SANS ISC InfoSec Handlers Diary Blog


PHP Exploit Code in a GIF

Published: 2007-06-19
Last Updated: 2007-06-19 23:29:08 UTC
by Lorna Hutcheson (Version: 1)

So if you want to hide something, where is the best place to hide it?
In plain sight, of course.  We received an email from Steve Caligo
about a major image hosting website that contained more than you
bargained for in at least one image.  No, it's not stego or porn.  In
one particular image file, there was a PHP-coded exploit script.
Interestingly enough, the file itself contains a completely legitimate
1x1 GIF image at the beginning of the file.  Doing a quick check for
the filetype:

    $ file cmdscanvt6.gif
    cmdscanvt6.gif: GIF image data, version 89a, 1 x 1


So now you have exploit code in what appears to be a GIF file.  What
can you do with that?  Well, a couple of quick things come to mind.  One
idea was alluded to with the comment about hiding it in plain sight:
it is a clever way to pass exploit code to others without setting
off alarms or attracting attention, all while bypassing network
security tools.  Steve reported it to the website owners, and a
quick check back of the site now shows a completely different file
with the same name.  So who switched the image?  The person who
placed it there to begin with, or the folks running the website?

The second idea, completely untested at this point, is that PHP
will ignore everything else and just look for its delimiters, which
means it would be a great method for an RFI attack.
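
As an added example (not from the original diary or from Steve's
report): a Python check that goes past the magic bytes `file` looks
at, walking the GIF block structure to its trailer and reporting any
trailing data and any PHP open tags.  The function names and the
sample bytes are constructed for illustration.

```python
import re

# PHP open tags: "<?php", "<?=", or the short tag "<?" followed by whitespace.
PHP_TAG = re.compile(rb"<\?(?:php|=|\s)", re.IGNORECASE)

def gif_end_offset(data):
    """Walk the GIF block structure; return the offset just past the
    trailer byte (0x3B), or None if the data is not a well-formed GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        return None
    pos = 13                                    # header + logical screen descriptor
    if data[10] & 0x80:                         # global color table present
        pos += 3 * (2 << (data[10] & 0x07))
    try:
        while True:
            marker = data[pos]
            if marker == 0x3B:                  # trailer: image ends here
                return pos + 1
            if marker == 0x21:                  # extension: introducer + label
                pos += 2
            elif marker == 0x2C:                # image descriptor
                flags = data[pos + 9]
                pos += 10
                if flags & 0x80:                # local color table present
                    pos += 3 * (2 << (flags & 0x07))
                pos += 1                        # LZW minimum code size
            else:
                return None
            while data[pos] != 0:               # skip length-prefixed sub-blocks
                pos += data[pos] + 1
            pos += 1                            # sub-block terminator
    except IndexError:                          # truncated file
        return None

def inspect_image(data):
    """Report what a magic-byte check alone does not show."""
    end = gif_end_offset(data)
    return {
        "valid_gif": end is not None,
        "trailing_bytes": None if end is None else len(data) - end,
        "php_tag_offsets": [m.start() for m in PHP_TAG.finditer(data)],
    }

# Constructed sample input: a minimal 1x1 GIF89a, then the same bytes with an
# inert PHP comment appended after the trailer.
CLEAN_GIF = bytes.fromhex("474946383961" "01000100800000" "000000ffffff"
                          "2c000000000100010000" "02" "02440100" "3b")
SUSPECT = CLEAN_GIF + b"\n<?php /* constructed placeholder */ ?>\n"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("suspect", SUSPECT)):
        print(name, inspect_image(blob))
```

The tag scan covers the whole file rather than only the trailing
bytes, because text can also sit inside a GIF comment extension that
the structural walk accepts as valid.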

Regardless, it's interesting and scary to find a file that acts like a
regular GIF file but contains a script exploit.  Nice catch Steve,
thanks for passing it along!
