Here are my notes from the Black Hat USA 2008 presentation called The Internet is Broken: Beyond Document.Cookie – Extreme Client Side Exploitation by Nathan McFeters, John Heasman, and Rob Carter.

  • GIFAR
    • Hybrid .gif and .jar file
      • .gif header is in the beginning of the file
      • .jar header is in the end of the file
    • File will still render fine, and will execute fine when the applet is called
    • Will work with many other file formats as well (office docs, movie files, etc)
  • Content ownership
    • Sub-domain should protect against same origin policy
    • Found ways using GIFAR technique to get to primary domain
    • Need to serve content from completely different domain
  • HTTP IPC
    • Google Desktop, Google Picasa runs a local webserver
  • Local Intranet Zones
    • Any UNC
    • Names that don’t have periods (localhost)
    • IE7 has this zone disabled by default
    • Same origin policy is not strictly enforced in this zone
  • Utorrent CSRF
    • Ability to change the completed downloads folder
    • Ability to add and start downloading torrents
    • Threat vector – change downloads folder to the All Users Startup folder and auto download/extract your backdoor
  • Java
    • 90% of desktops run Java SE
    • Applet loaded from file:// can read files from the same directory
    • Applet loaded by file or localhost
      • Can enumerate IP bound to each adapter
      • Can listen on a port > 1025 and accept data from localhost
  • Google Docs (vulnerability now fixed)
    • doc_id parameter – semi random, but predictable
    • Can view and edit other people’s documents
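The GIFAR notes above describe why checking the magic bytes at the start of an upload is not enough: a file that begins as a valid GIF can still end with a valid JAR, because Java locates the ZIP central directory from the end of the file. As an added example (my own code, not from the presentation), here is a small Python check an upload handler could run to flag image files that also carry a trailing ZIP structure. The `SAMPLE_GIF` bytes and the `build_sample_polyglot` helper are constructed test data (a 1x1 GIF plus a ZIP containing only a text file), not anything from the talk.

```python
import io
import struct
import zipfile

# Magic bytes for image formats that upload handlers commonly accept.
IMAGE_MAGICS = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}

# ZIP "end of central directory" record signature. Java's JarFile (and
# Python's zipfile) find the archive by scanning for this at the END of
# the file, so leading image bytes do not stop the archive from loading.
ZIP_EOCD_SIG = b"PK\x05\x06"
EOCD_FIXED_LEN = 22          # fixed part of the EOCD record
EOCD_MAX_COMMENT = 65535     # comment length is a 16-bit field


def image_type(data: bytes):
    """Return the image format indicated by the leading magic bytes, or None."""
    for name, magics in IMAGE_MAGICS.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None


def has_trailing_zip(data: bytes) -> bool:
    """True if the data ends with a well-formed ZIP EOCD record.

    The record is 22 bytes plus an optional comment of up to 65535 bytes,
    so only the tail of the file needs to be searched. The comment-length
    field (offset 20) must account for every byte after the record, which
    rules out a stray 'PK\\x05\\x06' in image data.
    """
    tail = data[-(EOCD_FIXED_LEN + EOCD_MAX_COMMENT):]
    idx = tail.rfind(ZIP_EOCD_SIG)
    if idx == -1 or len(tail) - idx < EOCD_FIXED_LEN:
        return False
    comment_len = struct.unpack_from("<H", tail, idx + 20)[0]
    return idx + EOCD_FIXED_LEN + comment_len == len(tail)


def zip_entry_names(data: bytes):
    """List archive entries for triage; empty if the data is not a ZIP."""
    if not has_trailing_zip(data):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def is_polyglot_image(data: bytes) -> bool:
    """An upload that looks like an image AND parses as a ZIP archive."""
    return image_type(data) is not None and has_trailing_zip(data)


# Constructed sample: a minimal 1x1 GIF89a (not from the presentation).
SAMPLE_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
    b"\x00\x02\x02D\x01\x00;"
)


def build_sample_polyglot() -> bytes:
    """Constructed test input: the sample GIF followed by a harmless ZIP
    holding one text file. It only exists to exercise the checks above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "constructed sample for the detector")
    return SAMPLE_GIF + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("plain gif", SAMPLE_GIF), ("gif+zip", build_sample_polyglot())):
        print(label, image_type(blob), has_trailing_zip(blob), zip_entry_names(blob))
```

Flagging such files is a useful defence-in-depth check, but it is not the whole answer: the presentation's own mitigation is to serve user-uploaded content from a completely different domain, so that even an upload that slips past the check cannot run with the main site's origin. Re-encoding uploaded images server-side also discards any appended data.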

All of the threat vectors discussed at the presentation were very interesting, but I really like the GIFAR attack. It has a lot of potential because so many sites accept uploads of image files. For more thoughts on the GIFAR attack, here are a few additional links: