GIFARs and Other Issues

Sun, 03 Aug 2008 15:20:11 GMT
by pdp

A lot of people have asked me (especially reporters) about the GIFAR attack since it resembles what I have already spoken about here and presented at the last Black Hat in Amsterdam. So, I decided to shed some light without being too revealing as the talk, which will demonstrate and explains the attack in more details, will give away the awesome stuff.

So yes, the whole notion of combining JAR files with other types of files is not new. It is really old and it is just enough to google about how to hide ZIP (which is basically JAR) behind JPG images. I've discussed the subject on several conferences in the past and I've gave away some pointers why this is dangerous. Now you can read my paper which explains why this is so, but for those of you who don't want to go through 20 pages of material here is the summary:

The combination is dangerous because it breaks the browser security model in a way. Think about it as an advance form of persistent Cross-site Scripting Attack. It is not just XSS but also a Socket monster as the JVM will allow us spawn sockets too.

So maybe yes, the issue is not new but what will be presented at Black Hat, and this is why you should attend this talk, is something different. The XS-Sniper crew (if I can call them that way :)) will present a technique in which they managed to get around certain restrictions/limitations when exploiting the Google platform in particular. This puts the attack into a very different perspective and this is what I am interested to learn about.

John Heasman, a profound Java-ninja master, has also commented regarding the attack vector and its implementation.

Archived Comments

Nate McFetersNate McFeters
PDP, Thanks for the plug and the kind words! We also look forward to seeing your talk. I suppose you could call us the XS-Sniper crew, I kind of like the ring of that :). Let's definitely catch up and get some beers, I'll call you when I get in tomorrow evening. -Nate
pdppdp
sounds like a plan
DanielDaniel
Whilst cool, it's not really that new http://research.corsaire.com/advisories/c010301-001.txt :0)
pdppdp
I agree!
Morgan StoreyMorgan Storey
Any chance we can get the talk posted to gnucitizen so those of us halfway round the world can still listen in?
MutantMutant
Hiding zips in images used to be for hiding porn lol.. but now the basis of a full-fledged vuln. Huh... who would've thought? :P
pdppdp
absolutely!