How to Create a GIFAR

At BlackHat, security researchers Billy Rios and Nathan McFeters presented "The Internet is Broken", which included information on GIFARs, a term for GIF image files combined with Java ARchives (JAR). These files could be uploaded to sites that allow image uploads (such as many sites' member photo galleries) to run code in the context of that site, getting around the "same origin policy" that browsers impose. This works because GIF images (along with many other file types) store their header at the beginning of the file, while ZIP archives (which is what JAR files are) store their central directory at the tail, which is where ZIP readers look first.

The following video demonstrates this technique.
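The same two facts that make the trick work (a GIF is recognised by its first bytes, a ZIP by a record at its end) also make it detectable on the upload path. The following checker is an added example for this post, not code from the talk or from the video; it builds its own constructed fixtures (a header-only GIF and a tiny JAR-like ZIP whose "gifar.class" member is placeholder bytes, not real bytecode) and reports whether an "image" also carries a readable archive.

```python
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"        # End Of Central Directory record signature
LOCAL_HDR_SIG = b"PK\x03\x04"   # first bytes of an ordinary ZIP/JAR

def looks_like_gif(data: bytes) -> bool:
    return data[:6] in GIF_MAGICS

def trailing_zip_offset(data: bytes):
    """Offset at which an embedded ZIP begins, or None if there is no ZIP.
    ZIP readers scan backwards for the EOCD record, so an archive glued onto
    a GIF is still valid; the EOCD's central-directory size and offset tell
    us how many foreign bytes (the GIF) precede the archive."""
    idx = data.rfind(EOCD_SIG, max(0, len(data) - 65557))  # 22 bytes + max comment
    if idx < 0 or idx + 22 > len(data):
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, idx + 12)
    start = idx - cd_size - cd_offset
    if start < 0 or data[start:start + 4] != LOCAL_HDR_SIG:
        return None
    return start

def inspect_upload(data: bytes) -> dict:
    """Classify an uploaded 'image': plain GIF, or a GIF/ZIP polyglot (GIFAR)."""
    start = trailing_zip_offset(data)
    info = {"gif": looks_like_gif(data), "zip_start": start, "jar_members": []}
    if start is not None:
        # zipfile tolerates leading non-ZIP bytes, which is also why the JVM
        # could load the JAR half of the file
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            info["jar_members"] = [n for n in zf.namelist()
                                   if n.endswith(".class") or n.startswith("META-INF/")]
    info["polyglot"] = info["gif"] and start is not None and start > 0
    return info

def build_samples():
    """Constructed fixtures: a header-only GIF, and the same GIF with a tiny
    JAR-like ZIP appended (placeholder member content, not bytecode)."""
    gif = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b";"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("gifar.class", b"placeholder, not real bytecode")
    return gif, gif + buf.getvalue()
```

Rejecting anything that reports `polyglot` is the detection half; re-encoding every accepted image through an image library, so that bytes after the GIF trailer are discarded, removes the archive regardless of what the checker missed.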

Comments

Did I understand correctly that..

So, it makes it possible to get a site that is normally considered safe to run Java.
For example: I use this GIFAR, say it's an applet on my site, and the browser runs it as an applet just because I said so. Hmm, nice.

Re: Did I understand correctly that..

Yes, but it doesn't work any more. Sun has fixed it as of JDK and JRE 6 Update 11, JDK and JRE 5.0 Update 17, and SDK and JRE 1.4.2_19.

See the update to this post for more information.

- Christopher

Didn't work =\

I tried to recreate this following each step exactly the same and it didn't work. The applet will load when the file ends in a .jar extension, but can't find the class when it's a .gif.

Server log looks like this:
"GET /gifar/gifar2.gif HTTP/1.1" 200
"GET /gifar/gifar.class HTTP/1.1" 404
"GET /gifar/gifar/class.class HTTP/1.1" 404

I tried it on Firefox, IE and Opera, on Ubuntu 8.10 and Windows XP SP3.
Any ideas?

kopies

I have watched your video, but I don't understand.

Would you tell me step by step, using pictures and text?