btceic (OP)
July 17, 2013, 12:07:08 AM
"Bitcoin: mining our own business since 2009" -- Pieter Wuille
Foxpup
Legendary
Offline
Activity: 4312
Merit: 3037
Vile Vixen and Miss Bitcointalk 2021-2023
July 17, 2013, 11:56:09 AM
Looks like Bobby Tables decided to pursue a career in photography.
Will pretend to do unspeakable things (while actually eating a taco) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4I am not on the scammers' paradise known as Telegram! Do not believe anyone claiming to be me off-forum without a signed message from the above address! Accept no excuses and make no exceptions!
livan
Newbie
Offline
Activity: 24
Merit: 0
July 18, 2013, 08:27:49 AM
I have the impression that this is a rather new development. I'm not sure of the scale of the threat, or how well anti-virus software is prepared to cope with it.
Foxpup
Legendary
Offline
Activity: 4312
Merit: 3037
Vile Vixen and Miss Bitcointalk 2021-2023
July 19, 2013, 02:17:26 AM
> I have the impression that this is a rather new development. I'm not sure of the scale of the threat, or how well anti-virus software is prepared to cope with it.

It's not a new development at all. Basically how it works is, the EXIF tags (which can contain any text the author of the image wants) of an image on the web server contain PHP code. Normally, this wouldn't be a problem, since the PHP server should never treat EXIF tags (or any other arbitrary text read from an external file) as code to be executed by the server. But the PHP code on the server contains a function which can indeed treat arbitrary text as code to be executed, and the EXIF tags were (stupidly) fed to this function despite it being well-known that such functions should never be allowed to operate on external data without safeguards for exactly this reason. This allows whoever created the image to execute whatever code they want on the web server and basically take full control over it. Anti-virus software won't help, since it's not a virus - it's just ordinary text in a location where ordinary text normally exists. The real threat comes from poorly-written PHP code treating this text as though it were code. Anti-virus software can't protect against stupidity.
mprep
Global Moderator
Legendary
Offline
Activity: 3752
Merit: 2607
In a world of peaches, don't ask for apple sauce
July 19, 2013, 09:25:54 PM
Sounds scary. Soon .txt files won't be safe to use.
Foxpup
Legendary
Offline
Activity: 4312
Merit: 3037
Vile Vixen and Miss Bitcointalk 2021-2023
July 20, 2013, 04:42:07 AM
> Soon .txt files won't be safe to use.

They aren't safe to use if you're dumb enough to write a program in such a way that it treats every text file it reads as a list of commands to be executed. This exploit would never have happened if the author of the PHP code wasn't a complete idiot. You don't pass arbitrary text read from external files into a function that can execute that text as code. That's the number one thing that non-morons don't do.
scintill
July 20, 2013, 04:55:59 AM
> the EXIF tags were (stupidly) fed to this function despite it being well-known that such functions should never be allowed to operate on external data without safeguards for exactly this reason.

It looks like that wasn't actually the attack vector, just the way they hid their backdoor. I think they infected some other way, then buried the preg_replace/exif stuff deep in the code hoping nobody would notice it. It would look relatively harmless (though perhaps strange to someone who knew the code), as it's not obvious it is eval'ing a string, and the actual string is hidden out of the source in the image file, so it doesn't stand out. Pretty clever. Not so clever of whoever thought mixing eval into a regular expression function was a passable idea.
1SCiN5kqkAbxxwesKMsH9GvyWnWP5YK2W | donations
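As an added defensive example (not code from this thread or from any project it mentions): a small Python scanner for the two things the posts above describe, the PHP text hidden in an image's EXIF/metadata segments that Foxpup explains, and the preg_replace() call with the /e modifier that scintill points out is what actually eval's the string. The JPEG skeleton and the PHP snippet are constructed samples, and PHP_MARKERS is an assumed heuristic list of strings that image metadata has no legitimate reason to contain.

```python
import re

# Assumed heuristic: image metadata has no business holding PHP tags or calls.
PHP_MARKERS = (b"<?php", b"<?=", b"eval(", b"preg_replace", b"base64_decode(")

def jpeg_metadata_segments(data: bytes):
    """Yield (marker, payload) for each segment before the scan data (SOS)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):    # EOI / SOS: metadata segments are over
            return
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # counts itself
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def suspicious_segments(data: bytes):
    """Return [(marker, needle)] for metadata segments containing PHP-like text."""
    hits = []
    for marker, payload in jpeg_metadata_segments(data):
        for needle in PHP_MARKERS:
            if needle in payload:
                hits.append((marker, needle.decode()))
                break
    return hits

PREG_CALL = re.compile(r"preg_replace\s*\(\s*(['\"])(.*?)\1", re.S)

def eval_modifier_calls(php_source: str):
    """Return pattern literals of preg_replace() calls using the /e modifier
    (symmetric delimiters such as / | # ~ only; bracket pairs are not handled)."""
    found = []
    for m in PREG_CALL.finditer(php_source):
        pattern = m.group(2)
        end = pattern.rfind(pattern[0]) if pattern else -1
        if end > 0 and "e" in pattern[end + 1:]:
            found.append(pattern)
    return found

# Constructed sample: JPEG skeleton whose APP1 (Exif) segment carries a PHP open
# tag (a marker only, not a working payload), followed by SOS and EOI.
EXIF_TEXT = b"Exif\x00\x00<?php /* constructed marker */ ?>"
SAMPLE_JPEG = (b"\xff\xd8\xff\xe1" + (len(EXIF_TEXT) + 2).to_bytes(2, "big")
               + EXIF_TEXT + b"\xff\xda\x00\x02\xff\xd9")
# Constructed PHP: one /e call on untrusted input beside a harmless call.
SAMPLE_PHP = ('$s = preg_replace("/.*/e", $untrusted, "x");\n'
              '$t = preg_replace("/a/", "b", "a");')
```

Running suspicious_segments over uploaded images and eval_modifier_calls over the web root's PHP is a cheap audit for exactly the combination described here; on PHP 5.5 and later the /e modifier is deprecated, so any hit is worth a look regardless.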
btceic (OP)
July 20, 2013, 12:59:46 PM
> Sounds scary. Soon .txt files won't be safe to use.

Well, you can hide just about anything inside its alt stream, how to execute it is another story though.
mprep
Global Moderator
Legendary
Offline
Activity: 3752
Merit: 2607
In a world of peaches, don't ask for apple sauce
July 20, 2013, 03:03:48 PM
> Soon .txt files won't be safe to use. They aren't safe to use if you're dumb enough to write a program in such a way that it treats every text file it reads as a list of commands to be executed. This exploit would never have happened if the author of the PHP code wasn't a complete idiot. You don't pass arbitrary text read from external files into a function that can execute that text as code. That's the number one thing that non-morons don't do.

So I guess if there is someone to harm us, he will find a way to bypass any security and make sure you get hit from the direction you least expected. If this is happening then it's a matter of time when malware might cause actual damage to humans, not just to their devices.
mufa23
Legendary
Offline
Activity: 1022
Merit: 1001
I'd fight Gandhi.
July 20, 2013, 03:10:33 PM
Wow, interesting read.
Positive rep with: pekv2, AzN1337c0d3r, Vince Torres, underworld07, Chimsley, omegaaf, Bogart, Gleason, SuperTramp, John K. and guitarplinker
FirstAscent
July 20, 2013, 05:08:31 PM
This all sounds like a non event to me.
You mean a file can contain code? Wow. Never knew!
You mean a program can be written to execute code? Wow. Never knew!
mprep
Global Moderator
Legendary
Offline
Activity: 3752
Merit: 2607
In a world of peaches, don't ask for apple sauce
July 21, 2013, 11:46:30 AM
> This all sounds like a non event to me.
> You mean a file can contain code? Wow. Never knew!
> You mean a program can be written to execute code? Wow. Never knew!

People knew, it simply didn't pop into our heads until someone brought up a specific example.