Gifar
Graphics Interchange Format Java Archives (GIFAR) is a term for GIF files combined with the JAR file format. Altered GIF files can be uploaded to Web sites that allow image uploading, and run code that works inside that site.
In this attack, GIF Java archive files (GIFARs) are uploaded to Web sites, and modified GIF files run code through any one viewing (opening) such a file. This method gets around the "same origin policy" that browsers impose; bypassing the content validation usually used. Attackers reference this malicious image in the applet code on the hosted site, establishing cross-domain communication with the (your) target domain.
This technique worked because GIF images (along with other file types: it is not only GIFs and JARs that can act this way. There is a general class of vulnerabilities of file type combinations such as .doc, .jpg, etc.) store their header in the beginning of the file, and ZIP archives (which is what JAR files are made of) store their data at the tail.
In short, a GIFAR allows a hacker to piggy back off the victim’s cookies.
GIFAR is a photo that can "borrow" your online credentials and take over Web surfers' accounts.
GIFAR is not executable code that gets run when you view an image.
For the attack to work, the victim must be logged into the Web site that is hosting the image.
Vulnerable sites
Any site that includes login sessions with user-uploaded pictures can be vulnerable.
Java ARchive
Filename extension |
.jar |
---|---|
Internet media type |
application/x-java-archive |
Uniform Type Identifier (UTI) | com.sun.java-archive |
Developed by | Netscape, Sun Microsystems, Oracle Corporation |
Type of format | file archive, data compression |
Extended from | ZIP |
JAR files are built on the ZIP file format and have the .jar
file extension. Computer users can create or extract JAR files using the jar
command that comes with a JDK. They can also use zip
tools to do so; however, the order of entries in zip file headers is important when compressing, as the manifest is often first.
.JARs are .ZIP files that are renamed so that Java, set as the default program, opens it. The zip file format allows for a metadata comment to occur at the end of the file after the central directory.[1] In zips, because the central directory specifies the offset of each file with respect to the start, it is possible for the first file entry to start at an offset other than zero.
This allows arbitrary data to occur in the file both before and after the zip archive data, and for the archive to still be read by the zip application. A side effect of this is that it is possible to author a file that is both a working zip archive and another format; provided that the other format tolerates arbitrary data at its beginning, middle, or end. Self-extracting archives (SFX) of the form supported by WinZip and DotNetZip, take advantage of this--they are .exe files that conform to the PKZIP AppNote.txt specification and can be read by compliant zip tools or libraries.
This property of the zip and the JAR format (which is a variant of zip) can be exploited to hide harmful Java classes inside a seemingly normal file, such as a GIF image uploaded to the Web. The so-called "GIFAR" exploit has been demonstrated as an effective attack against Web applications such as Facebook.[2]
This made it possible to allow a "considered-safe" site to run Java. For example, a Webmaster could host this file on their site by saying that it is an applet--or an attacking party could upload a GIFAR to an image host; and the end-user's browser would run the applet because it is stated safe.
JAR Design
- JAR files are intended to be executed as standalone programs.
- This file allows Java runtimes to easily deploy a set of classes.
- The elements in a JAR file can be compressed, which, along with the ability to download an application in one request, makes downloading a JAR file faster than separately downloading the many files which would form a single application.
- To unzip a JAR file, users can use any unzip software. However, those with an installed Java Virtual Machine can use this command to expand such a file:
jar -xf foo.jar
- Developers can digitally sign JAR files. In this case, the signature becomes part of the (embedded) manifest file. The JAR is not signed, but every file inside the archive is listed, along with each file's signed checksum. Multiple entities may sign the JAR file (which changes the JAR file itself with each signing). When a Java runtime loads signed JAR files, it validates the signature(s) and avoids classes that do not match. This prevents malicious code from being inserted.
- Developers can obfuscate JAR files so that a user of the JAR file doesn't get information regarding the code it contains.
- Microsoft Windows users who prefer having Windows EXE files can wrap JAR files into executables.
- The Apache Ant build tool can read and write Zip and JAR archives, including support for the Unix extensions.
SUN & JRE
In GIFARs, the Java VM recognizes the JAR part which is run as an applet in the victim's browser as though it were written by the Web site's developers.
Though Sun has patched the Java vulnerability (in advisory #244988 (as of versions JDK and JRE 6 Update 11 (December 2, 2008), JDK and JRE 5.0 Update 17, and SDK and JRE 1.4.2_19)., because some users run installed versions of Java pre-dating the JRE patch, this issue needs to be addressed as an issue of browser security. Sun's patch does not, however, stop applications from taking ownership of user-supplied content.
From Sun; “...applets are not allowed to open network connections to any computer, except for the host that provided the .class files.” One is capable of uploading a GIFAR to a site as they will validate as images. You can include an embed pointing to that GIFAR in another page (hosted anywhere) and make people stumble onto it. It will be allowed to make any network connections it wants to that site in their name.
With the applet running, the hacker(s) can access the victim's account(s).
GIFs
An animated GIF. | |
Filename extension |
.gif |
---|---|
Internet media type |
image/gif |
Type code | GIF GIFf |
Uniform Type Identifier (UTI) | com.compuserve.gif |
Magic number | GIF87a /GIF89a |
Developed by | CompuServe |
Type of format | Raster graphics image format |
The Graphics Interchange Format (GIF) is based off of a GIF file bitmap image format that was introduced by CompuServe in 1987. GIF is in widespread use on the World Wide Web due to its wide support.
GIF images are compressed using the Lempel-Ziv-Welch (LZW) lossless data compression technique to reduce file size without degrading visual quality. This technique was patented in 1985 by Unisys. All relevant patents have expired.
GIF stores multiple images in one file. This technique is used extensively on the Web to produce simple animations.
GIF was one of the first two image formats commonly used on Web sites. CompuServe's GIF appeared in 1987 to provide a color image format to replace the run-length encoding (RLE) format, which was black and white XBM. GIF became popular because it could use data compression, which enabled large images to be downloaded in a short time.
JPEG came later, with the Mosaic browser.
Usage and color
- GIFs are suitable for sharp-edged line art, such as logos, with a limited number of colors. This takes advantage of its lossless compression, which favors flat areas of uniform color with defined edges.
- GIFs can be used to store low-color data for logos, static images, small animations, and low-resolution film clips.
- GIF is not a format commonly used for digital photography. Photographers use file formats capable of reproducing a greater range of colors, such as TIFF, RAW or JPEG.
- As a refinement, a technique called dithering has been used to approximate a wider range of colors by using colored pixels to approximate in-between colors. These techniques mimic higher color resolution. Dithering interferes with the compressibility of image data--working against GIF's main purpose.
- GIF can generate 24-bit RGB truecolor images.
- GIF files can support transparency.
- GIFs can be created without compression. Before the GIF patent expired, this was done as a way to avoid infringement.
- GIFs can be interlaced. This allows a partial display of the image that can be recognized before the full image is painted.
- Frame animation was added to the GIF89a spec. Animation displays the sequence of frames; stopping when the last frame is displayed, and sometimes signaled to repeat.[3]
Solutions
Some solutions to this issue may be: If you are the Web surfer, update to the latest version of JRE. Webmasters cannot ensure that their customers will be protected because they cannot control the JRE version that their users run.
If you host images, run a backend script that verifies the absence of jar files appended to vulnerable file types (Reference http://securethoughts.com/2009/01/easy-server-side-fix-for-the-gifar-security-issue | A solution that could help an developer filter malicious jar content server side). If the application is able to restrict the upload of malicious files, it solves the problem without worrying about which version of JRE the client is running.
This is ultimately a Web application issue. When a Web app chooses to take ownership of a user-controlled file, serving it from their domain, it weakens the integrity of the domain. The impact of these attacks could also be minimized if Web applications that took user-controlled files served those files from a “throw away” domain. As an application developer, you can also prevent these types of attacks by using a separate domain for user-influenced files.
References
- ".ZIP File Format Specification - Version 6.3.6". PKWARE Inc. April 26, 2019.
- "A photo that can steal your online credentials".
- "All About GIF89a".
External Links
Wikimedia Commons has media related to GIF. |
- LZW and GIF explained
- Web Graphics discusses and illustrates the differences between GIF, JPEG and PNG formats
- hijacking HTTP sessions via crafted files
- Java Archive (JAR) Files
- JAR File Overview