
Extreme Client Side Exploitation Notes

Published: August 7th, 2008 | Category: Security Conferences

Here are my notes from the Black Hat USA 2008 presentation called The Internet is Broken: Beyond Document.Cookie – Extreme Client Side Exploitation by Nathan McFeters, John Heasman, and Rob Carter.

  • GIFAR
    • Hybrid .gif and .jar file
      • .gif header is in the beginning of the file
      • .jar header is in the end of the file
    • File will still render fine, and will execute fine when the applet is called
    • Will work with many other file formats as well (office docs, movie files, etc)
  • Content ownership
    • Serving untrusted content from a sub-domain should be isolated by the same origin policy
    • Found ways using GIFAR technique to get to primary domain
    • Need to serve content from completely different domain
  • HTTP IPC
    • Google Desktop and Google Picasa run a local webserver
  • Local Intranet Zones
    • Any UNC
    • Names that don’t have periods (localhost)
    • IE7 has this zone disabled by default
    • Same origin policy is not strictly enforced in this zone
  • Utorrent CSRF
    • Ability to change the completed downloads folder
    • Ability to add and start downloading torrents
    • Threat vector – change downloads folder to the All Users Startup folder and auto download/extract your backdoor
  • Java
    • 90% of desktops run Java SE
    • Applet loaded from file:// can read files from the same directory
    • Applet loaded by file or localhost
      • Can enumerate IP bound to each adapter
      • Can listen on a port > 1025 and accept data from localhost
  • Google Docs (vulnerability now fixed)
    • doc_id parameter – semi random, but predictable
    • Can view and edit other people’s documents
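
An upload-side check for the GIFAR layout described above (image header first, archive last; a .jar is a ZIP), written for this page as an added example, not code from the presentation or the original post. It assumes a server that accepts GIF uploads: it walks the GIF block structure to find the offset where an image decoder stops, asks the standard library whether the same bytes also parse as a ZIP (ZIP readers start from the end of the file, which is exactly why the hybrid works), and reports both. The fixture it checks against is constructed here: the well-known minimal 1x1 GIF with a text-only archive appended, so it exercises the detector without containing any applet.

```python
import io
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")

# Constructed sample: the well-known minimal 1x1 GIF89a (35 bytes).
MINIMAL_GIF = (
    b"GIF89a"                                    # signature + version
    b"\x01\x00\x01\x00"                          # logical screen: 1 x 1
    b"\x80\x00\x00"                              # global colour table (2 entries), bg index, aspect
    b"\x00\x00\x00\xff\xff\xff"                  # colour table: black, white
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, no local table
    b"\x02\x02\x44\x01\x00"                      # LZW min code size 2, one 2-byte sub-block, terminator
    b"\x3b"                                      # trailer
)


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed sub-blocks ending in a 0-length block."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_end_offset(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the 0x3B trailer.

    A GIF decoder stops here, so anything beyond this offset is data the image
    viewer never looks at but another parser (e.g. a ZIP/JAR reader) might.
    """
    if data[:6] not in GIF_MAGICS:
        raise ValueError("not a GIF header")
    packed = data[10]                  # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                  # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (1 << ((packed & 0x07) + 1))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:              # trailer
            return pos + 1
        if block == 0x21:              # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        elif block == 0x2C:            # image descriptor (10 bytes incl. introducer)
            flags = data[pos + 9]
            pos += 10
            if flags & 0x80:           # local colour table
                pos += 3 * (1 << ((flags & 0x07) + 1))
            pos += 1                   # LZW minimum code size
            pos = _skip_subblocks(data, pos)
        else:
            raise ValueError(f"unexpected GIF block 0x{block:02x} at offset {pos}")
    raise ValueError("GIF trailer not found")


def inspect_upload(data: bytes) -> dict:
    """Report whether an upload that claims to be a GIF also carries a ZIP archive."""
    report = {
        "looks_like_gif": data[:6] in GIF_MAGICS,
        "parses_as_zip": zipfile.is_zipfile(io.BytesIO(data)),  # looks at the end of the file
        "trailing_bytes": 0,
        "zip_entries": [],
    }
    if report["looks_like_gif"]:
        try:
            report["trailing_bytes"] = len(data) - gif_end_offset(data)
        except (ValueError, IndexError):
            report["looks_like_gif"] = False           # claims GIF magic but does not parse
    if report["parses_as_zip"]:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:  # Python tolerates prepended data, as Java does
            report["zip_entries"] = zf.namelist()
    report["is_polyglot"] = report["looks_like_gif"] and report["parses_as_zip"]
    return report


def strip_trailing_data(data: bytes) -> bytes:
    """Mitigation: keep only the bytes a GIF decoder consumes, dropping any appended archive."""
    return data[:gif_end_offset(data)]


def build_constructed_sample() -> bytes:
    """Constructed test fixture: the minimal GIF with a harmless ZIP appended.

    The archive holds a text note, not an applet, so the fixture only exercises
    the detector while mirroring the layout the notes describe.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed test payload")
    return MINIMAL_GIF + buf.getvalue()


if __name__ == "__main__":
    sample = build_constructed_sample()
    print(inspect_upload(MINIMAL_GIF))                       # plain image: not a polyglot
    print(inspect_upload(sample))                            # is_polyglot True, entries ['note.txt']
    print(inspect_upload(strip_trailing_data(sample)))       # cleaned: no longer parses as ZIP
```

Truncating at the GIF trailer (or re-encoding the image outright) removes the appended archive, but it does not by itself address the content-ownership point in the notes: user-supplied files should still be served from a completely different domain so that anything that slips through cannot run in the primary site's origin.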

All of the threat vectors discussed at the presentation were very interesting, but I really like the GIFAR attack. It has a lot of potential because so many sites accept uploading of image files. For more thoughts on the GIFAR attack, here are a few additional links:



© Godai Group 2012