squarenax.blogg.se

Hack this site stego 11










An unusual steganographic technique that an attacker can use to implant a malicious webshell on unsuspecting websites has been spotted in Latin America. According to research from Trustwave shared exclusively with Threatpost, a forensic investigation showed that an adversary is implanting PHP code into JPEG files’ EXIF headers in order to upload malware onto targeted websites.

Hiding malware in an image file is a well-known way to circumvent detection – many filters and gateways let image file formats pass without too much scrutiny. But the unique benefit of this specific technique is that it can be used to compromise even a fully patched, up-to-date website with no obvious vulnerabilities – just by uploading an image to a website.

“PHP provides a nice function that allows you to read out and parse EXIF data, so if you target a website that allows you to upload images and also uses PHP scripts, you can essentially upload any malware you want,” explained Karl Sigler, a security research manager at Trustwave SpiderLabs. He added, “Web-based firewalls and malware scanners and the like tend to whitelist image files. This is pretty smart, and we don’t see this technique that often.”

This image was seen carrying a malware dropper in a campaign in Latin America.

EXIF, or Exchangeable Image Format, is a standard that specifies the characteristics of images, sound and ancillary tags used by digital cameras, scanners and other devices – things like file name, size, resolution and so on. PHP has a built-in function for extracting that image EXIF metadata and reading it - for instance, as an accessibility feature for the visually impaired.

“It’s likely that a website offers the ability to upload images and also has an existing PHP file that allows the site to parse out the EXIF data,” Sigler explained. “In that situation, it would be a matter of uploading the malicious image and triggering the hidden PHP code in the EXIF by using the existing PHP file that the website uses to read that EXIF data. It’s simply a matter of finding a website with one that allows the attacker to point it at their malicious uploaded data.”

He said that the EXIF-reading PHP function is extremely common in multiple pre-packaged website tools and website plugins, so it’s not that difficult of an attack to pull off if one understands how PHP works. “I would say you would need moderate expertise,” Sigler said. “You don’t have to have coding experience or use any special tools, you just need to understand PHP. And make use of a free online tool to manipulate the EXIF data.”
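A defender-side check for the technique the article describes, as an added example (not code from Trustwave or from the original article): it walks a JPEG's header segments and flags PHP opening tags inside the EXIF (APP1) or comment segments so an upload can be rejected before it is stored. The function names are my own and the two sample images are constructed byte strings, not real photographs.

```python
import re
import struct

# Opening tags the PHP interpreter acts on; image metadata has no reason to contain them.
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)
METADATA_MARKERS = {0xE1: "APP1/EXIF", 0xFE: "COM"}

def iter_segments(data):
    """Yield (marker, payload) for each JPEG header segment, stopping at scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes itself
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated or malformed segment")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_php_in_metadata(data):
    """Return (segment name, offset in payload) for every PHP open tag in metadata."""
    hits = []
    for marker, payload in iter_segments(data):
        name = METADATA_MARKERS.get(marker)
        if name:
            hits += [(name, m.start()) for m in PHP_TAG.finditer(payload)]
    return hits

def _segment(marker, payload):
    """Build one JPEG segment (helper for the constructed samples below)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed inputs: minimal JPEG header structure with a harmless placeholder tag.
CLEAN = b"\xff\xd8" + _segment(0xE1, b"Exif\x00\x00Make=ExampleCam") + b"\xff\xd9"
TAINTED = (b"\xff\xd8"
           + _segment(0xE1, b"Exif\x00\x00Make=<?php /* placeholder */ ?>")
           + b"\xff\xd9")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("tainted", TAINTED)):
        print(label, find_php_in_metadata(blob))
```

A hit is a reason to reject or re-encode the upload. The tag match is a heuristic, so a clean result only means this one pattern is absent.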











