Evil GIFs: Partial Same Origin Bypass with Hybrid Files

Many web sites allow users to upload different types of files, in particular GIF and other image files. During a recent webinar to promote the upcoming Black Hat briefings in Las Vegas, a group of hackers announced the creation of a hybrid file that can potentially bypass a browser’s same origin policy. They created a GIF file that also happens to be a JAR file (a “GIFAR” file). Once uploaded onto a web site, and assuming the web server runs a JVM, it allows one to run a malicious Java applet on someone else’s web server.

Details were not provided, since the hackers claim that Sun is still working on a patch. For more on hybrid (image) files as attack vectors, go to minute 41:23 of the webinar.
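The reason a single file can satisfy both parsers is that GIF readers start from the front of the file while ZIP/JAR readers locate the archive from the end-of-central-directory record at the back. A site that accepts image uploads can check for exactly that: a file that starts with an image magic number and also opens as a valid archive should be rejected or re-encoded. The following is an added example written for this post, not code from the original post or from the researchers; the sample files it builds are constructed here (a tiny GIF and a benign ZIP containing a text file) purely to exercise the detector.

```python
import io
import zipfile

# Public magic numbers for common image formats.
IMAGE_MAGICS = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Signature of the ZIP end-of-central-directory record, which every ZIP/JAR
# reader searches for from the tail of the file.
ZIP_EOCD_SIGNATURE = b"PK\x05\x06"


def image_kind(data: bytes):
    """Return the image format whose magic number starts the file, else None."""
    for kind, magics in IMAGE_MAGICS.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def has_zip_trailer(data: bytes) -> bool:
    """True if the bytes also parse as a well-formed ZIP/JAR archive.

    The stdlib zipfile module tolerates arbitrary leading data (the same
    property a JVM relies on), so a GIF with an archive appended opens fine.
    """
    if ZIP_EOCD_SIGNATURE not in data:
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() returns None when every member's CRC checks out.
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def classify_upload(data: bytes) -> str:
    """Upload-time decision: accept plain images, reject image/archive hybrids."""
    kind = image_kind(data)
    if kind is None:
        return "reject: not a recognised image"
    if has_zip_trailer(data):
        return f"reject: {kind} image is also a ZIP/JAR archive (hybrid file)"
    return f"accept: {kind}"


def build_samples():
    """Constructed test data (not from the original post).

    Returns a minimal 1x1 GIF and the same GIF with a harmless ZIP archive
    appended, which is enough for both a GIF decoder and a ZIP reader to
    accept the file.
    """
    plain_gif = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b";"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "harmless payload for the detector test")
    hybrid = plain_gif + buf.getvalue()
    return plain_gif, hybrid


if __name__ == "__main__":
    for sample in build_samples():
        print(classify_upload(sample))
```

Checking for an archive trailer is a cheap first gate; the more robust mitigation is to re-encode every uploaded image with a trusted decoder and store only the re-encoded output, which discards any trailing bytes a GIF parser never looked at.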

  • It would really be great if you could put a transcript in the post as opposed to visiting a Webinar.

    Text is easier to refer to and reference than audio.

    This could have had extreme consequences such as: malicious users uploading hybrid Logos to forums, blogs and social bookmarking member sites.

    The most extreme example would be infecting sites like Flickr or Digg. Or even creating blogs on sites like Blogspot for the sole purpose of uploading those images.

  • It’s unclear if this is a client-side or server-side exploit – you mention the same origin policy which suggests that the exploit is an applet that runs in a browser, but then you mention that the server needs a JVM which would mean code gets executed on the server. It seems more likely that this is a browser exploit as opposed to a code-executing-on-the-server exploit.