From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Graphics Interchange Format Java Archives (GIFAR) is malware that allows an attacker to piggyback off the victim’s HTTP cookies. A GIFAR is a photo that can "borrow" a victim's online credentials, possibly taking over the web user's session.

GIFAR is a Graphics Interchange Format (GIF) image file combined with a JAR file. Altered GIF files can be uploaded to Web sites that allow image hosting, and run code that works inside that site.

In this attack, GIF Java archive files (GIFARs) run code through anyone viewing (opening) such a file. This method gets around the browser-imposed "same-origin policy" to bypass the usual content validation. Attackers reference this malicious image in the applet code on the hosted site, establishing cross-domain communication with the target domain. The GIFAR exploit has been demonstrated as an effective attack against Web applications such as Facebook.

This technique works because GIF images (along with other file type combinations that host a general class of vulnerabilities such as .doc, .jpg, etc.) store their header in the beginning of the file, and JAR (ZIP) files store their data in the end.

GIFAR is not executable code that gets run when you view an image. For the attack to work, the victim must be logged into the Web site that is hosting the image. Any site that includes login sessions with user-uploaded pictures can be vulnerable.

SUN and the JRE[edit]

In GIFARs, the Java VM recognizes the JAR part which is run as an applet in the victim's browser as though it were written by the Web site's developers.

Though Sun has patched the Java vulnerability (in advisory #244988 (as of versions JDK and JRE 6 Update 11 (December 2, 2008), JDK and JRE 5.0 Update 17, and SDK and JRE 1.4.2_19)., because some users run installed versions of Java pre-dating the JRE patch, this issue needs to be addressed as an issue of browser security. Sun's patch does not, however, stop applications from taking ownership of user-supplied content.

From Sun; “...applets are not allowed to open network connections to any computer, except for the host that provided the .class files.” One is capable of uploading a GIFAR to a site as they will validate as images you can include an embed pointing to that GIFAR in another page (hosted anywhere) and make people stumble onto it. It will be allowed to make any network connections it wants to that site in their name. With the applet running, the hacker(s) can access the victim's account(s).

If the application is able to restrict the upload of malicious files, it solves the problem without worrying about which version of JRE the client is running. When a Web app chooses to take ownership of a user-controlled file, serving it from their domain, it weakens the integrity of the domain. The impact of these attacks could also be minimized if Web applications that took user-controlled files served those files from a “throw away” domain.

External links[edit]