Backdooring File Type X or Making a program do what it’s supposed to do…
You know what I'm fed up with... people making "security" related discoveries that aren't really discoveries... they're just common sense....
There are two guilty parties here that I'm extremely unhappy with: David Kierznowski and pdp. David actually made the news for his Backdooring PDFs blog.... pdp has had several Backdooring .Mov, Backdooring Flash, and Backdooring MP3s..
Let's take a look at each of these..
- PDF - Portable Document Format - A document that is entirely self-contained and cross-platform... These documents essentially have to be "compiled" from other documents... sort of like an executable being compiled from source code. It makes sense that they support their own programming language, which in this case happens to be a JavaScript variant. This isn't a software flaw; it's functional software being used for malicious purposes.
- MOV - QuickTime Movie Files - These files quite commonly open a link to the artist's page or the movie's page... They have the ability to open a link, and that's exactly what they are doing.
- Flash - This was one I really enjoyed reading... How Flash could have a trojan or virus contained in it... and then he demonstrates a JavaScript alert... Again... the program opening a page exactly as it was written to do.
- MP3 - MPEG-1 Audio Layer 3 - This was my favourite one... these aren't actually MP3s... they're playlist files that have been renamed to .mp3... So a whole lot of FUD over nothing. If an "MP3" is 100 bytes and advertises itself as a full song... obviously it isn't one. Again, though, it's a playlist file functioning as it is supposed to.
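The four cases above come down to two checks a defender can actually run: does the file's content match its extension (the "MP3" that is really a text playlist), and does a genuine PDF carry the action tokens that make it do more than render text (JavaScript, OpenAction, URI, Launch). The script below is an added example, not code from the post or from either author; the signature table and sample files are constructed for illustration.

```python
import re

# Constructed table of (offset, signature) pairs a genuine file of each type starts with.
# A playlist renamed to .mp3 will match none of the .mp3 entries.
MAGIC = {
    ".mp3": [(0, b"ID3"), (0, b"\xff\xfb"), (0, b"\xff\xf3"), (0, b"\xff\xf2")],
    ".pdf": [(0, b"%PDF-")],
    ".mov": [(4, b"ftyp"), (4, b"moov"), (4, b"mdat"), (4, b"wide")],
}

# Text that gives away a playlist file (M3U, PLS, ASX, or bare URLs).
PLAYLIST_MARKERS = (b"#extm3u", b"[playlist]", b"<asx", b"http://", b"https://")

# PDF name tokens that turn a document into something that acts, not just renders.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|URI|SubmitForm)\b")


def inspect(filename, data):
    """Return a list of findings for one file, given its name and raw bytes."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    sigs = MAGIC.get(ext)
    if sigs is not None and not any(data[off:off + len(sig)] == sig for off, sig in sigs):
        findings.append(f"extension {ext} does not match content signature")
        if any(m in data[:512].lower() for m in PLAYLIST_MARKERS):
            findings.append("content looks like a text playlist, not audio/video")
    if data.startswith(b"%PDF-"):
        tokens = sorted({m.group(1).decode() for m in PDF_ACTIVE.finditer(data)})
        if tokens:
            findings.append("PDF carries active content: " + ", ".join(tokens))
    return findings


# Constructed samples mirroring the cases in the post.
FAKE_MP3 = ("song.mp3", b"#EXTM3U\nhttp://example.invalid/clip.mov\n")
REAL_MP3 = ("song.mp3", b"ID3\x04\x00\x00\x00\x00\x00\x10" + b"\x00" * 16)
ACTIVE_PDF = ("doc.pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog "
              b"/OpenAction << /S /JavaScript /JS (app.alert\\(1\\)) >> >> endobj\n")
PLAIN_PDF = ("doc.pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n")
REAL_MOV = ("clip.mov", b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 8)

if __name__ == "__main__":
    for name, blob in (FAKE_MP3, REAL_MP3, ACTIVE_PDF, PLAIN_PDF, REAL_MOV):
        print(name, inspect(name, blob) or ["no findings"])
```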
Every one of these blog posts by both of them is nothing more than FUD generation. The fact that they invested so much time into these "vulnerabilities" tells me something about the.... something I think everyone can come to on their own without me mentioning it.
Then there's the issue of calling these backdoors... Do they know what a backdoor is? By definition this is not a backdoor:
A backdoor in a computer system (or a cryptosystem, or even in an algorithm) is a method of bypassing normal authentication or obtaining remote access to a computer, while intended to remain hidden to casual inspection. The backdoor may take the form of an installed program (e.g., Back Orifice) or could be a modification to a legitimate program.
These people really make me wonder... why not a new one on how to backdoor an exe by writing the source code and compiling it? These all rely on the fact that your browser allows JavaScript to execute (except perhaps the PDF one, because Acrobat includes its own version of JavaScript)... These should be called "Covert ways to enter a JavaScript statement into a browser"... They aren't vulnerabilities and they are not backdoors... They are legitimate uses of the software. Another interesting note is that each time they referred to a file format... However, the PDF "backdoor" requires Acrobat... it doesn't work on other PDF readers... the MP3 "backdoor" requires QuickTime and the browser plugin (since it's the browser that actually executes the JavaScript), and like I mentioned it's not actually MP3s but renamed playlist files. The MOV one is another example that requires QuickTime, and more specifically the QuickTime plugin...
Perhaps the message should be -- Don't allow your browser to execute JavaScript without your permission.... or don't open files you don't trust... but to suggest an inherent flaw in either a file format or a type of software because it's doing what it's supposed to do...
Consider this my security advisory -- Programs do what they are coded to do... and you may not be aware of all of their functionality.
Peace,
HT

“why not a new one on how to backdoor an exe by writing the source code and compiling it”
LOL!
“Perhaps the message should be — Don’t allow your browser to execute javascript without your permission…. or don’t open files you don’t trust… ”
Which is what we try to tell lusers anyway… And, if they were willing to listen to our advice, they might not fall into half the traps whose consequences we have to fix.
Back to the article – good points. The best: “Another interesting note is that each time they referred to a file format…” and yet it had to do with particular apps opening those files, not the format, and those apps doing what they and the format were designed to do…
Thanks for the comment J_K9…
For everyone following this story, feel free to jump over and digg this story here.
There are also two blogs with ongoing discussions on this topic. These discussions can be found at AntiOnline and TazForums.
Duh…. of course PDFs are evil + can allow files to be backdoored… I call this blog entry more FUD… people should be aware that PDFs are evil and can trick users into visiting a web site…. since when did opening a pdf = open my web browser without asking me?
Excellent points in there, really makes you wonder how these so called security ‘experts’ actually got their titles? Do they just draw them out of a hat or something? I mean can I call myself a world class chef? Why not, I make spaghetti quite well most of the time. And I can make a mean slice of toast…..
HTRegz, you have mentioned some interesting points (flames aside). Unfortunately, I was only able to read this post now – months after its release. It would have been nice to have commented sooner.
I can’t speak for pdp, although I think his work on the above-mentioned has been fantastic. We have already seen sites like MySpace and packages like phpBB being compromised through these techniques.
As for the PDF vulnerability. You have only mentioned one of them. The one that was the real concern (ironically the one you haven’t mentioned) was the ability to “backdoor” a PDF file with code that allows an attacker to remotely enumerate and dump information (via Adobe’s web services functionality) from databases connected to the client’s ODBC.
The other vulnerability exploited a trust relationship between the browser and Acrobat. Great for shared document management applications.
As for the “backdoor” terminology, read my recent post:
http://michaeldaw.org/papers/backdooring-the-web-1/
As they say any publicity is good publicity
I don’t consider these backdoors, yes I read your recent post.. I don’t entirely agree with it. That’s probably because I don’t always agree with Wikipedia definitions and you’ve based yours off the Wikipedia definition.
The PDF vuln that I didn’t mention, for example, isn’t a backdoor… It’s an information disclosure vuln. One of the big problems that I have is that calling everything a “backdoor” causes the type of vuln to lose its meaning.
I also like other definitions of backdoor, which include “back door: an undocumented way to get access to a computer system or the data it contains” (Princeton Wordnet). Many of these features aren’t undocumented… They are designed to allow links… That’s not an undocumented way… That’s program design.. Poor program design yes… but that’s it… Unfortunately I can’t discuss this more now, but I’d love to have an offline discussion with you on the subject.