Cyber Security Expo
Exploring Below the Surface of the GIFAR Iceberg by Ron Brandis on 08/04/09

The GIFAR threat reported at Blackhat USA 2008 1 uses the concept of combining files such as a GIF image and a Java Archive (JAR), hence the GIFAR name, to enable malicious code execution. A GIFAR can thus be considered a delivery mechanism.

The GIFAR concept was judged by peers to be the top web hacking technique of 2008.

Discovery of the GIFAR threat is credited to the researchers Billy Rios (http://xsİ\ and Petko D. (pdp) Petkov (İ\jarİ\attacksİ\andİ\features); who worked independently on this concept.

Inspired by its standing as the best web attack of 2008, and unable to locate much information on the Internet, apart from the considerable hype surrounding the Blackhat presentation, I performed some limited research into GIFARs. This whitepaper documents my research and findings.

I do not intend to examine all the possible types of Java classes etc., which can be used as payloads, nor to explore why the JVM apparently fails to protect against GIFARs. Instead I report on my attempts at creating image and .docx GIFARs with two types of applet payloads. One payload makes a hidden network tunnel to the evil web server. The other payload requires the user to accept a forged, signed certificate for the applet.

As an interesting aside, almost 10 years ago I, along with many others around the world, conducted research into the use of steganography and covert channels within images for data egress. Despite this research, no one published on the possibilities of this GIFAR concept being a successful attack vector. This could either point to its limited effectiveness, or raise the questions of whether other attack vectors from the past need to be revisited ¨C and people say Java applets are dead!

Just as icebergs only reveal a small amount with most hidden from view underwater, so I suspect this could only be the tip of interesting attacks to come. I am no Java guru and have not fully explored all of the various Java classes which can be used in these types of attacks. And while the Java security manager offers some protection in this instance, it may be that some trusted class will be identified to bypass the security model.

This document is in PDF format. To view it click here.

Rate this article

All images, content & text (unless other ownership applies) are © copyrighted 2000 -  , All rights reserved. Comments are property of the respective posters.