Exploit Delivery via Steganography using Stegosploit Tool v0.2

Exploit Delivery via Steganography using Stegosploit Tool v0.2

"A good exploit is one that is delivered in style" Saumil Shah

Since the presentation of Saumil Shah's Stegosploit Tool v0.2 at Hack in the Box Security Conference in Amsterdam, there were some heated discussions about the method and its possibilities. We talked to Saumil Shah from NetSquare about his Stegosploit Tool v0.2, and here is a deeper insight into the method.

OS: What distinguishes the Stegosploit method from known image exploit methods?

Saumil: For example, CVE-2014-0282 is a Use-After-Free browser exploit, which is traditionally delivered using HTML+JS. In its HTML+JS form, it gets detected in transit and also at the endpoint. With Stegosploit, the entire exploit code gets embedded as pixels, and the decoder JS is fused together with the image file as a polyglot. When the polyglot is displayed in the browser, the browser can be tricked into rendering it as HTML. The viewer simply sees the image in the browser, but it actually triggers the embedded JS decoder code, decodes the malicious exploit embedded within the pixels and triggers it.

The decoder code does not contain any offensive code. No signature or detection mechanism will trigger on the decoder JS. The exploit code is now transformed to image pixels, and that also bypasses all detection. My goal was to transform malicious code into non-detectable forms, and deliver them via only images.

See http://www.slideshare.net/saumilshah/stegosploit-hacking-with-pictures/9 - Slides 9, 10, 11, 12 explain the overall goal.

OS: Please give some examples of how the method could be used for attacks today.

Saumil: It all depends on what type of attack the attacker wants to deliver via Stegosploit. In a pen-test, I used it to trigger a drive-by browser exploit via an application that allowed upload of profile photographs. The application had a zoom in feature, that when the user clicked on the photo, it would open the photo in a new popup. By itself, the photo was rendered via an <img> tag, but when zoomed in, it opened directly in the browser via a URL. The browser then interpreted it as an HTML file, and the exploit was triggered.

A second scenario was to deliver the exploit to a remote user by uploading it to a document sharing service (very similar to Dropbox), and sending a direct link to the victim. In this case, the attacker does not need to host a dedicated web server. The attack would be traced back to the document sharing service, and then the trail would be lost.

OS: What can antivirus software and browser manufacturers do in regards to prevention?

AV software totally fails. Here is a screenshot from a private "virustotal". There is one false positive, but all other AV's fail to detect it.

Browser manufacturers need to improve upon several things:

• Built in detection for polyglots. (easier said than done)
• Disabling content sniffing
• Adhering to strict HTML parsing (but MS Frontpage assured that even shitty HTML will always be parsed, and ever since, no one has dared to enforce strict HTML parsing)

Stegosploit demonstrates stealth techniques to evade payload detection in transit and at rest. It is a matter of time until these techniques become mainstream.

The few thoughts I have in this area are as follows

• Detection of malicious code by signatures or static behaviour analysis is rendered ineffective by such attacks. Detection and defenses have to move outside the usual realm of perimeter appliances and endpoint security solutions
• Browser vendors need to start thinking about detecting polyglot content before it is rendered in the DOM. This is easier said than done
• Server side applications that accept user generated images should currently transcode all received images. For example, transcode a JPG file to a PNG file with slightly degraded quality, and back to JPG. The idea here is to damage any steganographically encoded data

I began experimenting with exploit delivery techniques involving containers which are presumed passive and innocent - images. As a photographer, I have had a long history of detailed image analysis, exploring image metadata and watermarking techniques to detect image plagiarism. Is it possible to deliver an exploit using images and images alone?

My first attempt was to convert Javascript code into image pixels, each character represented by an 8-bit grayscale pixel in a PNG file. The offensive Javascript exploit code is converted into an innocent PNG file. The PNG image is then loaded in a browser and decoded using a HTML5 CANVAS. Decoding is performed via Javascript. The decoder code itself is not detected as being offensive, since it only performs CANVAS pixel manipulation.

Since 2010, I have been working on several techniques for sophisticated exploit delivery using images. In parallel, I have also been working on researching memory corruption bugs in browsers via stack overflows, heap overflows, pointer corruption and Use-After-Free bugs. Memory corruption bugs have become increasingly difficult to exploit in the presence of exploit mitigation technologies such as DEP and ASLR. A third area of my research involves bypassing DEP and ASLR using Return Oriented Programming and "infoleak" bugs. The results of all my research have led to the Stegosploit toolset, which I shall use to demonstrate delivering and triggering a full-blown exploit for the Internet Explorer CInput Use-After-Free vulnerability (CVE-2014-0282) with DEP and ASLR bypass, using a single image.

My motivation for image based exploit delivery is simple - to study the effectiveness of image based exploit delivery for complex drive-by exploits, explore ramifications on exploit detection and evolve new mitigation techniques to combat future threats. However, my main motivation still remains delivering exploits in style, and combining them with my photography!

Steganography is a well established science. There are several steganography algorithms which not only avoid visual detection but also provide error correction and the ability to survive basic image transformation. Popular algorithms such as F5 have been implemented in Javascript.

Stegosploit creates a new way to encode "drive-by" browser exploits and deliver them through image files. Using Stegosploit, it is possible to transform virtually any Javascript based browser exploit into a JPG or PNG image.These payloads are undetectable using current means.

Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and Javascript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim's browser when loaded.

Most drive-by browser exploits are written in code which is interpreted natively by the browser (Javascript) or by popular browser add-ons (ActionScript/Flash). When it comes to browser exploits, typical means of detection avoidance involve:

• Character level obfuscation of the exploit's Javascript code
• Splitting the attack code over multiple script files
• Splitting the attack code between Javascript and Flash using ExternalInterface
• Using OLE embedded documents

Exploit detection technology relies upon content inspection of network traffic or files loaded by the application (browser). Content is identified as suspicious either by signature analysis or behavioural analysis. The latter technique is more generic and can be used to detect 0-day exploits as well.

To deliver an exploit in style, we shall establish the following goals:

• No data to be transmitted over the network except JPG or PNG files
• The image displayed in the browser should have no visible aberration or distortion
• No exploit code should be present as strings within the image file
• The image should decode the exploit code upon being loaded in the browser without any external user interaction
• Only one image shall be used for this exploit

Stegosploit's iterative encoder tool uses the browser's built in JPG processor library via HTML5 CANVAS. All steganographic encoding is performed in-browser using CANVAS. Browsers use different JPG processor libraries. A steganographically generated JPG from Firefox will not accurately decode in Internet Explorer, and vice versa. A future goal is to achieve cross browser JPG steganography compatibility. For now, PNG provides cross browser steganography compatibility because it employs lossless compression.

A high level overview of the process of triggering the exploit

1. Load the HTML containing the decoder Javascript in the browser.
2. The decoder HTML loads the image carrying the steganographically encoded exploit code.
3. The decoder Javascript creates a new canvas element.
4. Pixel data from the image is loaded into the canvas, and the parent image is destroyed from the DOM. From here onwards, the visible image is from the pixels in the canvas element.
5. The decoder script reconstructs the exploit code bitstream from the pixel values in the encoded bit layer.
6. The exploit code is reassembled into Javascript code from the decoded bitstream.
7. The exploit code is then executed as Javascript. If the browser is vulnerable, it will be compromised.

Time-Shifted Exploit Delivery

Time-Shifted Exploit Delivery is a technique where the exploit code does not need to be triggered at the same time it is delivered. The trigger can happen much later. Assume that we deliver kevin_polyglot as an image file via a simple <img> tag. The web server serving this image can choose to provide cache control information and instruct the browser to cache this image for a certain time duration. The HTTP Expires response header can be used to this effect. Several days later, a URL pointing to kevin_polyglot is offered to the victim user. Upon clicking the link, the browser will detect a cache-hit and load the "image" into the DOM without making a network connection. The exploit will then be triggered as before, with the exception that at the time of exploitation, no network traffic will be observed, as is illustrated by the diagram.

The Stegosploit Toolkit v0.2 contains the tools necessary to test image based exploit delivery. A case study of a Use-After-Free memory corruption exploit (CVE-2014-0282) is presented with this paper demonstrating the Stegosploit technique. Stegosploit comprises of tools that let a user analyse images, steganographically encode exploit data onto JPG and PNG files, and turn the encoded images into polyglot files that can be rendered as HTML or executed as Javascript.

The current version of Stegosploit - v0.2, demonstrated at HITB 2015 Amsterdam - combines the decoder HTML and the steganographically encoded image into a single container. If opened in an image viewer, the contents show a perfectly valid JPG image. If loaded into a browser, the contents render as an HTML document, invoking the decoder code and triggering the exploit, while still showing the image (itself) in the browser! This is a polyglot document. For a detailed discussion on polyglots, please read up the excellent write-up by Ange Albertini @angealbertini in PoC||GTFO 0x06.

Stegosploit | Proof of Concept

A detailed paper and the Stegosploit v0.2 toolkit are included in the issue of PoC||GTFO 0x08, released at REcon 2015. The toolkit is distributed as a PNG polyglot within the PoC||GTFO PDF, which is also a polyglot!

The PNG file - stegosploit_tool.png contains all the tools. For a simple demo, you can save it to the local desktop, rename it to HTML and open it in a browser. Clicking the lioness will trigger the decoder and it will extract the toolkit from the pixels and download it. For a complex demo, this PNG has to be uploaded somewhere, and techniques such as MIME type confusion or Content Sniffing have to be used to trick the browser into believing it is an HTML file.

References:

• https://www.alchemistowl.org/pocorgtfo/pocorgtfo08.pdf
• http://blog.exploitlab.net/2015/06/stegosploit-was-never-exploit-my-paper.html
• https://conference.hitb.org/hitbsecconf2015ams/speakers/saumil-shah