Hello, and welcome to the fabulous executable image exploit. What I'm going to show you is a very, very simple set of concepts. And the exploit is not so much the technique. It's what you do with the technique, okay? So here's what you're going to learn. You're going to learn the origins of this little exploit and some of the quote-unquote legitimate reasons for doing some of this stuff. You're going to learn the difference between what I refer to as executable and static images. You're going to learn how to create images with PHP and the GD library. Importantly, you're going to learn how to fool your own server into executing what looks like an image. So it'll interpret it as a script instead of sending it off to a browser as an image. And I'm going to teach you how to do some really cool things with web 2.0 websites.

What you will not learn, okay? This is not the GDI exploit that some of you might be familiar with. What that was, was they played around with the headers of JPEGs. And basically they screwed up the, I think it was the file length. They gave it a negative number and that forced a buffer overflow or something. And Windows machines would then execute code that was in the HTTP header of the file. This is not that exploit. This is something different. This works on images that people download from your server, okay? This is not a client-side exploit. This is something, again, that runs off of a server that you control. Actually, that's not quite true. There's one little thing I'm going to show you here just to kind of warm things up, as soon as the browser loads. There we go. If you look up here in the location bar, this is actually a JPEG that ran a piece of JavaScript. So you could do Ajax or any kind of cool stuff like that.

Okay, some of the goals. You're going to learn how to program these executable images. You're going to learn how they can be applied to do some interesting things.
And again, I want to get you guys started doing your own things. I'm going to give you some examples of things you can do. But I know you guys can do better than what I came up with. So my email address is on every one of these screens. So take it down. If you do something interesting, I want to know about it, okay? Also, this is not a code-heavy demonstration. There's a little bit of code. I think most of it is on the CD that went out, the conference CD. What I'm going to do is I'm going to take this presentation and put it on my website, which is also up there, www.schrenk.com. It'll be in the lower left-hand corner, down where it says "Fun with Bots." That's where you'll find this presentation.

Okay, who am I? I've been writing webbots for a long, long time. I've been writing webbots for about 11 or 12 years. Started off doing a lot of telemedicine kind of stuff with webbots. Now I do a lot of stuff with Russian companies. This is my eighth DEF CON. This is the third time I was a speaker. First time, to tell you how much things have changed: the first time I did DEF CON was DEF CON 5. And I felt I needed to legitimize going out to DEF CON to my employer. So I covered it for Computerworld magazine. So I had an alibi. Based in Minneapolis, which unfortunately has been in the news way too much this week, for all the wrong reasons. This week we're also opening an office in India. Most of you probably know it as Madras, but they changed the name now. It's called Chennai. In April, I had a book come out with my friends at No Starch Press called Webbots, Spiders, and Screen Scrapers, now available in Italian. And this month I also have the cover story on PHP Architect.

Okay. Origins of the exploit. Originally, my goal was to come up with a really good MySpace tracker. And I had a couple of reasons for doing that. I mean, there are, what do they say, 200,000 sexual predators on MySpace. It'd be nice to kind of keep track of these people.
I was thinking you could maybe make a tool for parents to kind of monitor what their kids are doing with MySpace or who their friends are. That was kind of the goal. That and a lot of curiosity. So what I wanted to do is I wanted to add images to people's pages like you can do with MySpace. In fact, a lot of web 2.0 sites where you can, you know, there's like message areas where you can upload messages and you can include a little HTML and you can refer to images that are on different servers. That's what I wanted to do. And I wanted to put up an image that looked like this. Basically a simple little PHP program with a little thing on a query here. Well, I got frustrated because MySpace doesn't let you do that. And they've got good reasons for not letting you do that, and we'll talk about those later. In fact, most web 2.0 sites, the good ones, they won't let you post stuff like that. If you have the source for an image tag, if it's not a JPEG, if it's not a GIF, if it's not a PNG, they will not let you put it up there. They'll filter it out. And the reason they do that is because it's a program. It's not an image. You know, it can be executable and it might still send an image to someone's browser. It'll look like an image. But in reality, it also has the ability to write cookies, track environment variables, access databases, send instant messages, send faxes, blah blah blah. Anything a program can do, you can do if you insert a PHP program as a source for an image. So an executable image is a program. It's not just a static piece of data. It's an actual program.

And there are some legitimate uses for this kind of stuff. A lot of times, people will store images as blobs or something in a database and they'll use a piece of dynamic code to pull it out of the database and send it out. It's perfectly legitimate.
A lot of times, people will also use executable images like this to put watermarks on things, so you can tell when an image was downloaded, who did it, at what time, what their IP address was, all that kind of stuff. You just kind of log that kind of stuff in the image. It's also used a lot in CAPTCHAs, where you want to have an image but you don't want the file name to represent what's in the image, so it's all done behind the scenes with a dynamic image. And that's what we're talking about here. We're talking about dynamic images.

So here's a quick little piece of code that shows how some of this works, how you would pull stuff out of a database. So here's our query. We've got something called show image and we're giving it on the query string an ID of 34. So in our imaginary world here, we've got a table called dbtable and we've got images that are in a column called image and we've got an ID associated with each one of those. So you can do a little query, pull out the image and create a header. This is your MIME type for the media, and then you just echo out the stuff you got back from the database. I usually like to base64-encode all this stuff because that way you're guaranteed that you'll never ever have any toxic bit combinations that might be represented as some special character or something. This one? I have something similar to this. Do you see a bug? There might be a bug, I don't know. This is the general concept. I can tell you, no I don't. This is heavily abstracted. Did I answer your question?

To do something like this, it doesn't require any special graphics libraries. You have to previously store the image as a blob in the database. Images can be referenced by an index or by a name, what have you. This is really useful in cases where your web server doesn't have write permissions on your files. In case you want to accept user-uploaded images but you can't save them to a file, you can store them in the database usually. Here's an example of this.
This is not taking it from a database, but it's taking the information from the query string. The way this would work, you come in, you make this thing look just like the source for an image tag, you send out a header, you create the image. This is using GD; that's a library that's packaged with PHP. You grab the name of the image, and this image should be sitting someplace in a file. It creates a handle. You create the image, send it out to the browser, destroy the image so you don't run into memory issues in your server, do an exit and get out of there. The way this would look is you'd have something like this. We've got a file called shoal reference, and if we hit it down here we change the data, we have one of the riviers. Simple stuff. I'm showing you this because when you do one of these things you have to still masquerade as an image. It's important to be able to, in addition to doing all the cool stuff, you still have to be able to take an image and get it out to the server. You have to still mimic a real image, in other words.

Here's another example. It's a little more interesting, a little more dynamic. Again, I'm going to grab an image from an ID. I'm going to define a font and a color for the font. I'm going to have some executable content in this case. Basically it's just a time stamp. I'm going to change the angle at which it's rendered from 0 to 90 degrees. Then again, create the header, send the image out, destroy the handle, and exit out of there. So the way this looks is a couple of images, and every time I reload the page you can see the image is different. Again, I'm just showing you this so that you can see how this kind of stuff is done, but you still have to be able to mimic an actual image when you're doing this kind of stuff.

Real quickly, an executable image can display images that are stored in databases. You can programmatically select images that you want to display.
You can dynamically produce image content, but you can also do everything that a regular script can do. In other words, you can read referrer variables to see the page the viewer was looking at before they came to the page with your image on it. You can also see the query string. In the case of what I was trying to do, that was really important, because I wanted to track users on MySpace and that's where that information was kept. You can also read and write cookies, and you do this obviously to track individuals. This actually also works across domains, and that's kind of an interesting thing, and I'll show you some reasons for it to be interesting here in a bit. And you can keep track of histories of stuff, so you can store all your stuff that you've found in a database. And again, you can also communicate whatever you want to communicate when these images are downloaded.

So here, for example, on top we've got the header that we've seen a number of times. On the bottom we've got the place where it's actually creating the image, but in between, this is how you would set a cookie. This is how you would get a referrer variable, and here's how you would get a query string. And primarily those are the things that you really want to do. Those are the useful things.

The problem with this, this all looks great, right? The problem is the sites you want to use this on won't allow you to do it. They won't let you do what's on top, but they won't let you do what's on the bottom. Anything that looks like something that's not a real image, MySpace in particular, in my case, would not allow you to upload. They would just parse it away, filter it out. So here's what you do. If you're running Apache, go into the .htaccess file, and you want to add a little line of code that will tell your server that every time you see a file that's requested and it's got a .jpg extension, you're going to interpret that as a PHP file. You don't have to do this with JPEGs.
You can do it with any other kind of image type. You can do it with GIFs, you can do it with PNGs. For that matter, you don't have to do this with PHP. You could also do this with Perl, or you could do it with whatever you're using. What? If you knew how to render them in real time, yeah. Then you could. Sure. The question was, can you do that with MOVs? QuickTime. Interesting things with Flash, too. Yeah. As you can hear. Basically what this does is it tells Apache to parse all the files in this directory or in all subsequent directories. If they have the extension of a .jpg or, again, any image, it's going to be parsed as though it's an actual script. Once it's done you can have an image that looks like this. For example, I've got an example right here. This is an example we had before, but this time if I come in here and do a view image, notice it still works, but now we're looking at a .jpg. We're not looking at a... There's nothing here that would identify this as being active. It's just a plain old .jpg as far as anyone's concerned, but in reality it's a script that's running dynamically. Yes, question back there. You had a question for somebody in the back of the room. No problem. No problem. I can go back there and that'd be fine.

Applications. These can be used on a lot of web 2.0 websites, which are basically sites where the users build the content. Any place where there's a bulletin board, any place where there's a message board, any place where you're allowed to post content, you can use this kind of image. So that would include places like Craigslist, eBay, MySpace, Fark. I haven't found a use for this one, but you can actually do it on PayPal as well. If you are a PayPal merchant you can brand the checkout process with a banner image, and that can be a dynamic image as well. Again, I haven't figured out a use for that yet, but that is something you could do. Yes. Updating the latest bid on eBay. I've got some eBay examples I'll show later. But good, you're thinking.
So when you do something cool, I want to know about it. You can also use this technique in some non-traditional web environments. You can use it in newsgroups, because a lot of people use browser-based newsgroup readers. You can use it in email, all kinds of cool stuff.

So here's what I started doing. I would go into MySpace, and in that area where you can leave people a little love, send them a little message, basically you would post your script: hey, how are you doing? Haven't seen you for a while, and here's an image. This is not one of mine, by the way, I just pulled this off of MySpace. But you know, you could put a dynamic image here, and then what happens is when that person who owns that MySpace account, when they come in and they're in their home page, not in their profile but in their home page, they look to see, oh, friend request, cool, they go click on that, or new messages or new comments, they click on those things. When they get to the point where they're looking at your image, their user ID is exposed in the server HTTP referer, and in the case of MySpace that's really cool because in their query string you've got the friend ID, which is their user ID, which basically will tell you exactly who they are in MySpace. And then if you write a cookie to them, any time they come back to your page, even if you didn't capture their query string again, the fact that you wrote a cookie to them, every time they come back you're going to know who they are, so you're going to be able to track them that way.

So here's some fun you can have with MySpace. You can write an application that shows the viewing habits of all your friends by sending each one of them a message that contains an executable image, okay? So you can capture this information. Maybe you send it in an email and they say, here, look at this image, and they look at it, you get the cookie on their browser, and then when they come to any of your other dynamic images on MySpace you can say, oh, I know this person, I wrote their cookie. Here's something else I think it would be kind of a fun thing to do: once you've got people's IDs and you've written your cookies, you could show one set of images on MySpace to all your MySpace friends and another set of images to everybody else, which would be kind of cool. You can use these same cookies to track people's movements to other sites, to, again, like eBay, Craigslist, what have you. And since your cookies all belong to your domain, wherever your executable images are, and there could be multiple images but they're all on the same domain, they're on your domain, your cookies will at least appear to function across domains. Let me show you what I'm talking about here. So if you're on eBay, putting your browser on eBay, eBay is going to write you a cookie. If you're on MySpace, MySpace is going to write you a cookie. But the server on eBay and the MySpace server, they cannot see each other's cookies. However, if you have an executable image on each one of those and they're both coming from your server, one domain, right, you can say, oh, I wrote you a cookie when you saw my image on eBay, and then I see that you're also at my MySpace page, and I know that's the same person because I wrote you a cookie, even though you picked them up from two different domains. So this is what's called third-party cookies. So, example: if MySpace writes you a cookie and then an advertiser writes you a cookie, that advertiser's cookie is called a third-party cookie.

Now you might be saying, you can't do that, browsers don't let you do that, this isn't 1996. Well, actually it is 1996. The default configuration for Firefox enables third-party cookies. In fact, it's really hard to turn it off. You can't do it from the tools area; there's no simple configuration. What you need to do is type about:config in your location bar, and then it's way down, it's probably like the 200th command, you need to change the cookie behavior, the default, from 0 to 1. Pretty obvious, right? That's how you turn off third-party cookies. So, obvious to say, most people running Firefox allow third-party cookies. With Microsoft it's even easier. The default configuration for IE says it's going to block third-party cookies that do not have a compact privacy policy. So you have to supply one, and the way you do that is in your header, right after you define your MIME type. If you could steal somebody's privacy, compact privacy thing, not a big deal. And if you don't really understand it, Microsoft will show you how to defeat their own. So there are some things Microsoft does very, very well, and this is one of them. I have to hand it to them. This is actually a very good reference if any of you are interested in this kind of stuff.

Okay, some more fun stuff to do with executable images. You could show high-quality images to the members of your website, but people who haven't signed up are going to see very poor quality images. And this might even have a commercial use. One of the things I was thinking about doing with this is selling an image service to museums, because they are very touchy about having their images end up on t-shirts and whatnot. So what you could do is you could have certain sets of people who could see the full images and other people not. And if you wanted to, you could even watermark those images, so if they ever did show up someplace you would know: oh, wait a minute, you are a member of our website, I know who you are, and you downloaded this image at such and such time with this IP address, and we even wrote a cookie to you when you did it, and now we see this image appearing other places and we'd really like you to take it off.

This is something that you were kind of referring to with eBay. One of the things you could do is you could have dynamic eBay auctions, and this is something that eBay would never allow you to do, but you could actually change the images in your auction based on events. Maybe if nobody is bidding on your auction, maybe you might want to make your images different. I don't know what you would do to change them somehow. Perhaps you could change descriptions. Maybe you've got text in images and you're changing the text. Something else you could do, and this again, I don't know that this is practical, but I'm trying to get you guys thinking about some of the possibilities for this: you could have an eBay auction set up and you could have something on Craigslist at the same time. So if somebody is on Craigslist and they see your stuff and then they go see your stuff on eBay, you can give them something different, something that nobody else would see if they hadn't previously seen your ad on Craigslist, or vice versa. It would work either way.

You could also use this tool to evaluate websites that you want to advertise on. For example, if you're on some place like Fark and you want to find out how many times people download things, how many unique IP addresses, browsers, all that kind of stuff, IP addresses trying to figure out what parts of the country people are coming from, you could do that just by posting a few images and seeing what happens. Theoretically, you could also audit results if you were taking out ads on a place like Fark. You could also do some non-repudiation with emails. For example, you could put an executable image inside of an HTML-formatted email, and if somebody reads the email you could get an instant message, because it's a dynamic image, you can do anything that a program can do. So if someone says, no, Mike, I never got your email, you can say, yeah, you did, you got it at 5 o'clock and I wrote you a cookie to prove it, it's on your hard disk. So this is another thing you can do with this kind of stuff.

Something else that would be fun to do, and again I have not figured out an application for this, is to develop expiring images, images with an expiration date. So you throw them up on your server and after a certain time they no longer exist or they change, or they're dependent on any other kind of event, like when was the first time that particular person saw that image, they got a limited amount of time to enjoy that image. But you can do images with expiration dates on them.

Okay, I've given you some ideas for what you can do with this. Here's some things that you can use to kind of move things along on your own. Focus on applications where images can be loaded from your server, and again, the most powerful things you're going to do are those things where it can happen across domains. So you've got images on one domain, or that are referred to from one domain, images that are referred to from another domain, and start to triangulate that information. Use cookies, referrer variables, and also use query strings. And as I showed you before, it's very easy to manipulate images, so if you wanted to do an expiring image or an image that fades over time or something like that, it's very easy to do that kind of stuff with PHP and the GD library.

Okay, what can you do, supposing you've got a website and you don't want people doing this kind of stuff? What can you do? Watch what you put in your query strings, because if you're putting session information, if that session information is not also backed up by information that's in a cookie or something, you can hijack sessions this way, because you've got the query string. So if you just took that query string, loaded it into a browser, it suddenly becomes your session. So be careful what you put in your query strings. The other safe thing to do is that if you're going to allow people to upload images or refer to images, it's much, much better to have them upload them to your server, because at that point you control them and you ensure the fact that they are indeed static and that they don't have dynamic content. The downside is that it's going to take more server space and it's going to use more bandwidth, but it does remove the executable from the whole executable image thing, and it also gives you the opportunity to scale images and do thumbnails and stuff like that.
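The two pieces the talk has just covered, as an added example written for this page and not code from the talk or its conference CD: a GD-rendered dynamic image of the kind the speaker demonstrated (a time stamp drawn at a random angle between 0 and 90 degrees, returned as real JPEG bytes that a browser cannot tell from a static file), and the mitigation he recommends for a site that lets users post or link images, which is to re-host whatever they supply as a static file you control, scaled and thumbnailed on the way in. The font path, size limits, output directory and the usage paths in the comments are assumptions.

```php
<?php
// Added example, not code from the talk or its conference CD.
// Two sides of the "executable image" idea from the talk:
//   render_watermarked_image(): a legitimate dynamic image (GD draws a time
//     stamp at a random angle). Sent with an image Content-Type, the browser
//     cannot tell it from a static file, which is the whole point of the trick.
//   ingest_static_copy(): the mitigation the speaker recommends. Whatever file
//     or URL a user hands you, decode it with GD and write a freshly encoded
//     JPEG (plus thumbnail) under a name you choose. The copy you serve is
//     only pixels, so no script on anyone else's server runs per view.
// Font path, size limits and directories below are assumptions.
declare(strict_types=1);

const FONT_FILE  = '/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf'; // assumed location
const MAX_BYTES  = 2 * 1024 * 1024;   // assumed upload limit
const MAX_PIXELS = 4000 * 4000;       // refuse huge canvases before decoding them

/** Return JPEG bytes of $sourceJpeg with a UTC time stamp drawn on it. */
function render_watermarked_image(string $sourceJpeg): string
{
    $img = imagecreatefromjpeg($sourceJpeg);
    if ($img === false) {
        throw new RuntimeException("cannot decode $sourceJpeg");
    }
    $red   = imagecolorallocate($img, 255, 0, 0);
    $angle = random_int(0, 90);                      // 0..90 degrees, as in the demo
    $text  = gmdate('Y-m-d H:i:s') . ' UTC';
    imagettftext($img, 14.0, $angle, 20, imagesy($img) - 20, $red, FONT_FILE, $text);

    ob_start();                                      // capture instead of echoing
    imagejpeg($img, null, 85);
    $bytes = ob_get_clean();
    imagedestroy($img);                              // free the handle, as the talk stresses
    return $bytes;
}

/**
 * Validate user-supplied image bytes and write a static, re-encoded copy.
 * Returns the paths written. Throws on anything that is not a decodable image.
 */
function ingest_static_copy(string $bytes, string $destDir): array
{
    if ($bytes === '' || strlen($bytes) > MAX_BYTES) {
        throw new InvalidArgumentException('rejected: empty or over size limit');
    }
    $info = getimagesizefromstring($bytes);          // header check: is it an image at all?
    if ($info === false) {
        throw new InvalidArgumentException('rejected: not an image');
    }
    [$w, $h] = $info;
    if ($w < 1 || $h < 1 || $w * $h > MAX_PIXELS) {
        throw new InvalidArgumentException('rejected: unacceptable dimensions');
    }
    $src = @imagecreatefromstring($bytes);           // full decode (JPEG, PNG, GIF, ...)
    if ($src === false) {
        throw new InvalidArgumentException('rejected: GD could not decode');
    }

    // Copy pixels onto fresh canvases; nothing but pixel data survives.
    $full = imagecreatetruecolor($w, $h);
    imagecopy($full, $src, 0, 0, 0, 0, $w, $h);
    $tw = 160;
    $th = max(1, (int) round($h * $tw / $w));
    $thumb = imagecreatetruecolor($tw, $th);
    imagecopyresampled($thumb, $src, 0, 0, 0, 0, $tw, $th, $w, $h);

    // Server-chosen file name and extension, never the user's.
    $name      = bin2hex(random_bytes(16));
    $fullPath  = "$destDir/$name.jpg";
    $thumbPath = "$destDir/{$name}_thumb.jpg";
    imagejpeg($full, $fullPath, 85);
    imagejpeg($thumb, $thumbPath, 80);
    foreach ([$src, $full, $thumb] as $handle) {
        imagedestroy($handle);
    }
    return ['full' => $fullPath, 'thumb' => $thumbPath, 'width' => $w, 'height' => $h];
}

// Usage, as a dynamic image endpoint would do it (assumed path):
//   header('Content-Type: image/jpeg');
//   echo render_watermarked_image('/var/www/images/base.jpg');
//   exit;
// Usage on the receiving side of an upload (assumed path):
//   $paths = ingest_static_copy(file_get_contents($_FILES['pic']['tmp_name']),
//                               '/var/www/static/uploads');
```

The dimension check runs before the full decode because getimagesizefromstring only reads headers, so an oversized or malformed file is refused before GD allocates a canvas for it. Once the re-encoded copy is served from a plain static path on your own host, the page no longer embeds a URL on someone else's server, which removes the per-view script execution, the cookie writing and the referer and query-string leakage the talk describes, at the cost of the storage and bandwidth the speaker mentions.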
Alright, that is it. As I told you, it's a very simple concept. If you guys come up with some interesting uses for this, by all means shoot me an email, I'd love to hear it. So, yeah, you have a question. There's not a microphone out there, is there? Okay, talk loud and I'll repeat the question. Yeah, there's a couple of things you can do. One of the things you can do is turn off the third-party cookies, and either you do that by setting your security high in Internet Explorer or, better yet, don't use Internet Explorer, use Firefox, do the about:config and look for that place and then change that image behavior to a one. That I don't know. That I don't. But you know, if you start doing that kind of stuff you're also going to miss out on a lot of things, so I think it's better to restrict how cookies are used in your browser. And then the other thing, if you're running Norton, Norton will strip off, or can be set up to strip off, referrers. So if someone's running Norton and if it's configured properly, the MySpace thing that I showed you would never work. Okay, yes. The question was executing something out of SQLite. I'm not sure you can do that. It would have to run on your server, and I don't know that there would be an advantage of doing SQLite over doing Postgres or Oracle or anything. Excuse me? 250k. Okay, but I mean beyond size and price and what have you, I don't see it. SQLite, I don't think, is a client-side database. I think... okay.

So the cool thing, and I just kind of brushed on it a little bit, is the fact that you can run JavaScript in these things. And basically all I did there is I set up the image the way I did the other one, so that it would execute the .jpg and it would see it as a script, and instead of putting PHP in there I just put a couple of JavaScript open and close tags and threw up an alert. You don't have to do just something simple like an alert. Like I said, you could run some really cool Ajax in there. Well, MySpace won't know about it, because MySpace says, here's an image, and then it's your client, your browser, that is going to load that from your server, and it's going to execute the JavaScript on the client. Not so much, no, it's not that kind of a thing. Well, here, let me show you what... no, let me get back to that. Where is it? This is really pretty simple. So you load the image. So basically if you did this you'd... File, I'm looking for View, there we go, that took long enough. That's basically all that's in the image. So yeah, it would be difficult to embed this in HTML, but if you could get people to load the file, you know, like, here's an image, free to look at, that kind of thing, click on the image. One more time? I'm sorry, get me after the talk and I'll answer your question. Yes. Yeah, I think it would. I think if you turned off JavaScript in your browser, yeah, it absolutely would. But again, most people don't do that, because how many websites could you really use now if you turned off JavaScript, you know, the Ajax and the dynamic HTML and stuff that's going on? So you could do that, but very, very few people will. Anybody else? Yes. No, you could. You could probably do some interesting things that way, absolutely. Yeah, that's an interesting point. So do one, send me an email, I'm going to see it work.

The one thing that you can't do is start an image, prematurely end it, insert a bunch of stuff and then complete the old image, like so you're inserting stuff in the middle of an image, you know what I mean? So like if you've got an image you want to show and it goes off and grabs it, you prematurely end it, insert a bunch of stuff and then start another image and have it all interpreted, that will not work. And the reason that won't work is because browsers download the page, they figure out all the media that they need to load, they figure out what they've got in cache, and then they load the individual files. So that would not work. That was something I was thinking about, gee, how could you get that to work, could you insert things in the middle of images, but no, I don't believe you can. I don't think that would work.

Yeah, sure, cool. The question was, can you do the same thing with mod_rewrite, and it sounds like you can. Can you still write cookies and everything if you're using mod_rewrite? I gotcha, sure, sure. So you're basically changing the name of the file. Yep, yep, that would be another way of doing the same thing, absolutely. Yes. I don't think so. You know, some of the things you can do is in the header there's some... from the standpoint of the person creating the image, there are things that you can do in the header, like with dates and stuff, so that it'll always say, okay, I gotta fetch this. From the standpoint of the client having these things saved in cache, I don't see any danger in that, because by the time they end up in your cache they're no longer dynamic. They're dead, they're static at that point. So they're only dynamic when they're downloaded; after that, just an image. Anybody else? Yes. Well, cookies will not work across browsers. So if you save a cookie on Firefox and someone comes and downloads the same page with Internet Explorer, those cookies are not interoperable; they're in different places. So it'll work with a wide variety of browsers, but it won't happen cross-browser, if that's what your question is. But it's worked in every browser I've tried with the default settings. Sure. The only time I've had a problem with that is, I had a problem once, a long time ago, I don't know if they fixed this or if it was not intended to be fixed, but at one point I had to run Apache on IIS, and they have a problem with something called dual parsed headers, where if you send, like, with Apache you can pretty much sit there and send out headers all day long before you send out the first actual HTML. For a while IIS... excuse me, yeah, I was running PHP on IIS, not Apache, that doesn't make sense. And IIS would not allow you to do that because of its dual parsed header thing, and they reserved that for their own web server. So you could only do it on, at that time it was NT4, you could only run dual parsed headers with PHP if you were running it on... excuse me, I'm getting confused here. It was one of those intentional bugs that Microsoft put in so you'd have to use ASP as opposed to PHP, at least that's how I interpreted it. But that was a long time ago, I can hardly remember that. I'm surprised I remembered dual parsed headers. Anything else? Well, thank you very much, I appreciate it.