Rob McMillan from IDG interviewed John Heasman and me today about the presentation we will be delivering with Rob Carter at Black Hat Vegas next week. The article has a good teaser about one of the more interesting of the many attacks we will cover, namely what we've coined the GIFAR attack. There is also a previous teaser that I covered here on some of John Heasman's work on NTLM relay attacks through Java applets.
For those who are not familiar with this, we originally discussed it during the Black Hat webcast. The attack involves combining two files, for instance a GIF image file and a JAR (Java Archive) file that contains class files for a Java Applet. GIF+JAR=GIFAR. The idea is that the file will be rendered as a valid image by a browser; however, it will also be treated as a valid JAR file for use as a Java Applet by the Java Virtual Machine.
There are numerous web applications out there that allow you to upload images, but very few that allow you to upload Java class files. The reason is obvious: an attacker-created applet uploaded onto a legitimate web application allows the execution of arbitrary applet code in the victim's browser under the context of the web application it was loaded from. Of course, this all goes out the door if you can convince the application that what you have is a valid file for its purposes, yet still deliver the Java applet to the server.
I want to avoid giving up too many details prior to Black Hat, but I would like to clarify some points from Rob's article and comment on some other relevant points to our talk:
- GIFARs are not the only thing we are talking about during our presentation. The focus of our talk is to demonstrate a feasible compromise of an organization via client-side attacks that require no code execution and that even work against IE running in protected mode. This is an interesting topic, as protections like DEP and ASLR have made client-side compromise of an organization harder now that the classic memory corruption flaws are tougher to exploit (I tip my hat to Alex Sotirov and Mark Dowd and their Black Hat talk on the subject).
- The GIFAR issue will not be patched at the time of the conference; however, a few of the required steps to exploit the issue will be held back until Sun has issued a patch that will protect users from this in the short term.
- The issue exploits applications that take ownership of user-supplied content. Billy Rios and I originally presented similar attacks at DEFCON last year, showing how GMail, Yahoo!, etc. would accept a crossdomain.xml file as an attachment, and then used that fact to bypass the Same Origin Policy using Adobe Flash.
- Billy Rios is actually the original discoverer of the GIFAR vulnerability. Rob credited me in his article (my fault for not clarifying), but I was only part of the research; Billy deserves the real credit for the find.
- There was a comment in the article about this being really a browser security issue. That plays into some of our research, but most of our research has little to do with browser-security issues and more to do with issues in the web applications themselves, or in third-party browser plugins.
- While the GIFAR issue may appear to be a Sun flaw on the surface, it is not. The fact that the JVM will load an applet from an image file is certainly not a great thing, but the real issue here is an application-level one: web applications accept uploads of things like images without validating those uploads beyond checking their extension.
- Sun has been great to work with and has been kind enough to work on a patch for the issue, which we hope to see out soon. The patch will provide a temporary workaround for this issue, which will give application owners time to address it within their applications. It does not fix the issue of applications taking ownership of user-supplied content without properly sanitizing that content. Loading a Java applet through an image file is just the vector of exploitation we used here; the real issue is that the applications allowed us to place this content on the web server in a predictable location.
- The GIFAR issue is likely to affect any web application that accepts uploads of content from users without sanitizing this data beyond checking the file extension and file headers. GIFARs need not be combined GIF+JAR files; they could also be JPG+JAR, DOC+JAR, etc.
- Our presentation features Billy Rios, Rob Carter, John Heasman, and myself and covers all of our recent work on client-side exploitation, and it should be fun.
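The application-side check the points above call for, as an added example that is not part of the original post or of the research it describes: a GIF passes a header-and-extension check trivially, but a JAR is a ZIP archive, and ZIP readers locate the archive from the end-of-central-directory record at the tail of the file. An upload validator can therefore reject any "image" whose tail parses as a structurally consistent ZIP. The sample inputs (a minimal GIF89a and the same bytes with an empty ZIP archive appended) are constructed here for illustration.

```python
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory record signature
EOCD_LEN = 22                 # fixed part of the EOCD record, before the comment
MAX_COMMENT = 65535           # comment length field is a 16-bit value


def looks_like_gif(data: bytes) -> bool:
    return data[:6] in GIF_MAGICS


def find_zip_eocd(data: bytes):
    """Return the offset of a consistent ZIP EOCD record, or None.

    A ZIP reader scans backwards from EOF for the signature, so only the
    last EOCD_LEN + MAX_COMMENT bytes can matter.  A signature counts only if
    the record (plus its comment) ends exactly at EOF and its pointer to the
    central directory stays inside the file; this avoids false positives on
    image data that happens to contain the four signature bytes."""
    window_start = max(0, len(data) - (EOCD_LEN + MAX_COMMENT))
    pos = data.rfind(ZIP_EOCD_SIG, window_start)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            (_disk, _cd_disk, _n_disk, _n_total, cd_size, cd_offset,
             comment_len) = struct.unpack_from("<HHHHIIH", data, pos + 4)
            if pos + EOCD_LEN + comment_len == len(data) and cd_offset + cd_size <= pos:
                return pos
        pos = data.rfind(ZIP_EOCD_SIG, window_start, pos)
    return None


def validate_gif_upload(data: bytes) -> tuple:
    """Accept only files that are a GIF and nothing else."""
    if not looks_like_gif(data):
        return (False, "not a GIF")
    if find_zip_eocd(data) is not None:
        return (False, "GIF also parses as a ZIP/JAR archive")
    if data[-1:] != b"\x3b":  # GIF trailer byte must be the final byte
        return (False, "GIF trailer is not the last byte")
    return (True, "ok")


# Constructed samples: header + logical screen descriptor + trailer, and the
# same bytes followed by an empty ZIP archive (a bare 22-byte EOCD record).
PLAIN_GIF = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b"\x3b"
GIFAR_SAMPLE = PLAIN_GIF + ZIP_EOCD_SIG + bytes(18)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_GIF), ("polyglot", GIFAR_SAMPLE)):
        print(name, validate_gif_upload(blob))
```

Re-encoding every uploaded image through an image library is the more robust fix, since it discards appended bytes entirely; the structural check above is the cheap guard to run when re-encoding is not an option.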
Hope to see some of you there, but I will not fault you if you miss us, as there are a couple of other great talks at that time as well, including Jeremiah Grossman and Mark Dowd with Alex Sotirov. In any case, if you are going to be there, feel free to come chat with Rios, Carter, Heasman, and me. We will be up for beer, coffee, lunch, and/or gambling.