3

Symantec published a news article about a malvertising campaign targeting IE users with Java exploits (already known vulnerabilities). At some point they explain that the users are redirected to malicious domains using the following GET:

[image: the HTTP GET request and the server's response headers]

As we can see, the user is requesting Ilns0.gif, and accepts GZIP encoding.

Server replies with Content-Type: image/gif and delivers an infected .jar file.

How is it possible to use an incorrect type and still get the file loaded by the user? Why don't browsers alert you when a server delivers unexpected content?

ack__
  • 2,728
  • 14
  • 25

2 Answers

3

There's a longstanding issue (feature?) with IE doing Content Sniffing instead of just respecting Content-Type; this still exists largely for historical reasons. You do have the ability to disable it - MIME Type Detection references the Feature Controls - if you want to make your machine(s) more secure. It is still marginally useful since a common 'fix' server-side for unknown binary file types is to serve as application/octet-stream, which may cause things to not work as expected (videos may download instead of play, for example).

It's likely that this particular exploit just happens to use a gif because it'll get past email scanners, etc. more easily embedded in an <img> tag in an email.

Bob Watson
  • 2,856
  • 17
  • 29
  • Thanks, I didn't know about the Content Sniffing stuff. Although I don't see why it's seen as a security issue: the file's type/content should be checked by the browser, not defined by a server that of course can be controlled by an attacker! – ack__ Feb 10 '13 at 11:05
  • Still my question remains: the exploit is not using malicious mails to spread, only webservers controlled by the attacker, and I still wonder how it is possible that a modern browser doesn't alert you when a server tries to dissimulate a JAR file with an image Content-Type. This is undoubtedly a malicious action from the server. – ack__ Feb 10 '13 at 11:08
  • 1
    It arguably should; but it's a case of the browser looking at the file and trusting itself rather than the server. It's also easier to load something that looks like it may be a gif on yet another site (embedded in something user-controlled maybe?). – Bob Watson Feb 10 '13 at 11:11
2

How is it possible to use an incorrect type and still get the file loaded by the user?

If it were the browser loading it, it would indeed get handled as a GIF, and fail, in general. (There are content-sniffing problems in web browsers, but not ones that would trigger here.)

However, when you instantiate an applet with the <applet src>/<object data> attribute pointing at it, the Java plug-in loads the address as an applet class/jar, regardless of the Content-Type you serve it with.

(That's not a good behaviour, but it's a symptom of the continuing MIME malaise - browsers/plug-ins don't want to be strict about requiring correct media types because so many servers are set up wrong, but UAs being permissive about media types means that lazy admins don't have to set up their servers right...)

This is especially pernicious given that Java's bizarro version of the Same Origin Policy operates primarily on the source of the class/jar rather than the containing document page - if you can put an applet file on someone's server you can, to some degree, cross-site-script into it. However it doesn't look like the attack made any use of this - exploits work regardless of origin.

It's often difficult to spot this because it is (/was) possible to create a polyglot file that is a valid GIF and JAR at the same time ("GIFAR"). However, again, this hasn't been done here. The attacker can choose any filename/type they like for an applet, and apparently they thought a GIF would be less conspicuous than a JAR.

bobince
  • 12,494
  • 1
  • 26
  • 42
  • Thanks for that answer. I didn't know either that the "GIFAR" stuff was even possible. – ack__ Feb 11 '13 at 07:57
  • Also it's a sad thing that browsers' editors don't take the necessary measures to secure the MIME thing. It would be an efficient way to spot lots of malicious content, and even if most servers are set up wrong, they should do something to push the thing slowly (discreet warning messages, not loading by default, etc.). – ack__ Feb 11 '13 at 08:01
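Since, as the second answer says, the Java plug-in loads whatever the applet attribute points at regardless of Content-Type, the place where the mismatch can still be caught is a gateway or proxy that inspects the response body. The following is an added example written for this page (it is not code from the question, either answer, or Symantec's write-up) showing the two checks the answers call for: the declared Content-Type compared against the body's real leading bytes (the Ilns0.gif case, where image/gif carried a JAR, decoded from gzip first since the request advertised it), and a scan of the tail of the body for a ZIP end-of-central-directory record, which is what exposes a GIF/JAR polyglot that a leading-magic check alone would pass. The sample responses, the tiny GIF, the stand-in JAR and all function names are constructed for the example.

```python
"""Added example, not code from the question, either answer, or Symantec's post.
Gateway-side checks for the problems discussed above: a declared Content-Type
that disagrees with what the body really is (image/gif carrying a JAR), and a
GIF/JAR polyglot ("GIFAR") that a leading-magic check alone cannot see.
All sample responses are constructed; function names are this example's own."""
import gzip
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # first local file header of a ZIP/JAR
ZIP_EOCD = b"PK\x05\x06"           # End Of Central Directory record signature

# Constructed 1x1 GIF; only its header matters to the checks below.
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
            b"\x00\x02\x02D\x01\x00;")


def build_jar() -> bytes:
    """Constructed stand-in for the delivered .jar: a ZIP with a manifest and
    one placeholder entry (not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Applet.class", b"placeholder, not a class file")
    return buf.getvalue()


def sniff_type(body: bytes) -> str:
    """Classify by leading bytes, the way a sniffing UA starts out (tiny subset)."""
    if body.startswith(GIF_MAGICS):
        return "image/gif"
    if body.startswith(ZIP_LOCAL_HEADER):
        return "application/zip"   # a JAR is a ZIP with a META-INF/ directory
    return "application/octet-stream"


def find_zip_eocd(body: bytes):
    """Offset of a structurally valid EOCD record, or None.
    ZIP readers (Java's included) locate the archive from the tail, so a ZIP
    sitting behind a GIF header still opens as an archive."""
    tail_start = max(0, len(body) - 22 - 0xFFFF)   # 22-byte record + max comment
    pos = body.rfind(ZIP_EOCD, tail_start)
    while pos != -1:
        if pos + 22 <= len(body):
            comment_len = struct.unpack_from("<H", body, pos + 20)[0]
            if pos + 22 + comment_len == len(body):
                return pos
        pos = body.rfind(ZIP_EOCD, tail_start, pos)
    return None


def archive_entries(body: bytes) -> list:
    """Entry names if the body opens as a ZIP (prepended data is tolerated)."""
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def check_response(headers: dict, body: bytes) -> list:
    """Sorted finding codes for one HTTP response. Sniffing must run on the
    decoded entity, so a gzip Content-Encoding is undone first."""
    if headers.get("Content-Encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    declared = headers.get("Content-Type", "").split(";")[0].strip().lower()
    findings = set()
    if declared and declared != sniff_type(body):
        findings.add("type-mismatch")
    if find_zip_eocd(body) is not None:
        findings.add("archive-present")
        if not body.startswith(ZIP_LOCAL_HEADER):
            findings.add("polyglot")   # archive hiding behind another format's header
        if "META-INF/MANIFEST.MF" in archive_entries(body):
            findings.add("jar")
    return sorted(findings)


# Constructed responses: the question's case, an honest GIF, and a GIFAR-style body.
SAMPLE_CASES = {
    "Ilns0.gif (JAR served as image/gif, gzip-encoded)":
        ({"Content-Type": "image/gif", "Content-Encoding": "gzip"},
         gzip.compress(build_jar())),
    "honest GIF": ({"Content-Type": "image/gif"}, TINY_GIF),
    "GIF/JAR polyglot": ({"Content-Type": "image/gif"}, TINY_GIF + build_jar()),
}


def run_cases() -> dict:
    """Map each sample case name to its findings."""
    return {name: check_response(h, b) for name, (h, b) in SAMPLE_CASES.items()}


if __name__ == "__main__":
    for name, findings in run_cases().items():
        print(f"{name}: {findings or 'clean'}")
```

The first case is the one from the question: the body is a ZIP, so both a type mismatch and a JAR manifest are reported. The third case declares image/gif and really does begin with a GIF header, so a sniffing browser and a magic-byte filter both see an image; only the tail scan for the end-of-central-directory record reveals that a JAR is also present, which is the GIFAR situation the second answer describes. A filter that stops at the leading bytes therefore needs the second check to be useful against applet delivery.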