Bugged Files
Formal Metadata

Title: Bugged Files
Subtitle: Is your document telling on you?
Title of Series: Chaos Communication Camp 2015
Number of Parts: 85
Author: Crowley, Daniel
License: CC Attribution 3.0 Germany: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
DOI: 10.5446/38065
Publisher: Chaos Computer Club e.V.
Release Date: 2015
Language: English

Content Metadata

Subject Area: Computer Science
Abstract: Certain file formats, like Microsoft Word and PDF, are known to have features that allow for outbound requests to be made when the file opens. Other file formats allow for similar interactions but are not well-known for allowing such functionality. In this talk, we explore various file formats and their ability to make outbound requests, as well as what that means from a security and privacy perspective. Most interestingly, these techniques are not built on mistakes, but intentional design decisions, meaning that they will not be fixed as bugs. From data loss prevention to de-anonymization to request forgery to NTLM credential capture, this presentation will explore what it means to have files that communicate to various endpoints when opened. "unicornFurnace"
Transcript
Right next to me, [...] and Damon Smith. They're both security engineers for NCC Group, and they told me that they could not bring a unicorn today, sorry. They're gonna tell us about some special properties in regular files, so exciting.

Is that a good microphone volume for all of you? Alright. So, a quick introduction. My name is Damon Smith, as mentioned. I am a security engineer working with NCC Group. Traditionally my focus has been application security, including web applications, embedded devices, mobile applications, and more recently I have started doing some research on file formats with this lovely gentleman right here. I'm also a security engineer with NCC Group, and I'm mostly working with web applications, though, and some of the time it's file formats. So let's move on.

Just to clarify a little bit, this talk is focused in a particular way. We're gonna be talking about files that trigger outbound traffic when they're opened, and we didn't want to look at executable formats, because it's not really interesting for me to tell you that an executable can make outbound traffic when you open it; there's a lot of other nasty things they can do. Of course we didn't really divide it into complex versus simple formats or anything like that; we were taking a look at what we believe are very common formats. And we also didn't wanna find bugs in file parsers; we wanted to use only the features of the parsers and of the formats that they're parsing, and we also discuss the implications of all of this. So
why should you listen to us talk at you for the next 15 minutes? We think that the research that we've done is very important for a variety of different reasons. The first and most obvious reason are the privacy implications. Imagine, and we're going to go over some of these use cases in a little bit more detail, but for now imagine documents that can phone home every time you interact with them. This can be DRM, data loss prevention, and of course de-anonymizing uses. In addition to the privacy aspect there are also some serious security concerns with these types of file formats, which we'll go into a little bit later. Finally, and I think most importantly, all of the things that we're going to show you today are not bugs. They're not a mistake that a programmer made, they're not off-by-one errors, they're not memory corruption. These are things that were written into the RFC; they're in the file format specification and they are working as intended. This is not something that's going to be fixed on Patch Tuesday; these bugs are going to live for years.

So we start with a quick demonstration with three different formats: RTF, SVG and WMV. A quick prayer to the demo gods, please. So here I've got Metasploit open just for the hash capture, and so we've got this... can everyone see that? OK, yes, excellent. So we've got this providing the standard challenge and dumping to file, and over here we have a victim machine. We have several of our bugged documents and it's running Windows 8.1, fully patched. Yes. So we'll open up this RTF file. Now something interesting happens here when we open this: you can see in a moment it's going to pop up a little dialog that says that this document contains one or more links to other files, do you want to update this document with data from the linked files? What's really interesting about this is that it has already sent the hashes along, so worst warning message ever, right here. Yeah, I think probably they're looking to prevent bugs with the document attacking something, but even if we say no it doesn't matter, because the hashes have already been sent. OK, so the bag... so, just so there's nothing up my sleeve here, I'll clear this and I will open up this SVG file. By default on Windows, SVG files are parsed by Internet Explorer, so there's a bunch of fun things that you
can do with Internet Explorer regarding this, and if we have time we'll discuss that a little bit. But here you see an image format, of all things, can cause this interaction to occur. So our example SVG file is blank, but you could easily have whatever arbitrary image that you want show up, so that people don't get suspicious. Absolutely. So now we've kind of set this up to knock it out of the park, and it's not always gonna be as easy, but in this case, since it was not quite so easy to set up a demo for NTLM relaying, which would be mostly the thing that would be useful, we're going to go ahead and just crack the hashes that we've received, and here we see that we've got a throwaway account with the password of "throwaway". So like I said, we set this one up for ourselves, but we now, just because somebody opened up a document that is, you know, not malformed, it's like a well-formed example of a format that is using its features. You know, everything is working as normal, but this is normal, so this is the ideal... people, this is how it is supposed to work. So it's just a lot of things that when put together don't work the way we really want them to.

And the last thing that I wanna show you here is a Windows Media Video file. This is a slightly modified version of a video that comes with Windows by default, and as it turns out you can actually cause interactions to occur from a video, and this is again part of the format, and we will be discussing this later on. But we just had it launch a browser window, so that's lovely. So that concludes the demonstration, and we're gonna start talking about all the different formats that we've got findings on, and then go through the implications and so on and what not.

So, continuing on from the demo, I probably should have hit play from current slide instead of play from
start. So this is the prior work in this area, and Damon, would you take this? This is the prior work in this area; this is not really a new technique. We're not pioneering this whole "let's send NTLM auth over SMB and get NTLM hashes" thing. This is something that's been known for a while. There's a tool, the cul-de-sac attack, which implements many of the ones you see here, and there's also a tool in displayed that's been around since 2008. But remember, this problem still exists, and we kind of wanted to see how widespread this is. So it's already known that you can do this for the Office formats, the Office Open XML, which is not confusing at all when compared to the OpenOffice XML format, which is a different... anyway, the XML-based document formats. But there are ways to do this with PLS playlists, shortcut files, and I could read it to you but I think you guys can read them. Some other silly things: from Internet Explorer, HTML elements can reference SMB paths and cause this interaction to happen. So for instance in Windows Media Player, we're able to pop open a browser window using a Windows Media Video file, so we can load that up to a URL which then has an image on an SMB resource and triggers that same NTLM interaction. The same thing can be done in HTML e-mails in Outlook. So that's a little bit of the prior art in the area.

What did our research focus on? So we focused on three families of formats: document formats, media formats, and groupware formats, or meeting and scheduling formats. We wanted to look at file formats that your traditional corporate employee on a traditional corporate build is likely to open. For instance, PDF files are something your average corporate employee is used to receiving in their e-mail on a daily basis and will blindly double-click without any thought. So that defines which file formats we specifically looked at.

So one of the most obvious ones is PDF, and this was immediately something that we wanted to take a look at. It's a very complex format; we knew there was going to be something in there somewhere, and PDF files are incredibly common. So we spent a little time on this. You can embed remote images in PDFs, as it turns out, and so this will just automatically go and fetch the image when opened. The interesting thing is, as a note, these only work on Adobe Reader. Most of the PDF readers out there have a very limited subset of the PDF functionality available, so Firefox and Chrome, Preview on Mac OS, all these support a limited subset of PDF functionality and these techniques don't work on them, fortunately or unfortunately, depending on who you are. So the remote image functionality basically just grabs an image from a remote endpoint and displays it within the PDF, and of course you have to reach out to a third party to get that, and if you're creating the PDF document you're choosing who you connect to,
but there's also JavaScript functionality in PDF, which is, you know, what could go wrong. But there is a method that allows you to open a video player within a PDF. It's insane; I can't imagine why you'd ever wanna do that. But I can imagine why you might want to, but I might need substances first. But regardless, you know, Adobe is not thinking of PDF in the way that other people are thinking of it. Regardless, you can open up a video from a third-party location, and in the same vein there's also a method that allows you to just pop open a URL in the browser, in the default browser that is, which is getURL. And you might be looking at this warning message and wondering what's going on here, and I'll leave it to Damon to explain the nitty-gritty details behind that.

So as we mentioned, it is possible to open up SMB paths within the JavaScript parsing engine of PDF readers. Unfortunately it does issue a warning message. However, when we were investigating this particular bug we found an interesting aspect of this warning message. Many of you are probably already familiar with UNC paths, which is something like \\hostname\sharename\file. There is an additional form of UNC that you may not be familiar with, called long-form UNC, that goes \\?\hostname\sharename\file. I don't really know why that exists, but as you can see from this warning message we actually confuse the PDF reader into thinking that the question mark was the host. So we can cause you to connect to \\?\sketchy-attacker-website.com, and the PDF reader will instead say "this document is trying to connect to home, do you want to allow this?" I'm not sure if that's more or less sketchy than saying that it's attacker.com, but it's a neat quirk of this particular format, so have fun with it. We thought it was funny enough to include regardless of whether it's actually useful to anybody.

So the next format that we have, and one you've already seen a demonstration of, is the Rich Text Format. A very cool thing about the demo that you saw earlier, the proof of concept, is that it works in both WordPad and Microsoft Office, so it doesn't matter if your victim has the Microsoft Office suite installed or not; if they double-click this RTF file you will get the NTLM credentials. Additionally, as you saw during the demonstration, it does put up a little warning message about linked files and whether you want to display them, but it only displays that warning message after it has already sent credentials to the attacker, making it possibly the most useful... useless warning message ever. You also saw the... yeah, I think so.

The other thing that we've already demonstrated is SVG, which stands for Scalable Vector Graphics, and it is an image file format, but it is for displaying vector images instead of the traditional image formats which are used for bitmap images. Very quickly, the difference between bitmapped and vector graphics is: bitmapped, roughly, is a data structure that defines this pixel as this color and this transparency and all that, and then it describes the next pixel and the next pixel and the next pixel until it has built the entire image. With vector graphics it describes the image in terms of vector functions, so it says draw this line from here to here with this color. So it's two different ways of encoding an image file. An SVG, as we mentioned during the demonstration, by default on Windows is parsed with Internet Explorer. The fun thing about SVG is the way that it's structured: it is a markup language very similar to HTML, and it actually implements a subset of the HTML language as part of the SVG format. One of the things that you're allowed to specify in an SVG file is a remote XML stylesheet, so I can say "load this cascading style sheet from this remote location", and if you're using Internet Explorer, which by default on Windows you are, it will accept file paths, so you can say "for this image file I want you to download the style sheet from this remote SMB share", which of course, as you saw in the demonstration, leads to disclosure of NTLM credentials. Additionally they can run JavaScript.
Did you know your images could have JavaScript? No, because that's insane.

So we took a look at the various playlist formats. As stated earlier in the talk, PLS is prior art; that was not our discovery. And we found out that both M3U, which is closely tied to the MP3 format, and ASX, which is more of a Windows Media-specific playlist format, both of those are also susceptible to this sort of tomfoolery. So basically all these playlist formats support, for reasons of Internet radio and that sort of thing, remote paths, so obviously there's the ability to make remote references. Interestingly, and I think it's probably right to bring up at this point, the way Windows handles UNC paths in general: the same API call that is used to open a file from the local file system is the same API used to open UNC paths. It just, sort of at some point during the function call, sees "oh, this is actually a UNC path, let me handle this remotely" and does the remote interactions. So you don't necessarily need to write, like, SMB or UNC handling into your parser; you just have to use the standard way of interacting with the file system in your parser, and Windows will make this happen for you. So most of these playlist formats are just, they're simple, and in the case of M3U at least, it's a list of items, a list of paths, to be played. So in all of these formats, instead of specifying a file path you can specify a UNC path and it will do the interaction, the same interaction that you saw previously, or if you just wanna see when somebody opens up your playlist, you can embed a remote reference at the start.

So the next format that we looked at is actually a family of formats, the ASF family of formats, which you're probably more familiar with as Windows Media Video and Windows Media Audio. This was actually really interesting to us, because who thought that your audio and video files could contain remote tracking code? So this was actually a kind of surprising result. It comes courtesy of a friend of ours, Derek Hänsch, so thanks for introducing us to this technique. The way that this is accomplished is by embedding scripted metadata into a WMV or WMA file. You have the ability to embed scripts in these video and audio files such that when playback reaches a specified point, for instance 5 seconds in, it will execute the contents of the script command. This has traditionally been used to accomplish things like closed captioning, so you can have it display text on the screen when you reach the 30-second mark that corresponds to whatever the people on screen are saying at 30 seconds. That's more or less how closed captioning is implemented in this format. However, when you're looking at the script commands, in addition to doing something like "display text on screen", you also have this really cool one called URLANDEXIT, which means open this specified URL in the default browser and halt playback. As you saw during the demonstration, this equates to: you are watching a video file, whatever video file, I'm not going to speculate on what kind of video it is, that's up to you, but when you get to the 30-second mark, that's when the video starts getting really interesting, and bam, it opens up your browser window to www.nsa.gov/youve-been-tracked. So that's what we're running into with these file formats. Yes, your video files can contain embedded script commands, and yes, those script commands can de-anonymize you, which is really unfortunate.

Additionally, the thing that we've postulated but have not yet proven is using the built-in DRM functionality. So to briefly describe how DRM works in this family of formats, it's actually quite simple: it encrypts the entire video file, and then in the header information it specifies "if you want to watch this video file you need to go to this URL and download the decryption key". That's more or less, at a high level, how DRM is implemented in these formats. It's fairly obvious that this can be used to track people. Unfortunately this is something that we haven't yet demonstrated, because the DRM is so horrible to work with that we can't even get it working legitimately, much less circumvented. But look for that in the future; that's probably a technique that either has been used by your adversaries or will be in the future. But additionally, one quick note: subtitles. They can include arbitrary HTML, not just bold or italics or underline like you might expect in a subtitle, but they can include things like img src=..., so you could actually have subtitles in a video file that reference a remote image. I don't know why that's the case, but it can also be used for tracking.

So the next format that
we took a look at was MP3, and this was obviously very interesting to us, and you know, obviously there are a number of entities that are looking to crack down on piracy, and so this is a really interesting one for us. But the thing is, MP3 is actually a rather simple format in comparison to some other formats, and MP3 by itself doesn't actually include any metadata whatsoever. This might seem confusing to you, because obviously MP3s that you might not have legitimately acquired have metadata describing the artist, the album, all that sort of thing. As it turns out, that's actually a separate format called ID3, which is just sort of a de facto part of MP3 now. So MP3 is basically just a series of fixed-length blocks that say "here's how you're going to interpret this block of data as audio, coming up", and then the block of audio data, and repeat that until the end of the file. ID3 was the obvious choice for going after this, but one of the things we learned while doing this is that people don't always follow the RFCs when creating something that is working with whatever technology they're defining. So ID3, the way it's structured, is a series of frames, right, so you have, sort of, here's the type of frame, here's the length, and then here's the frame data. So there were two that were interesting to us: the LINK frame and the APIC frame. The LINK frame basically says "the frame you're looking for is in another castle", and so you go off and fetch this frame from this other file here. So I was like, yes, that's what I want. And then there's also the picture frame, which is attached pictures, so you can say "this picture is not here, it's in another place, go fetch it". So the thing is, no player that we looked at, and we looked at a lot of them, supports either of these types of frames. However, we found that you could do the scripting content in WMA files, and as it turns out you can just rename a WMA file to .mp3, and as long as it opens with Windows Media Player it will be like "oh, this is named wrong, here, I'll open this as a WMA file, oh, I'll open a URL". So that's kind of cheating, but if it's stupid and it works, it isn't stupid. So there you are.

But you might be wondering why there's a picture of a fish on this slide. There's some whole area in the ID3 RFC... as it turns out, as a part of the picture frame you specify what type of picture is attached, and number 13 is "a bright coloured fish", for whatever reason. Another fun fact: Primus has its own enumerable genre number in ID3, so go Primus, I guess.

So we also looked at the torrent format, and again, you know, a lot of the people looking to analyze the pirates and torrenting, for whatever reason, you know, have some ties with that. And so this one is actually pretty easy, because you can have as many trackers as you want listed within a torrent, and when you open up the torrent it's going to check all of those trackers until it gets a certain number that are actually active. So it's just going to visit URL after URL after URL, and so you can get it to reach out to however many different places you want. And since people tend to open up torrents and then just kind of leave them going for a while, the fact that it takes a long time to step through doesn't really make that big of a difference. The other thing that we saw that wasn't really implemented in any torrent client that we tried was URL seeds. This was pitched as an alternative to the classic BitTorrent protocol seed: you can have HTTP seeds, you can have FTP seeds, which, if you have nothing in the swarm, if you have no active seeds, this is the way that you can get the data initially, right. But we didn't find anything that supports this, and so we weren't able to do FTP or any other funky URI handler. We were hoping for file://, because again we could get the NTLM with that, but that's not something we got. However, you can do something like initiate a whole bunch of HTTP requests from wherever you're opening a file, so if I want to try to exploit, let's say, every CSRF flaw in home routers for the past 5 to 10 years using a torrent file, I can do that. So that's interesting.

So the next one that we got a win on is the vCard format. This is used for exchanging virtual business cards between
users of, for example, Outlook, which is part of the Microsoft Office suite. So the vCard format is used for exchanging business cards, like I mentioned. It has a lot of the obvious fields, such as what is the person's name, what is the person's e-mail address, what is their phone number, all that stuff that you would expect. It also has some things that you might not expect, at least not at first. One of the attributes that it supports that we found very useful is the free/busy URL. Let me briefly describe what this is used for. So let's say that I exchanged my virtual business card with Dan, and Dan would like to set up a meeting with me. When Dan opens up his calendar client and says "I want to schedule a meeting with Damon Smith", his calendaring agent will automatically go to my free/busy URL and say, OK, is Damon busy at three o'clock, is Damon busy at four o'clock, et cetera, et cetera. That is the proper functionality of the free/busy URL, but obviously that's able to track people over HTTP. What is perhaps not so obvious, and I still don't understand why it's implemented this way: you can include a UNC path as a free/busy URL. So I'm telling Dan's calendaring agent "if you wanna find out when I'm free, you need to connect to this remote SMB share and download it from there", which is completely insane. I can't imagine why this is allowed in the parser, but it's definitely allowed, and it definitely leads to stealing NTLM credentials. You could try to explain it away like "well, it's OK to let local file paths be specified for somebody else's free/busy", but it doesn't make any sense. It does take a little bit of social engineering or pretexting to get this to work: not only do you have to get the victim to accept the virtual card and add it to the address book, you then have to convince them to attempt to schedule a meeting with you. So it's perhaps not the easiest to exploit, but if you've got some skill at social engineering, which I'm sure some in the crowd do, you could probably pull it off.

The next one we looked at, we include this for posterity and for hilarity, because ICS is kind of a fun read, if you take the... well, I guess, if you like to read RFCs. So, if you're ever writing a file parser, there are actually three critical steps you have to follow. Step one is to read the entire RFC for whatever file format you're designing for. Step two is to take the RFC and light it on fire, and step three is to do whatever the hell you want and completely ignore the RFC. Truth. Real talk. So the way in which this manifests for ICS: there's a particular line of the ICS. It was actually very easy to read; if you just pop one open you start immediately understanding sort of how the file is structured, and it's one of those great file formats that you can kind of understand intuitively by looking at it, which is great. But one of the other things is the alarm, which defines the alarm that is associated with a given meeting request or calendar event. So one interesting thing about this is that this is actually defined by the meeting request sender, not the receiver, and you can have multiple alarms. So one thing that you can do, which is really hilarious, is to set up a meeting with somebody in two days and set off an alarm to pop up a pop-up box and play a sound every minute until then. And depending on your calendaring agent it might automatically accept the meeting invite as well, which is hilarious. So, the denial-of-sleep attack.

So I started reading, so I'm reading this RFC. It's late, I've probably had something to drink, I've almost certainly had something to drink, and I'm looking at this and I'm looking through the different types of alarms. There's four. There's two perfectly reasonable ones: there's one that's like "display", pop up a pop-up box alarm, make some sound, whatever, I don't care; "audio", which is like go to this URL, download this sound and play that, I mean that could be nice; and then the fourth one is just like... take a moment... it's called "procedure": just run this command with these parameters, like... So here is the heartbreaking thing or the really relieving thing, depending on who you are: it doesn't work in any calendaring agent that we looked at. It doesn't work in any of them. I'm just imagining somebody implementing it and like, literally, "no, no". That's the "light the RFC on fire" moment right there. So not even the successor... because this is the calendar format... not even the successor to iCalendar supports this, but it had it, I mean, it does. You have to define a meeting yourself, and I got a little bit excited when I created something that used a procedure alarm, because it pops up this box like "do you wanna accept this?", and the options, instead of being like "yes" or "no", are like "no" and "no, I don't even want to import this at all", some are like "yes, hell no, please", "no", or "no, harder", "no", "hell no", or "more no". So unfortunately this is not a usable technique, but it's a funny thing, and I can't believe that this was an idea that somebody had and wrote it down and shared it, because I just don't even understand that. There you have it.

So, talking about potential
use or misuse so we've discussed the formats that make this possible now it's discuss a little bit about why anyone would care why would anyone want to abuse this functionality the 1st and perhaps the most obvious implication that we can think of
is Digital Rights Management 1 of our favorite word that chaos camper my right we all of the ImageNet dystopian future Dr and that means every time a particular file is opened calls home to a remote server to track that that file has been opened this goes beyond traditional the whose sole purpose is to dissuade you from opening a file when you don't have the right to open at this goes beyond that it goes into identifying the people that are attempting to open these files this is a lot more dangerous than the theorem that we have today and this is something that can be done today in today's file
passes this is something we haven't seen it done but it's it's something that I think we should all be a little bit afraid of to be fair we have looked very hard to see if
this is being done fear uncertainty and doubt on all of you have so there's also that sort of a
data loss prevention angle to this, and there are sort of two sides to this. One is: I don't want somebody to steal my sensitive documents, so I'm going to put, like, salaries2016.pdf up on this file share of secret documents, and nobody should ever open it, but if it does get opened, then you know, at this URL. The other side is, let's say that you were a fascist government and you want to keep people from whistle-blowing; you could use these techniques, in theory, to prevent people from being able to do that, at least easily, without being identified. We can imagine that, you know, somebody exfiltrates a document that is of value to be put in the public knowledge, and the document calls home from every place it's opened from: your work computer, your home computer, a lawyer's office, a friend's home, and then everybody disappears. Right, this is, I think, the thing that scares me most about all of this, this potential misuse.

Another one that is fairly obvious is de-anonymization. So, if you've ever used the Tor Browser Bundle, raise your hand. Just kidding, don't do that, don't tell anyone. Anyway, if you have used the Tor Browser Bundle and you've ever downloaded a file via the browser, it pops up this great little warning dialog that says: note, if you open this file, they could easily de-anonymize you and tell bad people what your real IP address is, don't do it. This research is why that warning dialog exists. They know that this sort of thing is possible, and they are trying to warn you. To be clear, this warning existed before our research; this technique, this sort of idea, is why that warning exists. Some other application of this: for instance, a government agency. You may not have administrative control over a website and you may not be able to track its users, but let's say you upload a PDF file called "How to Make a Bomb in 3 Easy Steps" and it has a remote image URL embedded in it, so that for everyone who opens the PDF file, you now know who they are and that they want to make a bomb in three easy steps.

So we discussed this pretty early, or at least we showed this and focused on this fairly extensively, just because, you know, if you can take over some machine, if you can get somebody's credentials, then there's a lot more that you can do. But, you know, I think a pretty important part of this is that you can actually affect the security of the machine: you can get credentials and pass them along
or crack them. And just in case somebody in the audience is not quite familiar with NTLM relaying attacks, I'll go over it very briefly. So normal NTLM authentication, at least version 2: you as a client say to the server, hey, I'd like to authenticate and get access to whatever it is you've got there. The server says, OK, here's this number, I need you to mix this in cryptographically with your password hash and send it back. The client does so and returns that value to the server, which then decides, based on whether it matches up with the information they have, whether this person should be allowed access. Now the problem here is that while the client is authenticated, the server is not, so there is nothing in this negotiation that ties all this data to a particular server except the nonce, that random number. So if, as an attacker, you can get a client to attempt to authenticate to you, you can just pass that information along until you get to the point where you gain access, and you tell the client, no, sorry, that didn't work, would you like to try again? And then you pass it somewhere else. In our demo we had a password that was easily cracked, it was like, you know, two seconds, but this is an alternative to that where you pass the credentials along without having to crack them. So anything that the person attempting to authenticate to you, knowingly or not, can gain access to with their credentials, you can now gain access to, because of the way that NTLM works. It's worth noting that as of the most recent patch, actually it's been quite a while back, it is no longer possible to relay authentication back to the same machine that initiated it. Previously, before I think Windows 2000, maybe XP, you could have someone authenticate to you, pass the exact same authentication information back to their machine and authenticate to them. So that's been fixed for a long time now.

So we discussed briefly the fact that, when you're sending these documents and initiating requests, it's coming from a privileged network position: you're behind whatever firewall might be in place, and then you can exploit all sorts of interesting things that, you know, maybe assume that if you're on the local network you're totally fine. This slide probably could be renamed. CSRF assumes some sort of authentication on a given session that you're riding on; in some cases that is absolutely the case. As you saw in previous demonstrations, with several of these techniques, several of these formats, the parsers will actually just pop open the default browser and work from there, and if you can do that then you can ride on authenticated sessions that might exist with the default browser. But even without that, you're still coming from a probably privileged network position when somebody's opening a document. So
we've told you what the problem is, we've told you how it can be abused, let's talk a little bit about what we thought about how to fix it, possible mitigations, because there really isn't a silver bullet, there isn't a perfect solution to this. We're going to go over what we thought of and why it's not necessarily a great solution. The first, and perhaps most obvious, is anti-virus. All the techniques that we're using have fairly standard signatures, so if I bug an RTF file, it is possible for a program to analyze an RTF file and tell that it's been bugged. Unfortunately, there are so many formats this is possible for; we really only scratched the surface. There is no way that AV can reliably cover every format that has the ability to be bugged. Additionally, some of the techniques that we've used have legitimate use cases: there may be a legitimate reason to embed a remote image in a PDF, or, for instance, a playlist file. There are legitimate reasons for a playlist file to have a remote file, otherwise it would be a kind of boring playlist, I guess. So both of these issues are things that prevent forming an effective mitigation.

But let's talk about format changes. For some of these formats there are not necessarily legitimate use cases for opening the set of URLs, so just change the format to prevent that. Unfortunately, time and time again in our industry it's been proven that that's just not possible. You have to maintain a certain level of backwards compatibility; there are too many people using these formats, too many people using these parsers, and too many files that have been created with older versions for us to be able to change the format. There's just too much inertia behind how these things are already designed.

Finally, in my opinion the best mitigation we've come up with yet: application-level firewalls. These are things like, on Windows, ZoneAlarm, or on OS X, Little Snitch, or on Linux, Leopard Flower. What these do is, every time an application attempts to initiate a connection, this firewall will notify you and say, hey, your PDF reader is trying to connect to attacker.com, do you want to allow this? This is a pretty good mitigation for the vast majority of file formats. For instance, it will never be the case that I want WordPad to connect to a remote server, so I can say deny, deny, deny if my WordPad is trying to connect to a remote server. However, for playlist formats like M3U, that's kind of the whole point, is that they connect to remote servers, so you can't reliably say the application firewall fixes everything and is a panacea. Yeah, part of the reason we're talking
about all these different mitigations and how they do or don't work to various degrees is that we don't have a good solution for this. We don't have a fix; we're just trying to put more fuel on the fire. Another thing we thought about is warnings, and, you know, obviously there's some use to warnings, and some people will click through, but you'll at least be putting more information in the hands of the user. Obviously people click through warnings a lot of the time, so this is not necessarily helpful at all, but it might at least get you to stop and say, well, hold on, maybe this is not something I want to do. So you're at least giving more power to the user. You could also do something to just shut off networking capabilities for particular programs in general. For instance, Damon made the example with WordPad; you too, probably. I personally, and Damon apparently, don't want WordPad to ever communicate with the Internet, except maybe if it has to communicate to software update at microsoft.com, but beyond that, just never, just never at all. So for something like that it's easy, but it has the same problems as application-level firewalls. The other thing is that attempting to hook network calls in some programs is a lot cleaner than in others, and certain things proxychains will completely break on, because Chromium disables the LD_PRELOAD directive, so you can't use proxychains against Chrome, at least the last time I tried it. But there's also egress filtering; this is a good partial solution and this will at least prevent things like outbound SMB traffic leaving your organization or your home. You know, this is something that's a good idea in general, egress filtering, but again, you still need to let some things through, so you might be letting, you know, web traffic through, and that's sort of the way a lot of the privacy-violating tracking stuff
that we're able to do works. So if you think this stuff is cool and you want to play with it yourself and get your hands dirty, we have exactly what you want. We have created a tool that accepts as input all the various formats that we support and will output a bugged version of that same file. It's still a work in progress; it's like version 0.0.0, negative 1, alpha. Additionally, it's not yet on GitHub because we've been here this entire week and we haven't had connectivity, so it will be on there within the next one to two weeks, if you want to download this thing and bug your own files. And
at this point we're going to open it up for questions.

We're going to do a round of questions. Anybody over there on the mic? I see someone.

Did you find any issues with the file handlers, when Windows gives a preview, or OS X gives a preview of files? Did you find that would also initiate connections?

So the question is, did default file-handling rules prove to be any effective measure against this, or did they get in our way of doing this sort of thing? Is that what you're asking?

These are all really when you open, when you click on a file, but in Windows, for example, you can preview the file without actually opening a full version of it.

So you're asking if the previews are also vulnerable to this sort of thing? Yeah, that's not something we've tested. I can imagine for certain vectors it is. I can certainly postulate, like SVG files, it would be very likely that that would be vulnerable, because you can't properly display the image without loading the style sheets. So I would say it probably varies by format, and I would say we can't say authoritatively whether or not that's the case. Yeah, we can say with some certainty that some of them are likely to work even with preview, so anything that you have to visually render, probably it will work, anything like that. So like a video file where five seconds in it launches a URL, that's almost certainly not going to work. Right, I can say pretty certainly that's not going to work, but as previously stated we haven't tested it, so we can't say for certain. Find out on your own once we get the tool online. Thanks.

Cheers. Any other questions, or did we just cover it so well that nobody has any uncertainty left in their hearts? Yes. Finally, that one slide, the GitHub URL, if you're going to copy it down: we super duper promise that it will be there in one to two weeks. We have a somewhat working version on our laptops, but we have not yet found the person within NCC Group that knows how to put things at this URL, but we will find that person in one to two weeks and then it will be there.

All right, thank you Dan and Damon. Thank you, thank you all for listening.
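The anti-virus discussion in the talk says bugged files have fairly standard signatures. As an added example, not the speakers' tool or any code from the talk, here is a small Python scanner for the remote-reference constructs in RTF, PDF, SVG and M3U that the talk covers. The pattern table, the magic-byte sniffing and the embedded sample files are constructed for illustration, and the check is a heuristic that misses any format or construct outside its table, which is exactly the coverage gap the speakers describe.

```python
import re
from typing import Dict, List

# Illustrative patterns (assumed, not an exhaustive signature set) for
# constructs that can make a document reach out when it is opened.
REMOTE_URL = rb"(?:https?|ftp|file|smb)://[^\s\"'<>)}]+|\\\\[A-Za-z0-9.\-]+\\"
PATTERNS: Dict[str, List[bytes]] = {
    "rtf": [rb"\\field\b", rb"INCLUDEPICTURE", rb"\\objdata\b"],
    "pdf": [rb"/URI\b", rb"/Launch\b", rb"/GoToR\b", rb"/SubmitForm\b", rb"/JavaScript\b"],
    "svg": [rb"<\?xml-stylesheet[^>]*href=", rb"(?:xlink:)?href=[\"'](?:https?:)?//", rb"<script\b"],
    "m3u": [rb"^\s*(?:https?|smb|ftp)://"],
}
NAMESPACE_PREFIX = b"http://www.w3.org/"  # xmlns identifiers are not fetched; ignore them


def sniff(data: bytes) -> str:
    """Guess the container from its leading bytes (enough for the samples here)."""
    head = data.lstrip()[:64]
    if head.startswith(b"{\\rtf"):
        return "rtf"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"#EXTM3U"):
        return "m3u"
    if head.startswith(b"<?xml") or b"<svg" in data[:512]:
        return "svg"
    return "unknown"


def scan(data: bytes) -> Dict[str, object]:
    """Report trigger constructs and remote targets; flag when both are present."""
    fmt = sniff(data)
    constructs = [
        m.group(0).decode("latin-1")
        for pat in PATTERNS.get(fmt, [])
        for m in re.finditer(pat, data, re.IGNORECASE | re.MULTILINE)
    ]
    targets = [
        u.decode("latin-1")
        for u in re.findall(REMOTE_URL, data)
        if not u.startswith(NAMESPACE_PREFIX)
    ]
    # In a playlist any remote entry is itself the trigger; elsewhere an action
    # construct with no remote target (e.g. an RTF DATE field) is left alone.
    flagged = bool(constructs) and (fmt == "m3u" or bool(targets))
    return {"format": fmt, "constructs": constructs, "targets": targets, "flagged": flagged}


# Constructed sample files (inline, not real documents); tracker.example is a placeholder host.
SAMPLES: Dict[str, bytes] = {
    "bugged.rtf": (b"{\\rtf1\\ansi {\\field{\\*\\fldinst {INCLUDEPICTURE "
                   b"\"http://tracker.example/pixel.png\" \\\\d}}{\\fldrslt {}}}}"),
    "clean.rtf": b"{\\rtf1\\ansi {\\field{\\*\\fldinst {DATE}}{\\fldrslt {}}} Hello}",
    "bugged.pdf": b"%PDF-1.4\n1 0 obj << /S /URI /URI (http://tracker.example/open) >> endobj\n",
    "bugged.svg": (b"<svg xmlns='http://www.w3.org/2000/svg'>"
                   b"<image xlink:href='https://tracker.example/i.png'/></svg>"),
    "bugged.m3u": b"#EXTM3U\nhttp://tracker.example/stream.mp3\n",
    "clean.m3u": b"#EXTM3U\n/home/me/music/song.mp3\n",
}


def scan_all(samples: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each sample name to whether the heuristic flags it."""
    return {name: bool(scan(data)["flagged"]) for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, scan(data))
```

Run it to see, for each constructed sample, which construct fired and which host it would contact; a real deployment would pair a check like this with the egress filtering and application firewalls the speakers discuss, since none of them alone closes the gap.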