAR it, tar it up: changes headers and name
● Packing
– Various utilities disguise executable or intent
● UPX, JavaScript, PHP packers / obfuscators
● Encoding
– MIME, Base64, ROT13 or uuencode for transmission
● Transcoding
– Change image or video type by re-encoding
Deceptions: magic tricks
Is this a GIF?
GIF89a [other binary data] [and then GIF palette here] <?php readfile('/etc/passwd'); ?> [more binary data]
Then why is it stealing user data on my Mac?
Deceptions: magic tricks: jar stego
pdp's post: http://www.gnucitizen.org/blog/java-jar-attacks-and-features/
Explains how to trivially combine images with JAR files using copy, cat:
“If you double click on the fancyevilimage.jpg you get your default image viewer with the actual image displayed inside. If you put the image inside the src attribute of an img tag, surprise, surprise, it renders.”
“In our case, the Java runtime, will happily interpret an image as a JAR.”
Chimera
● are multiple file types?
● exhibit properties of multiple file types:
– Abuse magic signatures
– Multiple headers for multiple parsers
Release the GIFAR!
Images from Billy's blog post: http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/
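The "file magic example checks", the GIF-with-PHP question and the chimera idea above, as one added example that is not part of the slide deck: a small Python checker that classifies a file by its leading magic bytes, compares that with the name's extension, looks for script text inside an image, and checks whether an image or PDF also ends in a readable ZIP archive, which is what lets a GIF+JAR concatenation load as a JAR. The magic table, alias sets and sample fixtures are constructed for this example.

```python
import io
import zipfile

# Magic signatures at offset 0 (a small subset of what file(1) knows).
MAGIC = [(b"GIF87a", "gif"), (b"GIF89a", "gif"), (b"\x89PNG\r\n\x1a\n", "png"),
         (b"\xff\xd8\xff", "jpg"), (b"%PDF-", "pdf"), (b"\x7fELF", "elf"),
         (b"MZ", "exe"), (b"PK\x03\x04", "zip")]
# Extensions that legitimately carry a given magic type (constructed table).
ALIASES = {"zip": {"zip", "jar", "docx", "apk"}, "exe": {"exe", "dll"}, "jpg": {"jpg", "jpeg"}}

def by_magic(data: bytes) -> str:
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"

def has_trailing_zip(data: bytes) -> bool:
    # ZIP/JAR readers find the End Of Central Directory record by scanning back
    # from EOF, so bytes prepended to an archive are ignored. zipfile applies the
    # same rule, so a readable archive here means a JAR loader accepts it too.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return len(zf.namelist()) > 0 and zf.testzip() is None
    except (zipfile.BadZipFile, ValueError, OSError):
        return False

def assess(name: str, data: bytes) -> dict:
    """Flag a lying extension, script text inside an image, and a chimera."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = by_magic(data)
    return {
        "magic": kind,
        "ext_mismatch": ext not in ALIASES.get(kind, {kind}),
        "script_marker": kind in ("gif", "png", "jpg") and b"<?php" in data,
        "chimera": kind not in ("zip", "unknown") and has_trailing_zip(data),
    }

def build_samples() -> dict:
    # Constructed fixtures: a minimal GIF89a (header, screen descriptor, trailer),
    # a one-entry zip standing in for a JAR, an image with a PHP open tag, and
    # the image+archive concatenation the slides call a GIFAR.
    gif = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    archive = buf.getvalue()
    return {"plain.gif": gif, "app.jar": archive,
            "avatar.gif": gif[:-1] + b"<?php /* constructed marker */ ?>;",
            "photo.gif": gif + archive}
```

Run `assess(name, data)` over each fixture from `build_samples()`: only `photo.gif` raises the `chimera` flag, even though its leading bytes and extension agree, which is exactly why checking magic alone is not enough.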
Other published chimera
Many examples in “Jack Of All Formats”:
http://www.slideshare.net/BaronZor/jack-of-all-formats
● Apache multiple handling of File.en.php.png
● Functioning PDF / 7Zip archive, WinRAR / JPEG!
● JaCK : Valid PNG with PHP backdoor
And around the net:
● http://blog.security4all.be/2008/08/gifar-jpgar-docar-whats-deal-with-new.html
Questions?
How do your systems identify file types and how much do you trust it?
Are there vulnerabilities in your systems related to these techniques?
How did Sun and Google fix the vulns behind GIFAR?
Next steps
Start looking at your system configs and analysis systems for file type trust weak points.
Many examples and attack scenarios in @dan_crowley's SOURCE 2011 presentation “Jack of all Formats”:
http://www.slideshare.net/BaronZor/jack-of-all-formats
Static artifact analysis is one facet of forensic file analysis and reverse engineering. Awesome books include:
● Practical Malware Analysis
● Malware Analysis Cookbook
SANS FOR610 “Reverse Engineering Malware”, GREM
http://www.giac.org/certification/reverse-engineering-malware-grem
References
Slide deck and links available online:
http://adric.net/index.cgi/wiki?name=File+types