jack of all formats

Jack of all Formats

Daniel “unicornFurnace” CrowleyApplication Security Services, Trustwave - SpiderLabs

Introductions

How can files be multiple formats?Why is this interesting from a security perspective?

What can we do about it?

(yo dawg we heard you like files so we put files in your files)

Copyright Trustwave 2010 Confidential

Terms

File piggybacking• Placing one file into another

File consumption• Parsing a file and interpreting its contents


Scope of this talk

Files which can be interpreted as multiple formats• …with at most a change of file extension

Covert channels• Through use of piggybacking

Examples are mostly Web-centric• Only because it’s my specialty• This concept applies to more than Web applications

− Srsly this applies to more than Web applications• GUYS IT’S NOT JUST WEB APPS

Files with multiple formats

How to piggyback files

(Clap and cheer now to confuse the people who can’t read this)


File format flexibility

Not always rigidly defined• From the PDF specification:

“This standard does not specify the following:……methods for validating the conformance of PDF files or readers…”

− Thank you Julia Wolf for “OMG WTF PDF”

• CSV comments exist but are not part of the standardNot all data in a file is parsed

• Metadata• Unreferenced blocks of data• Data outside start/end markers• Reserved, unused fields


File format flexibility

Some data can be interpreted multiple ways

Method of file consumption often determined by:• File extension

− Multiple file extensions may result in multiple parses

• Bytes at beginning of file• First identified file header


7zip file with junk data at the beginning

Multiple file extensions

Apache has:LanguagesHandlersMIME types

File.en.php.pngBasename – largely ignored

File.en.php.pngLanguage – US English

File.en.php.pngTriggers PHP handler

File.en.php.pngTriggers image/png MIME type


Metadata

Information about the file itself

Not always parsed by the file consumer

• “Comment” fields, few restrictions on data

Files can be inserted into comment fields for one

format

• ID3 tags for mp3 files will be shown in players

− But not usually interpreted


Metadata – GIF comment


Unreferenced blocks of data

Certain formats define resources with offsets and sizes

• Unmentioned parts of the file are ignored

• Other files can occupy unmentioned space

Other formats indicate a total size of data to be parsed

• Any additional data is ignored

• Other files can simply be appended

Some formats indicate that unrecognized data is

ignored

• May still need to be formatted correctly

Unreferenced PDF object

PDF xref table, lists object offsets in the file

We first remove one reference

Next, we replace part of that object’s content…

Unreferenced PDF object

…with a 7zip file.


PDF / 7Z opened as a PDF


PDF / 7Z opened as a 7Z


PNG file format

• Static signature

• Series of chunks• IHDR chunk• Other chunks including at least one IDAT chunk• IEND chunk


PNG chunk format

• 4 byte length field

• 4 byte identification field

• Data

• 4 byte CRC of id field and data field

Chunks with unknown IDs will be ignored

The CRC will likely not even be checked


jaCK chunk


Start/End markers

Many formats use a magic byte sequence to denote the beginning of data

Similarly, many have one to denote the end of data

Data outside start/end markers is ignored• Files can be placed before or after such markers

− Files must not contain conflicting markers


Start/End markers

JPEG• Start marker: 0xFFD8• End marker: 0xFFD9

RAR• Start marker: 0x526172211A0700

PDF• Start marker: %PDF• End marker: \n%%EOF\n (\r and \r\n can replace \n)

PHP• Start marker: <?php• End marker: ?>


A WinRAR is you!


A WinRAR is also JPEG!


Limitations

Some formats use absolute offsets

• They must be placed at start of file or offsets must be

adjusted

• Examples: JPEG, BMP, PDF

Some have headers which indicate the size of each

resource to follow

• Such files are usually easy to work with

• Other files can be appended without breaking things

• Examples: RAR


Limitations

Some files are simply parsed from start to end

• Such files require some metadata, unreferenced space,

or data which can be manipulated to have multiple

meanings

Different parsers for the same format operate

differently

• Might implement different non-standard features

• May interpret format of files in different ways


TrueCrypt volumes

No start/end markersNo publicly known signature

• Parsed from start of file to end of fileNo metadata fieldsNo unused spaceData is difficult to manipulate


TrueCrypt volumes

Security Implications

Reasons why file piggybacking must be considered

(Read the first word in every sub-bullet on the next slide)



Data infiltration/exfiltration• Never check what .mp3 files pass in and out of your

network?− Gonna change that when you get back to the office?

Anti-Virus evasion• Give an AV a piggybacked file, it might apply the wrong

rules− You might not know that most AV applies

heuristics/signatures based on identified file format!

File upload pwnage• Up loading well-formed images that are also backdoors

is possible



Multiple file consumers• Different programs may interpret the file in different

ways− GIFAR issue

Parasitic storage• How many file uploads allow only valid images?

Disk space exhaustion DoS• Some image uploads limit uploads by picture dimensions• Size of the file may not actually be checked


File upload pwnage

Imagine a Web-based image upload utility

• It confirms that the uploaded file is a valid JPEG

• It doesn’t check the file extension

• It uploads the file into the Web root

• It doesn’t set the permissions to disallow execution

Code upload is possible if the file is also a valid JPEG

• This isn’t hard…


Anti-Virus evasion exercise

Check detection rates on Win32 netcat

Place it in an archive and check

Put junk data at the beginning of the file and check

Piggyback the archive onto the end of a JPEG and check

Change the file extension to .JPG and check


Check detection rates on netcat


Archive netcat and check again


Add junk at the beginning of the file


Piggyback the archive onto a JPEG


Change the extension to .jpg


LULZ netkitties


Data Infiltration

Take the previous example of a 7z attached to a JPEG• This will bypass lots of AV• Maybe also IDS/IPS

− Haven’t tested it


Data Exfiltration

• DLP will generally look for:• Type of files being communicated• Content of traffic• Communication properties

• These techniques allow for covert channels• With wide bandwidth• With some plausible deniability• In files which are

• Ordinarily harmless• Frequently passed

• Without breaking the piggybacked files’ usability


Parasitic storage

• Certain sites allow for file upload of specific formats

• File piggybacking essentially removes this limitation

• This technique has been used on 4chan (now fixed)

• Book sharing threads

• LOIC distribution

• CP distribution

• Still works on certain image sites

• Browsers automagically download images

• What if those images are also malware?

• Now all you need to do is figure out how to execute it…


Multiple File Consumers

• GIFAR issue• JAR appended to the end of a GIF• Browser loads the GIF• Old versions of JVM would recognize AND RUN the JAR

• Apache handling “file.en.php.png”• Passes file to PHP for preprocessing• Serves resulting output with

• a US english charset• MIME type of “image/png”


Disk Space Exhaustion DoS

• Imagine a file upload utility• It allows the upload of only 1x1 images

• For disk space reasons

• Append 2GB of junk onto the end of a 1x1 image• ???• NO DISK SPACE!!!

• Checking properties of the file format may not be sufficient

Protections

What can we do about this?

(Not much)


File upload with code

• Don’t upload in the Web root

• Don’t allow the user to control any part of the

filename

• Don’t set the perms to executable

• Don’t trust file properties

• Allow only one extension

• Allow only known good extensions


Anti-virus Evasion

• We could:

• Check for all valid file headers

• Performance hit

• Apply all signatures/heuristics globally

• Big freakin’ performance hit

• Identify by behavior

• This doesn’t work on gateway AV


Disk Space Exhaustion

• Don’t just check properties from the expected

format

• Nuff said

• Put some additional protection in place

• Disk quota

• Separate partition for uploads


Parasitic storage

• In metadata

• Remove metadata

• At end of file

• Parse out relevant format data and save as new file

• In unreferenced block or as part of real data

• Don’t upload files?

• Don’t allow unauthenticated file upload?


Questions?

Daniel [email protected]

@dan_crowley

mailto:[email protected]

jack of all formats

Technology

zip file

file consumercommentfields

file itselfnot

file header

multiple file extensionsapache

file format flexibilitynot

ignoredother files

mp3 files