Ben S. Knowles BBST, CISSP, GCIA, GCIH, GSEC, LPIC-1 , et cetera GIFAR's Magic Mimes Filed in 8 by 3 File types, identification techniques, and their weaknesses to attack

Post on 24-May-2020


Page 1: GIFAR's Magic Mimes Filed in 8 by 3 · Ben S. Knowles BBST, CISSP, GCIA, GCIH, GSEC, LPIC-1 , et cetera GIFAR's Magic Mimes Filed in 8 by 3 File types, identification techniques,

Ben S. Knowles BBST, CISSP, GCIA, GCIH, GSEC, LPIC-1 , et cetera

GIFAR's Magic Mimes Filed in 8 by 3

File types, identification techniques, and their weaknesses to attack

Page 2

File types?

How do computers tell what kind of thing something is?

How do analysts identify artifacts?

What vulnerabilities do these techniques have?

Page 3

a few examples:

live and raw bytes of common file types:

● html/xml/text

● pl/py/rb/sh

● png, PDF, gif, jpg, bmp

● exe, doc, elf, pe

● avi, mov, flv

● jar/zip/docx, tar

Page 4

html and xml - structured text

Page 5

pl/py/rb/sh - script text

Page 6

PDF, png - vector and raster graphics

Page 7

exe, doc, ELF, PE – programs and binaries

Page 8

avi, mov, flv - video containers

Page 9

jar/zip/docx/tar - archives

Page 10

the basic schemes

● file name & extensions (trust it)

● file metadata (tag it)

● file(1) magic (check it)

● What about icons?

Page 11

file name & extensions (trust it)

● Eight dot three

– [short title] . [three letter extension]

– Extensions determine type for Win, Mac!

● VFAT LFN kludge

– Progra~1/goodfile.exe ?

– Docume~1/badfile.com ?

Page 12

file metadata (tag it)

● resource forks and EAs

– Classic Macintosh, OS/2

– ResEdit etc. could change rsrc

● MIME type tags and headers

– BeOS filesystem

– the WWW and email

Page 13

file magic (check it)

“file tests each argument in an attempt to classify it.”

“These files have a 'magic number' stored in a particular place near the beginning of the file …”

“Any file with some invariant identifier at a small fixed offset into the file can usually be described in this way.”

– manual page for file(1)

Page 14

file magic example checks
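As an added worked example (not from the slides), the "check it" scheme in Python: a small hand-written signature table for the types listed earlier, looked up at a fixed offset the way file(1) does, and compared with what the extension claims. The MAGIC table, the ALIASES map and the SAMPLES inputs are constructed for illustration and are not libmagic's database; note that plain text, scripts without a shebang and similar formats have no magic at all, so an "unknown" result is not a mismatch.

```python
"""Identify a file's type from its leading bytes (the file(1) 'magic' idea)
and compare the result with the type its extension claims."""
import os

# Constructed signature table: (bytes, offset, type name). These are the
# well-known leading bytes of each format, not libmagic's full database.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"GIF87a", 0, "gif"),
    (b"GIF89a", 0, "gif"),
    (b"%PDF-", 0, "pdf"),
    (b"\xff\xd8\xff", 0, "jpg"),
    (b"PK\x03\x04", 0, "zip"),   # jar, docx, apk are all ZIP containers
    (b"\x7fELF", 0, "elf"),
    (b"MZ", 0, "exe"),           # DOS stub that starts every PE file
    (b"BM", 0, "bmp"),
    (b"#!", 0, "script"),        # shebang: sh, pl, py, rb ...
    (b"<?xml", 0, "xml"),
]

# Extensions that legitimately share a container or loader with another type.
ALIASES = {
    "jar": "zip", "docx": "zip", "xlsx": "zip", "apk": "zip",
    "dll": "exe", "scr": "exe",
    "jpeg": "jpg",
    "sh": "script", "pl": "script", "py": "script", "rb": "script",
}


def identify(data: bytes) -> str:
    """Return the type of the first matching signature, or 'unknown'."""
    for sig, offset, name in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return name
    return "unknown"


def claimed_type(filename: str) -> str:
    """Type the file name claims ('trust it'), normalised through ALIASES."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ALIASES.get(ext, ext) or "none"


def check(filename: str, data: bytes) -> dict:
    """Compare the claimed type with the magic-derived one.
    An 'unknown' magic result is not reported as a mismatch: text-like
    formats carry no signature, so there is nothing to contradict."""
    claimed, actual = claimed_type(filename), identify(data)
    return {"claimed": claimed, "actual": actual,
            "mismatch": actual != "unknown" and claimed != actual}


def scan(samples: dict) -> list:
    """Names of samples whose leading bytes contradict their extension."""
    return sorted(n for n, d in samples.items() if check(n, d)["mismatch"])


# Constructed sample inputs: only the first few bytes matter to the check.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00",   # PE stub behind an image name
    "lib.jar": b"PK\x03\x04\x14\x00\x00\x00",
    "notes.txt": b"just some words\n",
    "icon.gif": b"GIF89a\x10\x00\x10\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check(name, blob))
    print("mismatches:", scan(SAMPLES))
```

Run it on real files by reading the first 16 bytes of each into `check()`; the alias map is where policy lives (whether `.scr` being a PE is acceptable is a decision, not a fact about the bytes).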

Page 15

What about icons?

Page 16

How is all of this used?

● Optimizations, shortcuts

● Exceptions to security policy

● In analysis for intelligence, triage, and response

Page 17

Usage: Optimizations

Apache modules may try to compress text, html, but not PNG, GIF

Apache mod_deflate configuration from apache.org: http://httpd.apache.org/docs/2.2/mod/mod_deflate.html

Page 18

Usage: Exceptions to policy

as configured in HIDS/NIDS:

● MSSE/SAV exclude from scan "*.jar,*.dll"

● WAF / IPS policy: Disallow requests to “*.cgi, *.pl”

for application security:

● Gmail used to forbid exe files as attachments

Page 19

Usage: In file analysis

● easy to prioritize analysis, triage artifacts by file extension

– Disk forensics tools organize files by extension as well as by determined type

● Some tools only accept certain file types:

– Anubis, VirusTotal, Truman, GFI, etc.

– accept exe or APK, and common Windows file types / extensions

Page 20

Basic Deceptions

● Lies

● Simple mutations

Page 21

Deceptions: Lies

Windows hides extensions by default:

You can change extension/name:

To easily hide file types in Windows:

Page 22

Deceptions: Lies (2)

Change icon and metadata to confuse users and evade detection

Page 23

Deceptions: Simple mutations

to evade detection:

● Compression

– Zip it, RAR it, tar it up: changes headers and name

● Packing

– Various utilities disguise executable or intent

– UPX, JavaScript, PHP packers / obfuscators

● Encoding

– MIME, Base64, ROT13 or uuencode for transmission

● Transcoding

– Change image or video type by re-encoding

Page 24

Deceptions: magic tricks

Is this a GIF?

GIF98a [other binary data] [and then GIF palette here] <?php readfile('/etc/passwd'); ?> [more binary data]

Then why is it stealing user data on my Mac?

Page 25

Deceptions: magic tricks: jar stego

pdp's post: http://www.gnucitizen.org/blog/java-jar-attacks-and-features/

Explains how to trivially combine images with JAR files using copy, cat:

“If you double click on the fancyevilimage.jpg you get your default image viewer with the actual image displayed inside. If you put the image inside the src attribute of an img tag, surprise, surprise, it renders.”

“In our case, the Java runtime, will happily interpret an image as a JAR.”

Page 26

Chimera

● are multiple file types?

● exhibit properties of multiple file types:

– Abuse magic signatures

– Multiple headers for multiple parsers
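An added example, not from the deck or from pdp's or Billy's posts, that serves both the "magic tricks" slides and this one: a scanner for the two chimera patterns described, the appended archive (ZIP readers, Java's included, locate the central directory by scanning back from the end of the file, so an archive glued after an image is still a complete archive to them) and the interpreter tag buried inside an image body. The LEADING table, the SCRIPT_TAGS list and the build_sample_chimera() helper with its sample bytes are constructed for this example.

```python
"""Scan a file for chimera / polyglot traits: one parser's header at the front,
another parser's structure at the back, or interpreter tags inside the body."""
import io
import zipfile

# Constructed leading-byte table for the formats the deck lists.
LEADING = {
    b"GIF87a": "gif", b"GIF89a": "gif", b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg", b"%PDF-": "pdf", b"PK\x03\x04": "zip",
}
# Interpreter tags that have no business inside an image or archive body.
SCRIPT_TAGS = [b"<?php", b"<script"]
# A ZIP comment may be up to 65535 bytes and the EOCD record itself is 22 bytes,
# so that is how far back from EOF a reader will look for the archive's end record.
EOCD_SEARCH_WINDOW = 65535 + 22


def leading_type(data: bytes) -> str:
    """Type claimed by the first bytes, as a magic check would see it."""
    for sig, name in LEADING.items():
        if data.startswith(sig):
            return name
    return "unknown"


def has_trailing_zip(data: bytes) -> bool:
    """True if the bytes open as a ZIP archive regardless of what is at the front.
    Readers find the End Of Central Directory record from EOF backwards, so an
    archive appended after an image is still a valid archive to them."""
    if b"PK\x05\x06" not in data[-EOCD_SEARCH_WINDOW:]:
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() returns the first corrupt entry name, or None if all check out.
            return bool(zf.namelist()) and zf.testzip() is None
    except (zipfile.BadZipFile, NotImplementedError, OSError):
        return False


def embedded_script_tags(data: bytes) -> list:
    """Interpreter tags found anywhere in the body."""
    return [tag.decode() for tag in SCRIPT_TAGS if tag in data]


def analyse(data: bytes) -> dict:
    """Report every way the bytes satisfy a second parser besides the leading one."""
    front = leading_type(data)
    findings = []
    if front != "zip" and has_trailing_zip(data):
        findings.append(f"{front} header but parses as a ZIP archive")
    for tag in embedded_script_tags(data):
        findings.append(f"script tag {tag!r} inside a {front} body")
    return {"front": front, "chimera": bool(findings), "findings": findings}


def build_sample_chimera() -> bytes:
    """Constructed input: a GIF89a header plus dimensions, followed by a tiny
    in-memory ZIP holding one harmless text entry, the same layout as the
    'cat image.gif archive.jar' trick the deck describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "sample archive entry")
    return b"GIF89a\x10\x00\x10\x00" + b"\x00" * 16 + buf.getvalue()


if __name__ == "__main__":
    plain_gif = b"GIF89a\x10\x00\x10\x00" + b"\x00" * 32
    for label, blob in [("plain gif", plain_gif), ("gif + zip", build_sample_chimera())]:
        print(label, analyse(blob))
```

The design point is that a single signature lookup at offset 0 answers "what does the front say?" and nothing else; a defender who accepts uploads has to ask each parser that could later touch the file the question that parser would ask, which for archives means the end of the file, not the beginning.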

Page 27

Release the GIFAR!

Images from Billy's blog post: http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/

Page 28

Other published chimera

Many examples in “Jack Of All Formats”:

http://www.slideshare.net/BaronZor/jack-of-all-formats

● Apache multiple handling of File.en.php.png

● Functioning PDF / 7Zip archive, WinRAR / JPEG!

● JaCK : Valid PNG with PHP backdoor

And around the net:

● http://blog.security4all.be/2008/08/gifar-jpgar-docar-whats-deal-with-new.html

Page 29

Questions?

How do your systems identify file types and how much do you trust it?

Are there vulnerabilities in your systems related to these techniques?

How did Sun and Google fix the vulns behind GIFAR?

Page 30

Next steps

Start looking at your system configs and analysis systems for file type trust weak points.

Many examples and attack scenarios in @dan_crowley's SOURCE 2011 presentation “Jack of all Formats”:

http://www.slideshare.net/BaronZor/jack-of-all-formats

Static artifact analysis is one facet of forensic file analysis and reverse engineering. Awesome books include:

● Practical Malware Analysis

● Malware Analysis Cookbook

SANS FOR610 “Reverse Engineering Malware”, GREM:

http://www.giac.org/certification/reverse-engineering-malware-grem

Page 31

References

Slide deck and links available online:

http://adric.net/index.cgi/wiki?name=File+types