Thread: Making Programs do what they're supposed to do.

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915

    Making Programs do what they're supposed to do.

    Full Title: Backdooring File Type X or Making a program do what it’s supposed to do…
    Original Posting: http://www.computerdefense.org/?p=110


    You know what I’m fed up with… people making “security” related discoveries that aren’t really discoveries… they’re just common sense….

    There are two guilty parties here that I’m extremely unhappy with: David Kierznowski and pdp. David actually made the news for his Backdooring PDFs blog…. pdp has had several Backdooring .Mov, Backdooring Flash, and Backdooring MP3s..

    Let’s take a look at each of these..

    * PDF - Portable Document Format - A Document that is entirely self-contained and cross platform… These documents have to, essentially, be “compiled” from other documents… sort of like an executable being compiled from source code. It would make sense that they support their own programming language, which in this case happens to be a javascript variant. This isn’t a software flaw, it’s functional software being utilized completely for malicious reasons.
    * MOV - Movie Files - These files quite commonly open a link to the artists page or the movies page… They have the ability to open a link and that’s exactly what they are doing.
    * Flash - This was one I really enjoyed reading… How Flash could have a trojan or virus contained in it… and then he demonstrates a javascript alert… Again… the program opening a page exactly like it was written to do.
    * MP3 - MPEG-1 Audio Layer 3 - This was my favourite one… this isn’t actually MP3s… it’s playlist files that can be named mp3.. So a whole lot of FUD over nothing. If an MP3 is 100 bytes and advertises itself as a full song… obviously it isn’t.. Again though, it’s a playlist file functioning as it is supposed to.

    Every one of these blog posts by both of them is nothing more than FUD generation. The fact that they invested so much time into these “vulnerabilities” tells me something about the…. something I think everyone can come to on their own without me mentioning it.

    Then there’s the issue of calling these backdoors… Do they know what a backdoor is… by definition this is not a backdoor

    A backdoor in a computer system (or a cryptosystem, or even in an algorithm) is a method of bypassing normal authentication or obtaining remote access to a computer, while intended to remain hidden to casual inspection. The backdoor may take the form of an installed program (e.g., Back Orifice) or could be a modification to a legitimate program.

    These people really make me wonder… why not a new one on how to backdoor an exe by writing the source code and compiling it. These all rely on the fact that your browser allows javascript to execute (except perhaps the PDF one because Acrobat includes its own version of javascript)… These should be called “Covert ways to enter a javascript statement into a browser”… They aren’t vulnerabilities and they are not backdoors… They are legitimate uses of the software. Another interesting note is that each time they referred to a file format… However the PDF “backdoor” requires Acrobat… it doesn’t work on other PDF Readers… the MP3 “backdoor” requires Quicktime and the browser plugin (since it’s the browser that actually executes the javascript) and like I mentioned it’s not actually MP3s but renamed playlist files. The MOV one is another example that requires Quicktime and more specifically the quicktime plugin…

    Perhaps the message should be — Don’t allow your browser to execute javascript without your permission…. or don’t open files you don’t trust… but to suggest an inherent flaw in either a file format or a type of software because it’s doing what it’s supposed to do…

    Consider this my security advisory — Programs do what they are coded to do… and you may not be aware of all their functionality.

    Peace,
    HT
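
The point in the post above about "MP3s" that are really renamed playlist files can be checked mechanically. This is an added example, not part of the original post: the function names, the M3U-style sample and the heuristics (first bytes only, printable-text ratio, URL scheme match) are assumptions chosen for illustration.

```python
import re

# A URL scheme appearing in a file that claims to be audio is the tell-tale here.
URL_RE = re.compile(rb"(?:https?|javascript):", re.IGNORECASE)

def looks_like_mpeg_audio(data: bytes) -> bool:
    """True if data starts with an ID3v2 tag or a plausible MPEG audio frame header."""
    if data[:3] == b"ID3":
        return True
    # Frame header: 11 sync bits set, then version/layer/bitrate/sample-rate fields.
    if len(data) >= 4 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        version = (data[1] >> 3) & 0x03     # 01 is reserved
        layer = (data[1] >> 1) & 0x03       # 00 is reserved
        bitrate = (data[2] >> 4) & 0x0F     # 1111 is invalid
        samplerate = (data[2] >> 2) & 0x03  # 11 is reserved
        return version != 1 and layer != 0 and bitrate != 0x0F and samplerate != 3
    return False

def mostly_text(data: bytes, threshold: float = 0.95) -> bool:
    """True if nearly all bytes are printable ASCII or common whitespace."""
    if not data:
        return False
    printable = sum(1 for b in data if b in (9, 10, 13) or 32 <= b < 127)
    return printable / len(data) >= threshold

def classify(name: str, data: bytes) -> str:
    """Classify a file named *.mp3 by content rather than by extension."""
    if not name.lower().endswith(".mp3"):
        return "not-checked"
    if looks_like_mpeg_audio(data):
        return "audio"
    if mostly_text(data[:4096]) and URL_RE.search(data):
        return "text-with-url"   # e.g. a playlist or link file renamed to .mp3
    return "unknown"

# Constructed samples (not taken from any real file).
SAMPLES = {
    "song.mp3": b"\xff\xfb\x90\x00" + b"\x00" * 413,            # MPEG-1 Layer III frame
    "tagged.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\x00" * 10,
    "fake.mp3": b"#EXTM3U\nhttp://example.invalid/track1.mp3\n",  # M3U-style text
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} {len(data):5d} bytes  {classify(name, data)}")
```

The check only inspects the leading bytes, so it is a triage heuristic; text encoded with a byte-order mark, for instance, can resemble a frame header.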

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Hrmm..

    Don’t allow your browser to execute javascript without your permission…. or don’t open files you don’t trust…
    Again, going back to your original "theory" so to speak of:

    discoveries that aren’t really discoveries… they’re just common sense….
    In my opinion, security practices such as those aren't ones that people should document or write about. That's like saying, let me write a book telling people don't walk into oncoming traffic, IMO. If you need to be told that, there's probably something wrong with you..

    Good article and good read all the same, HTRegz. Ya just hate seeing people do/say some rather bone-headed things sometimes.

    EDIT: As for the programs doing this that the other, "Programs do what they are coded to do" ends that story. Thank you. =]
    Space For Rent.. =]

  3. #3
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    True, they are doing what they are designed to do, but that
    doesn't mean that there is no security concern here. I had a
    1949 chevy pickup truck that would start without a key.
    It was designed that way! You could insert the key,
    turn it one notch and remove the key. After that it would
    start without the key because it was unlocked. A
    convenience feature no doubt. They don't design them that
    way any more because security requirements have changed.

    A wma file is capable of doing automatic license acquisition,
    but can be exploited to download whatever the creator wants.
    I suspect the mov files can be exploited too. Yeah, they are
    designed that way, but it isn't necessarily a good idea.
    I came in to the world with nothing. I still have most of it.

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Originally posted here by rcgreen
    True, they are doing what they are designed to do, but that
    doesn't mean that there is no security concern here. I had a
    1949 chevy pickup truck that would start without a key.
    It was designed that way! You could insert the key,
    turn it one notch and remove the key. After that it would
    start without the key because it was unlocked. A
    convenience feature no doubt. They don't design them that
    way any more because security requirements have changed.
    That was a feature... You could turn it back to the locked position at any point... and you again needed the key. Whether or not you decided to leave it locked/unlocked was your choice... I know people that still leave their cars unlocked.... Those are options that are available to you... the choice is yours to make... Cars are still designed with doors that you can leave unlocked... It's your choice to engage the security..

    If you want to use cars as the example.. I have friends that go out on a cold morning, start the car and then lock the doors to leave it running for a few minutes.. then they take the separate door key and open the door when they are ready to leave... Now you have a single key that provides access to everything (That's weaker security in my opinion) and you have cars with doors that you can't lock when there's a key in the ignition... Which forces people who want to start their car early to leave their cars unlocked (a step backwards in security)..

    In the end though we're talking not about a "feature" but program functionality... comparing it to cars would be much simpler... "Acrobat can execute JavaScript".... "Your Car can Start".. perhaps if you wanted to prevent someone from executing javascript you'd disable that option... or if you wanted someone to not steal your car you'd disconnect the battery cable... You don't disconnect your battery cable because it's less convenient for you... It's acceptable risk... Allowing JavaScript to run is the same thing.... You don't run around saying "Oh my god... if you don't disconnect your battery a malicious person could still start your car"... which is essentially what these people are saying.

    A wma file is capable of doing automatic license acquisition,
    but can be exploited to download whatever the creator wants.
    I suspect the mov files can be exploited too. Yeah, they are
    designed that way, but it isn't necessarily a good idea.
    I'm assuming you're talking about the stuff that Ed Botts published a year and some ago.. I see a difference here and I see you doing the same thing these guys are doing.. The flaw exists in WMP not the wma files... Yes the files have the corrupt content, the invalid license links... but it's the way WMP deals with this that is the problem... Which is the first problem I had with the guys above... giving incorrect information... relating it to filetypes instead of specific versions of software. WMP10 also provided out of the box protection via user prompts for this.. This is different... it's javascript.... Javascript is not the most deadly thing in the world... Usually the dangerous XSS is one that's inline on a site... Say XSS embedded in AO that would give someone your AO cookie... using javascript independently of a page isn't going to lead to cookie theft... Also with the wma issue... WMP was actually downloading the files.... (because of how closely it ties with IE)... with the issues these guys are publishing it opens a separate program with a url.... a valid url... something that people want their software to be able to open... The fact that javascript is run is not related to the software (except in the Adobe case) but related to the browser's ability to run it...

    Calling these vulnerabilities is wrong... These files are performing a function... could that function present a minimal security risk... yes... Does it need an advisory and is it a vulnerability no... are you exploiting anything... no... You are partaking in a type of social engineering... that is all.... The software is doing what it was designed to do... you are simply taking advantage of a person to make them use the file you provide.

    Peace,
    HT

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    I've submitted this post to digg -- Digg me (the original blog post) and I've linked to AO in the comments...

    [edit]
    Here's the link through TinyURL since AO can't seem to handle this link -- http://tinyurl.com/ngh7o
    [Edit]

    Anyone who wants to give me a hand to get this thing dugg click the link above.

    Peace,
    HT

    [Edit]
    Hrm... AO Really butchers digg links

    the link is

    Edit Number 2 -- Attempting it in a quote.
    [/Edit]

  6. #6

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Click on the digg link you posted. It doesn't work... the CDO links work fine.. but AO can't deal with digg.. I think it's a length issue.
