Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
A photo that can steal your online credentials
Posted by: ted
Date: August 04, 2008 09:06PM

I knew this from:
hxxp://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html

Anyone know the details about this?
I want to know how I can improve my web applications to continually check for and filter these hybrid files.
Best regards.

Re: A photo that can steal your online credentials
Posted by: hexfortyfive
Date: August 05, 2008 02:50PM

check out this and this.

I've managed to execute a PoC of this attack, but I'm not sure the extent of the damage (will create separate thread). As for remediation, pdp recommends:
Quote

What you should do is to first of all validate whether what you receive is a picture and then re-convert it. If it is JPG, convert it again to JPG. That way you force the library to rearrange the bits within the image and as such the junk at the bottom, which is the malicious JAR, will be removed. This is your safest option for now and for the future, unless you are using a very stringent image manipulation library.

edit: just found this and this from the presenters of the vulnerability.

Quote

Shrinking, converting, resizing, etc. will NOT necessarily fix this issue as is being suggested on Slashdot. We have been able to attack sites that do resizing, shrinking, or converting as well.

Quote

The way to fix this is to either:
* Sanitize the incoming content to make sure it is not a combined file (this is extremely hard to do properly).
* Host the images on a different domain (and I do not mean a different sub-domain). For example, if the image is hosted from images.mysite.com, we can still attack www.mysite.com; however, if the image is hosted from images4mysite.com, we cannot attack www.mysite.com unless we find a different upload vector that places us on the mysite.com domain.

Looks pretty grim.

Edited 1 time(s). Last edit at 08/05/2008 05:13PM by hexfortyfive.

Re: A photo that can steal your online credentials
Posted by: asilvermtzion
Date: August 05, 2008 05:46PM

That's mental. I thought SOP covered sub-domains as well though?

Re: A photo that can steal your online credentials
Posted by: hexfortyfive
Date: August 05, 2008 07:45PM

If anyone else is playing with ways to prevent this attack, I found that I can stick the .JAR file into the Comment section of the EXIF data of a JPG and it will execute. This strategy will get around most (all?) automated image manipulation (crop, rotate, resize, convert jpg-to-jpg) that preserves EXIF data.

Enjoy.

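An added defensive example (mine, not code from the thread or from pdp's post): a pure-Python check for the two hiding places the posts above describe, bytes after the JPEG EOI marker and a ZIP/JAR record signature inside an EXIF/COM segment, plus a rebuild that keeps only decoder-relevant segments so a metadata-preserving resize cannot carry the payload through. The sample bytes are constructed, not a real image or JAR, and the function names are my own.

```python
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
ZIP_SIGS = (b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06")  # ZIP/JAR record signatures
is_metadata = lambda m: 0xE0 <= m <= 0xEF or m == 0xFE  # APP0-APP15 (EXIF, JFIF...) and COM

def split_jpeg(data):
    """Return (header segments, scan bytes from SOS through EOI, bytes after EOI)."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("missing SOI: not a JPEG")
    pos, segs = 2, []
    while True:
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError("truncated or corrupt segment at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:  # entropy-coded data follows; no more length-prefixed segments
            break
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # counts its own 2 bytes
        segs.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    end = data.find(bytes([0xFF, EOI]), pos)  # 0xFFD9 cannot occur inside scan data
    if end < 0:
        raise ValueError("missing EOI")
    return segs, data[pos:end + 2], data[end + 2:]

def find_hybrid_indicators(data):
    """Reasons a JPEG looks like a combined image/archive; empty list if none found."""
    segs, _scan, trailing = split_jpeg(data)
    reasons = ["%d bytes after EOI" % len(trailing)] if trailing else []
    for marker, payload in segs:
        if is_metadata(marker) and any(sig in payload for sig in ZIP_SIGS):
            reasons.append("ZIP signature inside segment 0x%02X" % marker)
    return reasons

def segment(marker, payload):
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

def strip_jpeg(data):
    """Rebuild with only decoder-relevant segments: no APPn/COM, nothing after EOI."""
    segs, scan, _trailing = split_jpeg(data)
    out = bytearray([0xFF, SOI])
    for marker, payload in segs:
        if not is_metadata(marker):  # assumes the consumer does not need JFIF/Adobe markers
            out += segment(marker, payload)
    return bytes(out + scan)

# Constructed sample: a COM segment and the bytes after EOI each carry a ZIP signature.
SAMPLE = (bytes([0xFF, SOI]) + segment(0xFE, b"comment PK\x03\x04fake")
          + segment(0xDB, b"\x00" + b"\x10" * 64)                   # stand-in DQT
          + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34"     # SOS header + scan bytes
          + bytes([0xFF, EOI]) + b"PK\x03\x04trailing")
```

As the presenters warn above, sanitizing combined files is hard to get fully right, so treat this as a check to run alongside separate-domain hosting rather than as a complete fix.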