Jack of all Formats
Daniel “unicornFurnace” Crowley, Penetration Tester, Trustwave - SpiderLabs

Upload: source-conference

Post on 23-Dec-2014


TRANSCRIPT

Page 1: Dan Crowley - Jack Of All Formats

Jack of all Formats

Daniel “unicornFurnace” Crowley
Penetration Tester, Trustwave - SpiderLabs

Page 2: Dan Crowley - Jack Of All Formats

Introductions

How can files be multiple formats?

Why is this interesting from a security perspective?

What can we do about it?

(yo dawg we heard you like files so we put files in your files)

Page 3: Dan Crowley - Jack Of All Formats

Copyright Trustwave 2010 Confidential

Terms

File piggybacking
• Placing one file into another

File consumption
• Parsing a file and interpreting its contents

Page 4: Dan Crowley - Jack Of All Formats


Scope of this talk

Files which can be interpreted as multiple formats
• …with at most a change of file extension

Covert channels
• Through use of piggybacking

Examples are mostly Web-centric
• Only because it’s my specialty
• This concept applies to more than Web applications
− Srsly this applies to more than Web applications
• GUYS IT’S NOT JUST WEB APPS

Page 5: Dan Crowley - Jack Of All Formats

Files with multiple formats

How to piggyback files

Page 6: Dan Crowley - Jack Of All Formats


File format flexibility

Not always rigidly defined
• From the PDF specification:
“This standard does not specify the following: … methods for validating the conformance of PDF files or readers…”
− Thank you Julia Wolf for “OMG WTF PDF”
• CSV comments exist but are not part of the standard

Not all data in a file is parsed
• Metadata
• Unreferenced blocks of data
• Data outside start/end markers
• Reserved, unused fields

Page 7: Dan Crowley - Jack Of All Formats


File format flexibility

Some data can be interpreted multiple ways

Method of file consumption often determined by:
• File extension
− Multiple file extensions may result in multiple parses
• Bytes at beginning of file
• First identified file header

Page 8: Dan Crowley - Jack Of All Formats


7zip file with junk data at the beginning

Page 9: Dan Crowley - Jack Of All Formats


7zip file with junk data at the beginning

Page 10: Dan Crowley - Jack Of All Formats

Multiple file extensions

Apache has:
• Languages
• Handlers
• MIME types

File.en.php.png, part by part:
• File – basename, largely ignored
• .en – language, US English
• .php – triggers PHP handler
• .png – triggers image/png MIME type

Page 11: Dan Crowley - Jack Of All Formats


Metadata

Information about the file itself

Not always parsed by the file consumer

• “Comment” fields, few restrictions on data
• Files can be inserted into comment fields for one format
• ID3 tags for mp3 files will be shown in players
− But not usually interpreted

Page 12: Dan Crowley - Jack Of All Formats


Metadata – GIF comment

Page 13: Dan Crowley - Jack Of All Formats


Metadata – GIF comment

Page 14: Dan Crowley - Jack Of All Formats


Unreferenced blocks of data

Certain formats define resources with offsets and sizes
• Unmentioned parts of the file are ignored
• Other files can occupy unmentioned space

Other formats indicate a total size of data to be parsed
• Any additional data is ignored
• Other files can simply be appended

Page 15: Dan Crowley - Jack Of All Formats

Unreferenced PDF object

PDF xref table, lists object offsets in the file

We first remove one reference

Next, we replace part of that object’s content…

Page 16: Dan Crowley - Jack Of All Formats

Unreferenced PDF object

…with a 7zip file.

Page 17: Dan Crowley - Jack Of All Formats


PDF / 7Z opened as a PDF

Page 18: Dan Crowley - Jack Of All Formats


PDF / 7Z opened as a 7Z

Page 19: Dan Crowley - Jack Of All Formats


Start/End markers

Many formats use a magic byte sequence to denote the beginning of data

Similarly, many have one to denote the end of data

Data outside start/end markers is ignored
• Files can be placed before or after such markers
− Files must not contain conflicting markers

Page 20: Dan Crowley - Jack Of All Formats


Start/End markers

JPEG
• Start marker: 0xFFD8
• End marker: 0xFFD9

RAR
• Start marker: 0x526172211A0700

PDF
• Start marker: %PDF
• End marker: \n%%EOF\n (\r and \r\n can replace \n)

PHP
• Start marker: <?php
• End marker: ?>
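The markers above are exactly what a defender can scan for. The following is an added example, not code from the talk: it looks for every listed signature anywhere in a file and reports bytes trailing a JPEG's end marker, which is how a JPEG with an archive appended would be caught. The 7z signature and the sample inputs are assumptions constructed here.

```python
import re

# Markers from the slide: JPEG start/end, RAR start, PDF start, PHP start.
# The 7z signature is added here as an assumption (it is not on the slide).
SIGNATURES = {
    "JPEG": b"\xff\xd8\xff",          # 0xFFD8 SOI, always followed by 0xFF
    "RAR": b"Rar!\x1a\x07\x00",       # 0x526172211A0700
    "PDF": b"%PDF",
    "PHP": b"<?php",
    "7Z": b"7z\xbc\xaf\x27\x1c",
}
JPEG_EOI = b"\xff\xd9"                # 0xFFD9 end-of-image marker


def find_signatures(data: bytes) -> dict:
    """Map each format to the offsets where its signature appears anywhere in data."""
    found = {}
    for name, sig in SIGNATURES.items():
        offsets = [m.start() for m in re.finditer(re.escape(sig), data)]
        if offsets:
            found[name] = offsets
    return found


def jpeg_trailing_bytes(data: bytes) -> int:
    """Bytes after the last JPEG EOI marker; 0 if not a JPEG or nothing follows EOI.
    A thorough check would walk the JPEG segment structure, since EXIF thumbnails
    carry their own SOI/EOI pairs; this version only looks at the last EOI."""
    if not data.startswith(SIGNATURES["JPEG"]):
        return 0
    eoi = data.rfind(JPEG_EOI)
    return 0 if eoi < 0 else len(data) - (eoi + len(JPEG_EOI))


def is_suspect(data: bytes) -> bool:
    """Flag a file that matches more than one format or carries data past JPEG EOI."""
    return len(find_signatures(data)) > 1 or jpeg_trailing_bytes(data) > 0


# Constructed sample inputs: a minimal JPEG-shaped blob, and the same blob with a
# RAR header appended after EOI, the shape of the "A WinRAR is also JPEG" slide.
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 8 + JPEG_EOI
JPEG_WITH_RAR = CLEAN_JPEG + SIGNATURES["RAR"] + b"\x00" * 4

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JPEG), ("jpeg+rar", JPEG_WITH_RAR)):
        print(label, find_signatures(blob), jpeg_trailing_bytes(blob), is_suspect(blob))
```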

Page 21: Dan Crowley - Jack Of All Formats


A WinRAR is you!

Page 22: Dan Crowley - Jack Of All Formats


A WinRAR is also JPEG!

Page 23: Dan Crowley - Jack Of All Formats


Limitations

Some formats use absolute offsets
• They must be placed at start of file or offsets must be adjusted
• Examples: JPEG, BMP, PDF

Some have headers which indicate the size of each resource to follow
• Such files are usually easy to work with
• Other files can be appended without breaking things
• Examples: RAR

Page 24: Dan Crowley - Jack Of All Formats


Limitations

Some files are simply parsed from start to end
• Such files require some metadata, unreferenced space, or data which can be manipulated to have multiple meanings

Different parsers for the same format operate differently
• Might implement different non-standard features
• May interpret format of files in different ways

Page 25: Dan Crowley - Jack Of All Formats


TrueCrypt volumes

No start/end markers

No publicly known signature
• Parsed from start of file to end of file

No metadata fields

No unused space

Data is difficult to manipulate

Page 26: Dan Crowley - Jack Of All Formats


TrueCrypt volumes

Page 27: Dan Crowley - Jack Of All Formats

Security Implications

Reasons why file piggybacking must be considered

Page 28: Dan Crowley - Jack Of All Formats


Security Implications

File upload pwnage
• Checking for well-formed images doesn’t prevent backdoor upload

Anti-Virus evasion
• Some AV detect the file format being scanned, then apply format-specific rules
• If a file is multiple formats, the wrong rules might be applied

Data infiltration/exfiltration
• Do you care what .mp3 files pass in and out of your network?
− How about .exe and .doc files?

Page 29: Dan Crowley - Jack Of All Formats


Security Implications

Multiple file consumers
• Different programs may interpret the file in different ways
− GIFAR issue

Parasitic storage
• How many file uploads allow only valid images?

Disk space exhaustion DoS
• Some image uploads limit uploads by picture dimensions
• Size of the file may not actually be checked

Page 30: Dan Crowley - Jack Of All Formats


File upload pwnage

Imagine a Web-based image upload utility

• It confirms that the uploaded file is a valid JPEG

• It doesn’t check the file extension

• It uploads the file into the Web root

• It doesn’t set the permissions to disallow execution

Code upload is possible if the file is also a valid JPEG

• This isn’t hard…

Page 31: Dan Crowley - Jack Of All Formats


Anti-Virus evasion exercise

Check detection rates on Win32 netcat

Place it in an archive and check

Put junk data at the beginning of the file and check

Piggyback the archive onto the end of a JPEG and check

Change the file extension to .JPG and check

Page 32: Dan Crowley - Jack Of All Formats


Check detection rates on netcat

Page 33: Dan Crowley - Jack Of All Formats


Archive netcat and check again

Page 34: Dan Crowley - Jack Of All Formats


Add junk at the beginning of the file

Page 35: Dan Crowley - Jack Of All Formats


Piggyback the archive onto a JPEG

Page 36: Dan Crowley - Jack Of All Formats


Change the extension to .jpg

Page 37: Dan Crowley - Jack Of All Formats


Guess what this is?

Page 38: Dan Crowley - Jack Of All Formats


Data Infiltration

Take the previous example of a 7z attached to a JPEG
• This will bypass lots of AV
• Maybe also IDS/IPS
− Haven’t tested it

Page 39: Dan Crowley - Jack Of All Formats


Data Exfiltration

DLP will generally look for:
• Type of files being communicated
• Content of traffic
• Communication properties

These techniques allow for covert channels
• With wide bandwidth
• With some plausible deniability
• In files which are
− Ordinarily harmless
− Frequently passed
• Without breaking the piggybacked files’ usability

Page 40: Dan Crowley - Jack Of All Formats


Parasitic storage

• Certain sites allow for file upload of specific formats

• File piggybacking essentially removes this limitation

• This technique has been used on 4chan (now fixed)

• Book sharing threads

• LOIC distribution

• CP distribution

• Still works on ImagesHack.Us

• Browsers automagically download images

• What if those images are also malware?

• Now all you need to do is figure out how to execute it…

Page 41: Dan Crowley - Jack Of All Formats


Multiple File Consumers

GIFAR issue
• JAR appended to the end of a GIF
• Browser loads the GIF
• Old versions of JVM would recognize AND RUN the JAR

Apache handling “file.en.php.png”
• Passes file to PHP for preprocessing
• Serves resulting output with
− a US English charset
− MIME type of “image/png”

Page 42: Dan Crowley - Jack Of All Formats


Disk Space Exhaustion DoS

Imagine a file upload utility
• It allows the upload of only 1x1 images
− For disk space reasons
• Append 2GB of junk onto the end of a 1x1 image
• ???
• NO DISK SPACE!!!

Checking properties of the file format may not be sufficient

Page 43: Dan Crowley - Jack Of All Formats

Protections

What can we do about this?

Page 44: Dan Crowley - Jack Of All Formats


File upload with code

• Don’t upload in the Web root

• Don’t use the user’s filename

• Don’t set the perms to executable

• Don’t trust file properties

• Allow only one extension

• Allow only known good extensions

Page 45: Dan Crowley - Jack Of All Formats


Anti-virus Evasion

• We could:

• Check for all valid file headers

• Performance hit

• Apply all signatures/heuristics globally

• Big freakin’ performance hit

• Identify by behavior

• This doesn’t work on gateway AV

Page 46: Dan Crowley - Jack Of All Formats


Disk Space Exhaustion

• Don’t just check properties from the expected format
• Nuff said
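Putting the "File upload with code" rules and the disk-space rule above into one server-side policy, as an added example that is not the talk's code: one allow-listed extension only (so a name like file.en.php.png is refused), a server-chosen random filename, a non-executable 0600 file outside the web root, and a cap on bytes actually received rather than on the dimensions the image header claims. The allowlist, byte limit and upload directory are assumed values.

```python
import os
import secrets

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}   # known-good list (assumption)
MAX_BYTES = 2 * 1024 * 1024                          # byte cap, not pixel size (assumption)
UPLOAD_DIR = "/srv/app/uploads"                      # outside the web root (assumed path)


def validate_name(filename: str) -> str:
    """Return the single, allow-listed extension or raise ValueError.
    Names with several extensions (e.g. file.en.php.png) are rejected outright,
    because a server such as Apache may hand such a file to the PHP handler."""
    parts = os.path.basename(filename).split(".")
    if len(parts) != 2 or not parts[0]:
        raise ValueError("exactly one extension is required")
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not in allowlist")
    return ext


def validate_size(data: bytes) -> int:
    """Enforce the cap on bytes received, not on dimensions parsed from the image."""
    if len(data) > MAX_BYTES:
        raise ValueError("upload exceeds byte limit")
    return len(data)


def is_acceptable(filename: str, data: bytes) -> bool:
    """True when both checks pass; lets the policy be exercised without writing files."""
    try:
        validate_name(filename)
        validate_size(data)
        return True
    except ValueError:
        return False


def store_upload(filename: str, data: bytes, upload_dir: str = UPLOAD_DIR) -> str:
    """Apply the checks, then write under a random server-chosen name with mode
    0600 (never executable) in a directory outside the web root. Returns the path."""
    ext = validate_name(filename)
    validate_size(data)
    os.makedirs(upload_dir, mode=0o700, exist_ok=True)
    target = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target
```

The directory must also be served, if at all, through a handler that streams bytes with a fixed Content-Type, never through the web server's extension-based handler mapping.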

Page 47: Dan Crowley - Jack Of All Formats


Parasitic storage

Don’t upload files?