More on GIFARs and Other Java Smuggling
Posted 2008-08-17 16:13 by Christopher
Note: I previously wrote a quick post on creating GIFAR files. This post expands on the topic with additional information and a new (and much improved) video.
Background of the GIFAR technique
Currently the information I have available comes from public sources - I'd suggest reading "On GIFARs" from the Zero Day ZDnet blog and the similarly titled "On GIFARs" from Aut Disce, Aut Discede. I wasn't able to make BlackHat this year, so I didn't see "The Internet is Broken" presentation by Billy Rios and Nathan McFeters.
From what I've been able to gather, this is fundamentally an untrusted-input problem. Combining JAR files with other file types may allow an attacker to smuggle Java code onto web servers, where it can then be instantiated as an applet.
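Why the combination works, as an added defensive check (this is example code, not from the original post): a Java ZipFile locates a JAR from the End Of Central Directory record at the end of the file, so a JAR appended to a GIF is still a loadable JAR. The Python below flags uploads that pass a GIF magic-byte check but also carry a readable ZIP central directory; the sample polyglot and its entry names are constructed for the example.

```python
import io
import struct
import zipfile

EOCD_SIG, CEN_SIG = b"PK\x05\x06", b"PK\x01\x02"  # ZIP end-of-central-dir / central-dir signatures

def looks_like_gif(data):
    """Magic-byte check, i.e. what a naive image upload filter accepts."""
    return data[:6] in (b"GIF87a", b"GIF89a")

def trailing_zip_entries(data):
    """Entry names a Java ZipFile would read from `data`, or [] if none.
    ZIP readers locate the archive by scanning backwards for the EOCD
    record, so leading bytes (here, the image) are simply ignored."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0 or idx + 22 > len(data):
        return []
    total, cd_size, _ = struct.unpack("<HII", data[idx + 10:idx + 20])
    # The recorded CD offset is relative to the archive, not the file, so
    # derive the real central directory position from where the EOCD sits.
    pos, names = idx - cd_size, []
    for _ in range(total):
        if pos < 0 or data[pos:pos + 4] != CEN_SIG:
            break
        n_len, x_len, c_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        names.append(data[pos + 46:pos + 46 + n_len].decode("utf-8", "replace"))
        pos += 46 + n_len + x_len + c_len
    return names

def classify_upload(data):
    """'not-gif', 'gif', 'gif+zip', or 'gif+jar' (polyglot carrying .class files)."""
    if not looks_like_gif(data):
        return "not-gif"
    names = trailing_zip_entries(data)
    if not names:
        return "gif"
    return "gif+jar" if any(n.endswith(".class") for n in names) else "gif+zip"

# Constructed sample input (not from the original post): a minimal GIF89a and
# the same bytes with a tiny JAR-like archive appended in the GIFAR layout.
GIF_MIN = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00\x3b"

def _build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

SAMPLE_GIFAR = GIF_MIN + _build_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                                     "Hidden.class": b"\xca\xfe\xba\xbe"})  # placeholder entries
```

An upload handler that only checks magic bytes would accept SAMPLE_GIFAR as an image; rejecting anything that classifies as "gif+zip" or "gif+jar" closes that gap.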
Impact of GIFAR and other embedded code
On the surface, this doesn't seem much worse than any other CSRF attack. The same-origin policy would prevent communication between the applet running in the context of the site and attacker code (assuming they haven't also found a way past the same-origin policy, which is possible - if anyone has, it would be them). However, because an applet persists for the life of the page, it can do more than send a single request: it can interact with the site through multiple requests. This could bypass some protections against CSRF. More on this in a future post.
Video - Creating GIFAR and Java embedded Word docs
I created this video to highlight the ease and flexibility of hidden-code attacks. In the video I demonstrate creating "traditional" GIFARs (GIF+JAR) and another method, mentioned in a post on the GNUCITIZEN site, in which Java .class files are added to Word documents.
