||This article includes a list of references, related reading or external links, but its sources remain unclear because it lacks inline citations. (April 2012)|
Graphics Interchange Format Java Archives (GIFAR) is malware that allows an attacker to piggy back off the victim’s HTTP cookies. A GIFAR is a photo that can "borrow" a victim's online credentials, possibly taking over the web user's session.
In this attack, GIF Java archive files (GIFARs) run code through anyone viewing (opening) such a file. This method gets around the browser-imposed "same-origin policy" to bypass the usual content validation. Attackers reference this malicious image in the applet code on the hosted site, establishing cross-domain communication with the target domain. The GIFAR exploit has been demonstrated as an effective attack against Web applications such as Facebook.
This technique works because GIF images (along with other file type combinations that host a general class of vulnerabilities such as .doc, .jpg, etc.) store their header in the beginning of the file, and JAR (ZIP) files store their data in the end.
GIFAR is not executable code that gets run when you view an image. For the attack to work, the victim must be logged into the Web site that is hosting the image. Any site that includes login sessions with user-uploaded pictures can be vulnerable.
SUN and the JRE
|This section does not cite any references or sources. (April 2012)|
In GIFARs, the Java VM recognizes the JAR part which is run as an applet in the victim's browser as though it were written by the Web site's developers.
Though Sun has patched the Java vulnerability (in advisory #244988 (as of versions JDK and JRE 6 Update 11 (December 2, 2008), JDK and JRE 5.0 Update 17, and SDK and JRE 1.4.2_19)., because some users run installed versions of Java pre-dating the JRE patch, this issue needs to be addressed as an issue of browser security. Sun's patch does not, however, stop applications from taking ownership of user-supplied content.
From Sun; “...applets are not allowed to open network connections to any computer, except for the host that provided the .class files.” One is capable of uploading a GIFAR to a site as they will validate as images you can include an embed pointing to that GIFAR in another page (hosted anywhere) and make people stumble onto it. It will be allowed to make any network connections it wants to that site in their name. With the applet running, the hacker(s) can access the victim's account(s).
If the application is able to restrict the upload of malicious files, it solves the problem without worrying about which version of JRE the client is running. When a Web app chooses to take ownership of a user-controlled file, serving it from their domain, it weakens the integrity of the domain. The impact of these attacks could also be minimized if Web applications that took user-controlled files served those files from a “throw away” domain.
- LZW and GIF explained
- Web Graphics Discusses and illustrates the differences between GIF, JPEG and PNG formats
- hijacking HTTP sessions via crafted files
- Java Archive (JAR) Files
- JAR File Overview
- A photo that can steal your online credentials