Bugged Files

Video in TIB AV-Portal: Bugged Files

Formal Metadata

Bugged Files
Is your document telling on you?
Title of Series
Number of Parts
CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Certain file formats, like Microsoft Word and PDF, are known to have features that allow for outbound requests to be made when the file opens. Other file formats allow for similar interactions but are not well-known for allowing such functionality. In this talk, we explore various file formats and their ability to make outbound requests, as well as what that means from a security and privacy perspective. Most interestingly, these techniques are not built on mistakes, but intentional design decisions, meaning that they will not be fixed as bugs. From data loss prevention to de-anonymization to request forgery to NTLM credential capture, this presentation will explore what it means to have files that communicate to various endpoints when opened. "unicornFurnace"
Category of being Group action Telecommunication Computer file Regular graph Information security
Web application Mobile app Focus (optics) File format Volume (thermodynamics) Right angle Cartesian coordinate system Information security Freezing
Complex (psychology) File format Multiplication sign Bit
Addition Parsing File format Variety (linguistics) Kolmogorov complexity Weight Multiplication sign Computer file File format Exploit (computer security) Bit Insertion loss Motion capture Information privacy Information privacy Software bug Type theory Message passing Digital rights management Different (Kate Ryan album) Personal digital assistant Information security Digital rights management Information security
Programmer (hardware) Latent heat Semiconductor memory File format Patch (Unix) Motion capture Error message Software bug
Haar measure Moment (mathematics) Virtual machine Window Software bug Cloning
Word Default (computer science) Message passing Hash function Link (knot theory) Haar measure Internetworking Hill differential equation Window Software bug Cloning
Medical imaging Haar measure File format Internetworking Personal digital assistant Computer file Interactive television
Haar measure File format Multiplication sign Ideal (ethics)
Default (computer science) Haar measure File format Web page MIDI Interactive television ACID Web browser Mereology Revision control Plane (geometry) Hypermedia Internet forum Videoconferencing Utility software Gastropod shell Window Address space Window
Ocean current Area Slide rule Keyboard shortcut Demo (music) Computer file File format 1 (number) PLS (file format)
Email File format Computer-generated imagery Keyboard shortcut Interactive television Open set Instance (computer science) Element (mathematics) Textsystem Internetworking Hypermedia Office suite Window
Area Focus (optics) Scheduling (computing) Email File format File format Interactive television Bit Basis <Mathematik> Web browser Lattice (order) Instance (computer science) Medical imaging Uniform resource locator Collaborative software Hypermedia Textsystem Hypermedia Videoconferencing Scheduling (computing) Family Window Probability density function
Probability density function Functional (mathematics) File format Multiplication sign View (database) Computer-generated imagery 1 (number) Group action Limit (category theory) Subset Embedded system Medical imaging Graphical user interface Hypermedia Electronic visual display Remote procedure call Block (periodic table) Probability density function
Scripting language Default (computer science) Functional (mathematics) Uniform resource locator Message passing Process (computing) Videoconferencing Web browser Probability density function
Addition Message passing Dot product Process (computing) Doubling the cube 1 (number) Shared memory Website Coma Berenices Probability density function Form (programming)
Proof theory Message passing Demo (music) File format Moment (mathematics) Electronic visual display Bit Coma Berenices
Default (computer science) Pixel Functional (mathematics) File format Line (geometry) Mereology Graph coloring Entire function Vector graphics Medical imaging SVG Vector space Different (Kate Ryan album) Internetworking Term (mathematics) Data structure Window
Default (computer science) Markup language File format Shared memory Schweizerische Physikalische Gesellschaft Mereology Formal language Subset Medical imaging Internetworking Remote procedure call Data structure Window
Latent heat Hypermedia File format Hypermedia File format Quicksort Remote procedure call Internetradio Window
Functional (mathematics) File system Interactive television Open set Remote procedure call System call Local ring Window
Hypermedia File format Hypermedia File format Electronic mailing list Interactive television Family Window
Scripting language Point (geometry) Trail Addition Touchscreen Code File format Closed set Content (media) Audio file format Instance (computer science) Web browser Metadata 2 (number) Uniform resource locator Word Function (mathematics) Videoconferencing Moving average Flag Electronic visual display Remote procedure call Digital rights management Resultant
Scripting language Default (computer science) Application service provider File format Web browser Cartesian coordinate system Web browser Uniform resource locator Function (mathematics) Videoconferencing Moving average Digital rights management Window
Functional (mathematics) Uniform resource locator Email Information File format Videoconferencing Encryption Energy level Family Entire function
Medical imaging Inclusion map Copyright infringement File format Personal digital assistant Source code Videoconferencing Remote procedure call Number
Axiom of choice Frame problem Pairwise comparison MP3 Link (knot theory) File format Block (periodic table) Moving average Quicksort Mereology Metadata
Type theory Link (knot theory) Length Series (mathematics) Quicksort Frame problem
Area Slide rule MIDI Type theory Uniform resource locator File format Content (media) Mereology Frame problem Number
Uniform resource locator Uniform resource locator Copyright infringement Client (computing) File Transfer Protocol Number
File Transfer Protocol Classical physics Exterior algebra Different (Kate Ryan album) Multiplication sign Communications protocol
Uniform resource locator Suite (music) Freeware File format File format Plastikkarte Virtualization Group action Router (computing) Mereology Address space
Plastikkarte Virtualization Client (computing) Lattice (order) Attribute grammar Number
Trail Functional (mathematics) Shared memory Plastikkarte Bit Remote procedure call Lattice (order) Parsing Local ring Address space Social engineering (security)
Uniform resource locator Coefficient of determination Type theory File format Real number File format Self-organization Parameter (computer programming) Förderverein International Co-Operative Studies
Uniform resource locator Type theory File format File format Cuboid Parameter (computer programming) Line (geometry) Quicksort Lattice (order) Event horizon Form (programming)
Type theory Uniform resource locator Different (Kate Ryan album) Moment (mathematics) 1 (number) Electronic visual display Cuboid Lattice (order) Procedural programming Food energy Reading (process)
File format Computer configuration Moment (mathematics) Bit Lattice (order) Procedural programming
Functional (mathematics) File format Bit Vector potential
Server (computing) System call Multiplication sign Chaos (cosmogony) Digital signal System call Bookmark (World Wide Web) Data management Word Message passing Theorem Right angle Digital rights management
Uniform resource locator System call Angle Insertion loss Computer Insertion loss Quicksort Filesharing-System Probability density function
Office suite Computer Theory
Area Probability density function Line (geometry) Real number Web browser Fiber bundle Quicksort Videoconferencing Control flow Cartesian coordinate system IP address Web browser
Medical imaging Virtual machine Remote procedure call Instance (computer science) System call
Server (computing) Server (computing) Computer file Virtual machine Motion capture Client (computing) Content (media) Mereology Number Revision control Hash function Personal digital assistant Password Software cracking Information security
Point (geometry) Server (computing) Random number generation Information Client (computing)
Authentication Exterior algebra Demo (music) Password Patch (Unix) Virtual machine
Slide rule Information Software Local area network Multiplication sign Firewall (computing) Quicksort Cartesian coordinate system Window Position operator
Authentication Default (computer science) Parsing File format Exploit (computer security) Bit Network-attached storage Web browser Flow separation Position operator Software Personal digital assistant Quicksort Writing Position operator Router (computing)
Firewall (computing) File format Surface Multiplication sign File format Set (mathematics) Moment of inertia Instance (computer science) Computer programming Electronic signature Revision control Medical imaging Mathematics Message passing Moment of inertia Personal digital assistant Energy level Bounded variation Probability density function
Point (geometry) Server (computing) Firewall (computing) File format Firewall (computing) Multiplication sign File format Coma Berenices Instance (computer science) Cartesian coordinate system Mereology Connected space Moment of inertia Personal digital assistant Point cloud Bounded variation Window Probability density function
Degree (graph theory) Information Multiplication sign
Proxy server Internetworking Function (mathematics) Instance (computer science) Coma Berenices Computer programming Metropolitan area network Power (physics)
Graphical user interface Mathematics Software Hooking Firewall (computing) Multiplication sign Direction (geometry) Control flow Self-organization Cartesian coordinate system Proxy server Computer programming
Web 2.0 Revision control Trail Goodness of fit File format output Quicksort Function (mathematics) Information privacy Arithmetic progression Software bug
Revision control Point (geometry) Coma Berenices Alpha (investment)
Revision control Default (computer science) Word Quicksort Rule of inference Measurement Window Metropolitan area network Connected space
Medical imaging Uniform resource locator Vector space File format Personal digital assistant Videoconferencing Quicksort 2 (number)
Revision control Laptop Uniform resource locator Inheritance (object-oriented programming)
right next to me then you'll probably and Damon Smith but they're both both security engineers for D. and C. C. group and they told me that it could not bring a unicorn today cares sorry they're gonna tell us about some special properties in regular files so exciting think the best primates right at your own
of as at a great microphone volume of it them
as a freeze stated and read at a bunch of files so but that today a quick introduction I and my name is Damon Smith as mentioned I am a security engineer working with NCC Group traditionally my focus has been Application security including web applications embedded devices mobile applications and more recently have started doing some some research on file formats with this lovely gentleman right here so I mostly worked I I'm also scary engineer with NCC Group and that I'm out by mostly like working with web applications though and
some time that itself end of file formats so was was move on just to to clarify a little bit this this talk is that is
focused in a particular way and we're gonna be talking about files a trigger outbound traffic when they're opened and we didn't want to look at executable formats because it's not really interesting for me to tell you that an executable can make outbound traffic when you open it because there's a lot of other nasty things they can do of course we didn't really have the title of it complex Madison simple formats or anything like that we were taking a look at what we've believe our very common formats and so we also
do you want to use any weights wouldn't wanna find
bugs in file passes we wanted to but use only the features of the passes and other formats that they're passing but and we also discuss the implications of all of us so
why should you listen to us talk at you for the next 15 minutes we think that the research that we've done is very important for a variety of different reasons the 1st and most obvious reason or the privacy implications of Imagen where we're going
to go over some of these use cases in a little bit more detail but for now imagine documents they can phone home every time you interact with and this can DRM data loss retention and of course the anonymizing uses in addition to the privacy aspect there's also some serious security concerns with these types of file formats which will go into a little bit later finally and I think most
importantly all of the things that were going to show you today are not bugs they're not a mistake that a programmer made they're not off by 1 errors are not memory corruption these are things that were written into the RFC there in the file format specification and they are working as
intended this is not something that's going to be fixed on Patch Tuesday these bugs are going to live for years so we start with a quick demonstration with 3 different formats RTF
SPG and W the a quick
prayer to the demagogues please so here I've
got to get Metasploit open just for the as capture and so
we've got this can everyone see that OK yes excellent so we've got this providing the standard challenge and dumping to file an and over here we have a victim machine we had several of our bug
documents and those running Windows 8 comma decimal 1 fully patched yes so we'll
open up this RTF file now something interesting happens here when we opened this but you can see in a
moment it's going to pop up a little dialog that says that this document
contains 1 or more links to other files-the 1 update this document with data from the Linked files I was really interesting about this is that it has already since the hashes along so worst warning message ever right here yeah I think probably they're looking for they they're looking to prevent bugs with that of the document attacking some positive but even if we say no it doesn't matter because the hashes body been sent in OK so the
bag so I'm just so there's nothing up my sleeve here in a
clear clear this and I will open up this SVG file by default on Windows as Fiji falls apart by Internet Explorer the so there's a bunch of fun things that you
can do with Internet Explorer regarding this and if we have time we'll discuss that a little bit and but here you see and I an image format
and of all things can can cause this interaction to occur so our example as file is blank but you could easily have whatever arbitrary image that you want show up so that people don't get suspicious absolutely so 190 now we've kind of set this up to knock it out of the park and it's not always gonna be as easy but in
this case since we it was not quite so easy to set up a demo for anti-land relaying which should be mostly with things would be useful we're going to go ahead and just crack
the passions that we've received and here we see that we've got be a throwaway account with the password of throw away so like I said we we set this 1 for ourselves but we we now just because somebody opened up a document that is you know not malformed it's like a well-formed
example of a format that is using its features you know everything is working as normal but this is normal so this is the ideal time people this is how it is supposed to work so it's just a lot of things that when put together don't work the way we really want them to do so and the last thing that I wanna show you here is
a Windows Media video file this is a slightly modified version of a video that
comes with Windows by default and as it turns out you can actually cause of interactions to occur
from a video and this is again this is part of the format and we will be discussing this later
on but we just had at launch a browser window but so that's lovely
so that concludes the demonstration and we're
gonna start talking about you know all the different formats that we have that we've got things on and down through the implications and so and what not so
continuing on from the demo I I'm probably should have hit hit play from current slide in a play from
starts so this is a prior work in this area and Daymond would would you undertake this delivers a prior work in this area this is not really a new technique were not pioneering this whole let's send until in Atlas and SMB and get
until ashes and this is something that's been known for a while there's a tool of the cul-de-sac attack which implements many of the ones you see
here and there's also a tool in displayed that's been around since 2008 but remember this problem still exists and we
kind of wanted to see like how how widespread is this and so it's already known that you can do this for the Office formats the office of an XML which is not confusing at all when compared to the Open Office XML format which is at it from a
different anyway the XML-based document formats but there are ways to with this and POS playlists lit by a shortcut files and I can read it to you but I think you guys can read them some other
silly things from Internet Explorer and HTML elements can reference as in the past and causes interaction happy so for instance in in Windows Media player you so
we're able to pop open a browser window using Windows Media a Windows Media video file so we can load that up to a URL which then has an image on an SMB resource and triggers that same auntie on interactions of the same thing can be done in HTML e-mails in Outlook so that's a little bit of the prior art in the
area what our research focus on so we focus on 3 families of formats and
document formats media formats and groupware formats or meeting and scheduling formats we wanted to look at file formats that your traditional
corporate employee under traditional corpora build is likely to open for instance PDF files that something in your average corporate employee is used to receiving their e-mail on a daily basis and will blindly double-click them without any thought so that's the that defines which file
formats we specifically looked at so 1 of the most obvious ones as pdf and
this was immediately something that we want to take a look at it it's a very complex format we knew there was going be something in there somewhere and that they're incredibly common PDF files so we spend a little time on this you can embed remote images in TTS as it turns out
and so this will just automatically go and fetch the image when opened and the interesting things is that this as a note these only work on Adobe Reader of most of the PDF readers out there I have a very limited subset of the PDF functionality available so Firefox and Chrome the view from Mac OS all these of support a limited subset of PDF functionality and these techniques don't work on them but fortunately or unfortunately depending on who you are so the remote image functionality that basically just grabs an image from a remote endpoint and displays it within the PDF and of course you have to reach out to a 3rd party to get that and if you're creating the PDF document you're choosing who you connect to
but there's also jobs script functionality in PDF switches you know what could go wrong but there is a method that allows you to open a of video player within a
PDF It's is insane that don't live imagine why you'd ever wanna do that but I can imagine why you might want to but I might new need substances 1st but regardless I just you know medium is not thinking of PDF in a way that other people are thinking of the US regardless you can open up a video from a third-party location and in the same and there's also a method that allows you to but just pop open a URL in the browser and in the default browser that is which is get URL and this you might be looking at this this warning message and wondering what's going on here and I'll I'll leave it to Damon to explain the nitty-gritty details behind that so as we mentioned it is possible to open up
as in the past within the jobs passing engine of PDF readers unfortunately does issue a warning message however when we were investigating this particular blood we found an interesting aspect is warning message on many of you are probably already familiar with you in the past which is something
like slash slash hostname slash share name slash file there is an additional form of unity that you may not be familiar with called long-form UNC that goes slash slash question mark slash hostnames slash N and slash pile I really know why that exist but as you can see from this morning message we actually confuse the PDF reader into thinking that the question mark was the host so we can cause you to connect to double dot dot sketchy attacker website dot com like PDF reader will instead say this document is trying to connect to home do you want to allow this I'm not
sure if that's more or less sketchy than saying that the bit that attacker dot com but had no it's a it's a neat you want this particular format so have fun with it we thought it was funny enough to include regardless of whether it's actually useful to anybody so the next moment that we have and 1 you've already seen a
demonstration of is the rich text format but very cool thing about the demo that you saw earlier in the proof of concept is that works in both WordPad in Microsoft Office so it doesn't matter if you're a victim has the Microsoft Office we installed or not if they double-click as
RTF file you will get the insulin credentials additionally as you saw during the demonstration it does put up a little warning message about linked files and you want a display them but it only displays that warning message after it has already seen Krenzel's to the attacker making it possibly the most useful use are useless warning message ever you also saw the year I
think so the other thing that we've already demonstrated is
STG which aims for Scalable Vector graphics and it is an image file format but it is for displaying vector images instead
of the traditional image formats which are used for Benetton images very quickly the difference between bit-mapped and vector graphics is bit-mapped roughly is a data structure that defines this pixel as this color and this transparency and all that and then it describes the next
pixel and the next pixel and the next pixel until it has built the entire image with vector graphics it describes the image in terms of vector functions so it says draw this line from here to here with this color so it's 2 different ways of encoding an image file an SPG as we mentioned during like demonstration by default on Windows is parts with Internet Explorer the fun thing
about SPG is the way that its structure it is a markup language very similar to HTML and it actually implements a subset of the HTML language and that as part of the SPG format 1 of the things that you're allowed to specify an SVG file a remote XML style sheets so I can say Lotus this cascading style sheet from this remote location and if you're using Internet Explorer which by default on Windows you are but it will accept file past so you can say for this image file I want you to download the style sheet from this remote SMB share which of course as you saw a demonstration leads to disclosure of insulin credentials additionally they can run JavaScript
did you your images could have JavaScript and no because that's insane that we took a look at
the various playlist formats as stated earlier in the talk POS as prior art that was not our discovery and that we found out that both 3 you which is closely tied to the M P 3 format and that insects which is more of a Windows Media specific playlist format both of those are also susceptible to this sort of the tomfoolery but so basically
all these playlist format support for you know of reasons of Internet radio and that sort of thing remote paths so obviously there's the the ability to make remote references interestingly and that now I think it's probably right on bring up
at that Windows is where UNC paths are handled in general but the same API call that is used to open a file from the local file system is the API it's the same API used to open UNC paths it just sort of at some point during
the the the function call but sees all this is actually UNC path let me handle this remotely in others like remote interactions so you don't necessarily need to write you went like SMB UNC whatever handling into your passer you just have to like use the standard way of interacting with the file system in your passer and Windows will make make this happen for you so
on Mosley's playlist formatted just it that there a simple and in in the case of for you at least as a list of items a list of past but to be
played so in all of these formats instead of specifying the file path you can specify UNC path and it will be the interaction certain interaction in the south previously or if you just wanna see when somebody
opens up your playlist you can embed a remote reference at the start so the next format that we looked at is actually a family of formats the ASF family formats which you were probably more familiar with as Windows Media
Video and Windows Media Audio but this was actually really interesting to us because who thought that your audio and video files could contain remote tracking code so this was actually kind of surprising result it comes courtesy of a friend of ours and Derek Hänsch flag days
so chat for introducing us to this technique the way that this is accomplished is by
embedding scripted metadata into an WMV word of you may file you have the ability to embed scripts in these video and audio file such that when playback reaches a specified point for instance 5 seconds and it will execute the contents of the script command this has traditionally been used to accomplish things like close captioning so you can have a display text on the screen when you reach the 32nd mark that corresponds to whatever the people onscreen or saying it 30 seconds that's more or less have closed captioning is implemented in this format however when you're looking at the script commands in addition to doing something like display text on-screen you also have this
really cool 1 called URL and axis which means open this specified URL in the default browser and halt playback as you saw during the demonstration this equates to you are watching a video file that you you know whatever video file I'm not gonna I'm not going to to speculate on what kind of video it is that's up to you but it was you get to the 32nd marked that's when a video starts with really interesting and bam it opens up your browser window to dubbed dub dot NSA dot gov slash you've been tracked wall so that's
that's or running into with these file formats yes your video files can contain embedded script commands and yes those script commands candy anonymize you which is really unfortunate additionally the at any that we've
postulated but have not yet proven is of using the built-in and functionality so to briefly describe how the works in this family of formats and it's actually quite simple it encrypts the entire video file and then in the header information it specifies if you want to watch this video file you need to go to this URL and download the decryption key that's more or less at a high level had the is implemented in these formats it's fairly
obvious that this can be used to track people unfortunately this is something that we haven't yet demonstrated because the the and is so horrible to work with the we can't even get working legitimately much less circumvented but look for that in the future that's probably technique that you there has been used by your adversaries or will be in the future but
additionally 1 quick notes subtitles they can include arbitrary HTML not just bold or italics or underline like you might expect in a subtitle but they can include things like image source equals sugo actually have subtitles and a video file their reference remote image I don't know why that's the case but I can also be used for tracking so the next format that
that we took a look at was M P 3 and this was obviously very interesting to us and you
know obviously there are a number of entities that are looking to crack down on piracy and so
this is ethylene interesting 1 for us but the thing is the M P 3 is actually a rather a simple format in comparison to some other formats and B 3 by itself doesn't actually include any metadata whatsoever but and this might seem confusing to you because you know obviously MP threes it you might not legitimately acquired and have of metadata and describing the artist the album all that sort of thing and as it turned out that actually a separate format called D
3 which is just sort of de-facto part of M P 3 now so it since and the 3 is basically just a series of fixed-length walks and say here's how you're going to interpret this block of data as audio neck you know coming up and then the the the block of audio data and repeat that until the end of the file and I D 3 was the obvious choice for going after this but 1 of the things we learned while doing this is that people don't always follow the RFCs when
creating something that is working with whatever technology a defining there is a there that so I D 3 is the way it's structured is a series of frames right
so use have sort of like here's the type of frame and here's the length and then here's the frame data right so there are 2 there were interesting to us the link frame and the apex frame link frame basically says the frame you're looking for is another castle and
so you go off and and fetch this frame from this other file here so I was like yes that's what I want and and then
there's also the picture frame which is attached pictures so you can say this picture is not here it's in another place go fetch it so the thing is no player that we looked at and we looked at a lot of them support either of these types of frames however when we found that you could do that the scripting content and WMA files and as it turns out you can just rename WMA file to . M P 3 and as long as it opens with Windows Media player it will be like all all this is this is named wrong here at all open this is a WMA file all all your mid open a URL so so to kind of cheating but if it's stupid and it works fitting stupid so there you are but you might be wondering why there's a picture of a fish on this slide but there's some whole area in the ID 3 or a C. as it turns out that as a part of pick frame you specify what type of picture is attached
and number 13 is a bright colored fish or whatever reason for another fun fact primers has its own innumerable like genre number in IT 3 so go Primus I guess so we also go to the Joint format and again you
know a lot and the looking to analyzed the pirates and torrenting for whatever reason they you know has has some ties with that and so this 1 is actually pretty easy because you
can have as many trackers as you want on that listed in within a torrent and when you open up the torrent it's going to check all of those trackers until it gets you know a certain number that are actually active so it's just going to visit URL after URL after URL and so you can get it to reach out to however many different places you want but and since people tend to open up Torrance and
then just kind of leave them going for a while the fact that it takes a long time to step through doesn't really make that big of a difference the other thing that we saw that wasn't really implemented in any Tory-inclined we notice that the we tried was URL seeds so this was pitched as an alternative to the classic BitTorrent protocols seed you can have http see you can have FTP seeds which of you know if you have nothing in this swarm he have no active seeds this is the way that you can get the
data initially right but we didn't find anything that supports this and so we weren't able to do you know FTP or any other funky URI handler we're hoping for file because again we could get the until when but that's not something we ought However in I can do
something like initiate a whole bunch of you about HTTP requests from wherever your opening a file so if I want to try to explicate let's say every Ceasar flaw in home routers for the past 5 10 years using a torrent file I can do that so that's interesting so the next 1 that we got a win on is the V card format this is using for exchanging virtual business cards between
users of for example Outlook which is part of the Microsoft Office suite so that the card format is used for a changing of business cards like I mentioned it has a lot of the obvious field such as what is the person's name what is the person's e-mail address
what is their phone number all that stuff that you would expect it also has some things that you might not expect at least not at 1st 1 of the attributes that it supports that we found it very useful is the free busy URL when me briefly describe this is used for so let's say that I exchanged my virtual business card with and and would like to set up a meeting with me when opens up his calendar client says I want to schedule a meeting with payments Smith his countering agent will
automatically go to my free busy URL and say OK is day busy at three o'clock this damage that this year for Clarke et cetera et cetera that is the proper
functionality of the free busy oral but that's obviously that's that's able to track people over HTTP what is perhaps not so obvious I still don't understand why it's implemented this way you can include a UNC path as a free busy URL so I'm telling dance calendering agent if you wanna find out when I'm free you need to connect to this remote SMB share and download it from there which is completely insane and I can imagine why this is allowed in the parser but it's definitely allowed and it definitely largely to stealing tion credentials the annotator explain it away like well it's OK you get local file Patzert specify when somebody else's for busy they add it doesn't make
any sense like it's kind of a lot of it's it does take a little bit of social social engineering are protecting to get this to work not only do you have to get the victim to accept the virtual card and added to the address book you then have to convince them to attempt to schedule a meeting with you so it's perhaps not the easiest to Floyd but if you've got some still the social engineering which I'm sure some in the crowd do you could probably pull it off the next
only looked at we include this for posterity and for of hilarity because
ICS is kind of a fun read if you take the see well I guess if you like to be in our seas so but also many organic dog if you're
ever writing a file pasta they're actually 3 critical steps you have to follow step 1 is to read the entire RFC for whatever file format you're designing for step 2 is to take the RFC and
light it on fire and step 3 is to do whatever the hell you want and completely ignore the RFC truth real talk so so the way in which this
this manifests for ICS and there's a particular line of the ICSI was actually very easy to read if you just pop 1 open you start immediately understanding sort of how the file is structured and it's 1 of those great file formats and you can kind of understand intuitively by looking at it which is great but 1 of the other things is the along which defines the warm but that is associated
with a given meeting request or calendar event so 1 interesting thing about this is that this is actually defined by the meeting request sender not the receiver and so in you can have multiple forms so 1 thing that you can do which is really hilarious is to set up a meeting with somebody in 2 days and set off an alarm to pop up a pop-up box and you know play a sound every minute until then and search that had defending on your year
calories region it might automatically accept the meeting invite as well which is hilarious so
the denial sleep attack near so so I
start reading so I'm reading this RFC it's
late I've probably had something to drink of almost certainly had something to drink and I'm looking at this and I'm looking through the different types of alarms there's 4 there's a 2 you know perfectly reasonable ones there's 1 it's like wall display popup a pop up box alarm like make some sound whenever I don't care audio which is like go to this URL download this sound and play that might rule that that could be nice and then the 4th 1 just like you know it's it's like us that take moment it's like just it's called procedure just run this command with these parameters like
the light so here is the heart
breaking things or the really relieving thing depending on who you are it doesn't work in any calendar is a region that we looked at it doesn't work in any of them I'm just imagining somebody implementing
it and like literacy is no no few that's that's the light the RFC on fire moment right there so not even of the
successor to because this is the calendar format not even the successor to I calendar supports this but it had it I mean it does you have to define a meeting yourself and I got a little bit excited when I created something that used to procedure all because it pops up this box like do you wanna accept this and the options instead of being like yes or no are like no and no you know I don't even import this at all some like yes Hill please brew know or no harder to no Cahill no or more no so unfortunately this is
not a usable technique but it's just it's a funny thing and I can't believe that this was an idea that somebody had an like wrote it down and the shared it because I just I just I don't even understand that there you have it so talking about a potential
use or misuse so we've discussed the formats that make this possible now it's discuss a little bit about why anyone would care why would anyone want to abuse this functionality the 1st and perhaps the most obvious implication that we can think of
is Digital Rights Management 1 of our favorite word that chaos camper my right we all of the ImageNet dystopian future Dr and that means every time a particular file is opened calls home to a remote server to track that that file has been opened this goes beyond traditional the whose sole purpose is to dissuade you from opening a file when you don't have the right to open at this goes beyond that it goes into identifying the people that are attempting to open these files this is a lot more dangerous than the theorem that we have today and this is something that can be done today in today's file
passes this is something we haven't seen it done but it's it's something that I think we should all be a little bit afraid of to be fair we have looked very hard to see if
this is being done fear uncertainty and doubt on all of you have so there's also that sort of a
data loss prevention angle to this and there's there's 2 there's sort of 2 sides to this 1 is like I don't want somebody to steal my sensitive documents so I'm going to put like salaries 2016 dot pdf up on
this file share of secret documents and nobody should ever openness but if it does get open then you know at at this URL the other side is let's say that you were a fascist government and you want to keep people from whistle-blowing and you could use these techniques in
theory to prevent people from being able to do that at least easily without being identified and we can imagine that you know somebody exel traits of a document that is of value to be put in the public knowledge and the document calls home from every place it's open from your computer you were computer your home computer but a lawyer's office a friend's home and then everybody disappears right that's this is I think the thing that scares me most about all of this is this is this potential misuse to another
that is fairly obvious is D. anonymization so if you ever use the
Tor Browser bundle raise your hand just kidding don't do that don't tell anyone these yet idea today so you have areas that or as a bundle and you've ever downloaded a file via the browser it pops up this great little warning dialog that says note if you open this file they could easily D. anonymize you and tell bad people what your real IP addresses don't do it this research is why that
warning dialog exists they know that the self as possible but they are trying to warn you eat it it to be cleared this this warning
existed before are easiest assist this technique this title this sort of I sort of ideas why that warning exists some want into application of this
for instance a government agency you may not have administrative control over that you have as witty and you may not be able to track its users but let's say you upload a PDF file call how to make a bomb in 3 easy steps and it has a remote image URL embedded in it so that everyone it opens the PDF file you now know who they are and that they wanna make a bomb in 3 easy steps so we we
discussed this prettier or at least we showed this and focused on this fairly extensively just because you know if you can take over some machine if you can get somebody's credentials then there's a lot more
that you can do that but you know this is I think a pretty important part of this is that you you can actually affect the security of the machine you can get credentials and and pass them along
more were cracks them and just in case somebody it there's somebody in the audience is not quite familiar with insulin relaying attacks on the go over it very briefly so normal and he until often
occasions but at least version 2 but you as a client Sarah server hey i'd like to authenticate and get access to whatever it is you've got there the server says OK here's this number I need you to mix this in cryptographically with your password hash and send them back to the client does so
the returns that value the server which then decides based on does is match up with the information they have should this person be allowed access now the problem here is that while the client is authenticated the server is not so there's
nothing that there is nothing in this on negotiation that ties all this data to a particular server except the nonce but that that
random number so if as an attacker you
can get a client to attempt to authenticate you you can just pass that information along until you get to the point where you gain access and you tell the client no sorry that didn't work would you like to try again and then you pass it somewhere else so
will you we in our demo we had a password
that was easily cracked it was like you know 2 seconds but if that this is an alternative to that where you passed the credentials along without having to crack them so anything that the the person attending to indicate to you knowingly or not always trying to gain access whatever they
can gain access to with their credentials you can now gain access to because of the way that until works it's worth noting that as of the most recent actually been quite a while back the patch this is no longer possible to relay authentication back to the same machine that off that initiated deliriously before I think
Windows 2000 maybe XB you could have someone at 2 of them OK with you pass the exact same application information back to their machine and other to them so that's been fixed for a long time now so we we
discussed briefly the of the fact that you're sending with these documents when you're initiating of and requests it's coming from a poet privilege network position your behind that you're behind whatever firewall might be in place and then you can exploit all sorts of interesting things that of you know maybe assume that
if you're on the local network you're totally fine but so this this slide probably could be renamed so see Cerf assumes some
sort of authentication of given session that you're writing on is cases that that that is absolutely the case as you saw in previous demonstrations of several of these
techniques of these formats of the parsers will actually just pop pop open the default browser on ends and work from there and if you can do that then you can write on authenticated sessions but that might exist with the default browser but even without that you're still coming from and up probably a privileged network position when somebody's opening a document so
we've tone you what the problem is we told you how can be abuse let's talk a little bit about what we thought about how to fix it possible mitigations because there really isn't a silver bullet there isn't a perfect solution to this war in a go over what we
thought of and why it's not necessarily great solution the 1st and perhaps most obvious is anti-virus all the techniques that reusing
have fairly standard signatures so if I bargain RTF file it is possible for a program to analyze an RTF file and tell that it's been bought unfortunately there are so many formatted this is possible for we really only scratched the surface
there is no way that baby can reliably cover every format that has the ability to be bold additionally some of the techniques that we've used have legitimate use cases there may be a legitimate reason to embed a remote image in a PDF or for instance a playlist file there are legitimate reasons for a playlist file to have remote file and otherwise it would be kind of boring playlist I guess so all these both of these issues are things that prevent forming an effective mitigation but let's talk about the format changes so some of these formats they're not necessarily legitimate use cases fervor opening the set of U R L's so this change the format to prevent that unfortunately time and time again in our industry it's been proven that that's just not possible you have to maintain a certain level of backwards compatibility there are too many people using these formats to me people using these passes and too many files that have been created with older versions for us to be able to change the format there's just too much inertia behind how these things are already design finally in my opinion the best
mitigation we've come up with yet application-level firewalls on these are things like on Windows ZoneAlarm or on
OSX little snatch or on Linux is that Lotus flower leopard cloud leopard
flour so what these do is every time an application attempts to initiate a
connection this firewall will notify you and say hey you're PDF reader is trying to connect to attack a dot com do you want to allow this this is a pretty good mitigation for the vast majority of file formats for instance it it will never be the case that I want WordPad to connect to a remote server so I can say deny deny deny it my WordPad is trying to connect to a remote server however for play was formats like M 3 you that's kind of the whole point is that they connect to remote servers to you can't reliably say application firewall fixes everything and as a panacea yeah that the part the reason they were talking
about like all these different mitigations and how they do or don't work to various degrees
as as as we we don't have a good solution for this we don't we don't have a a fixed were described trying to like put more fuel on the fire and to another thing we talked it we we thought about its warnings and and this goes you know they obviously there's some use to warnings and and some people will click through but you'll least of put be putting more information in the hands of the user but obviously people click-through warnings a lot of the time so this is not necessarily helpful at all and
but it might at least get you to stop and say well hold on that maybe this is not something I wanna do so you're at least putting more power to the user but I do you could also do something to
just shut off networking capabilities for particular programs in general and you know for instance that the man made the example that with WordPad UTI public I personally and Damon apparently personally
don't want WordPad ever communicate with the Internet except maybe like if it has to communicate to suffer a update of Microsoft dot com that standard DOS just never just never at all and
so for something like that it's easy but it's it has the same problems as application of a fire walls the other thing is attempting to hook network calls in some programs is a lot cleaner than in others and certain things proxy change what is completely break because it was a Chrome your own disables the LD
preload directive so you can't use proxy chains against chroma these the last time I tried it but there's also offering this is a good that this is a good partial solution and this will at least prevent things like outbound SMB traffic leaving your organization nor your home
you know this is something that's a good idea and general stages filtering but but again you still need to let some things through so you might be letting you know web traffic through and that sort of the way that a lot of that the privacy violating tracking stuff
but we're able to do that so if you think this stuff is cool and you wanna play with it yourself into your hands dirty we have exactly what you want we have created a tool that accepts as input all the various formats that we
support and will as output a bug version of that same file it's still a work in progress
it's like version 0 0 0 negative 1 alpha i additionally it's not yet on get higher thing because we are using Lynn Reddy from this entire week and we haven't had
couldn't Eqn activity so it will be on within the next 1 to 2 weeks if you wanna download this
thing and surviving your own files FIL and
at this point and were going to open it up for questions the around the world of questions anybody over there on the mike us see some I brittle problem takes us find any
issues with the whole file handlers serve when well when Windows gives a preview on OS X gives a preview files did you find that would also initiate connections but 2 ever so the question that the the question is did default
file-handling rules of proved to be any effective measure against this word did they get in our way of doing this sort of thing or is that is that is that a man sting you right these are all really when you open when you click on a file but there are in the file in Windows for for example you have a preview the file without actually opening a full version of what a Dutch and so this so you asking if that the previews also
vulnerable to this sort of thing yeah that's not something we've tested I can imagine for certain vectors it I can certainly postulate like SVG files it would be very likely that that would be vulnerable because you can't properly display the
image without unloading the style sheets so I would say probably varies by format and I would say we can't say authoritatively whether or not that's the case yeah we can we can say with some some certainty that certain some of them are likely to work even with preview so anything that you have to visually render probably it will
work anything like that so like a video file where 5 seconds in it the inner launches a URL that's almost certainly not going to work right I can say pretty certain pre certainly that's not going to work but as previously stated we haven't tested it so we can't say perforant out on your own once we get the tool online thanks tears any other questions or did we just covered
so well that nobody has any
uncertainty left in their hearts but this will and yes
for daily that 1 side to the get of your going copy it down and we super duper promise that it will be there and 1 to 2 weeks we have a somewhat working version on our laptops but we have not yet found the person with NCC Group that knows how to put things in this URL but we will find that person in 1 to 2
weeks and then it will be there if all
right thank you 10 and then you but thank you thank you all for listening


  460 ms - page object


AV-Portal 3.20.1 (bea96f1033d39fbe77f82542458e108105398441)