Mon

Jun 30
2008

Ben Lorica

Ben Lorica

Evil GIFs: Partial Same Origin Bypass with Hybrid Files

Many web sites allow users to upload different types of files, in particular GIF and other image files. During a recent webinar to promote the upcoming Black Hat briefings in Las Vegas, a group of hackers announced the creation of a hybrid file that can potentially bypass a browser's same origin policy. They created a GIF file that also happens to be a JAR file ( a "GIFAR" file). Once uploaded onto a web site, and assuming the web server runs a JVM, it allows one to run a malicious java applet on someone else's web server.

Details were not provided, since the hackers claim that Sun is still working on a patch. For more on hybrid (image) files as attack vectors, go to minute 41:23 of the webinar.


tags: black hat, security  | comments: 2   | Sphere It
submit:

 
Previous  |  Next

0 TrackBacks

TrackBack URL for this entry: http://blogs.oreilly.com/cgi-bin/mt/mt-t.cgi/6584

Comments: 2

  PR AD [07.01.08 12:44 AM]

It would really be great if you could put a transcript in the post as opposed to visiting a Webinar.

Text is easier to refer to and reference than audio.

This could have had extreme consequences such as: malicious users uploading hybrid Logos to forums, blogs and social bookmarking member sites.

The most extreme example would be infecting sites like Flickr or Digg. Or even creating blogs on sites like Blogspot for the sole purpose of uploading those images.

  Simon Willison [07.01.08 04:07 AM]

It's unclear if this is a client-side or server-side exploit - you mention the same origin policy which suggests that the exploit is an applet that runs in a browser, but then you mention that the server needs a JVM which would mean code gets executed on the server. It seems more likely that this is a browser exploit as opposed to a code-executing-on-the-server exploit.

Post A Comment:

 (please be patient, comments may take awhile to post)






Type the characters you see in the picture above.