 Post subject: Making Programs do what they're supposed to do.
PostPosted: Mon Sep 25, 2006 4:17 am
  

I HAVE a real life, and it's HERE

Joined: Sun Feb 05, 2006 7:14 pm
Posts: 347
Location: Toronto, Ontario
Full Title: Backdooring File Type X or Making a program do what it’s supposed to do…
Original Posting: http://www.computerdefense.org/?p=110


You know what I’m fed up with… people making “security” related discoveries that aren’t really discoveries… they’re just common sense….

There are two guilty parties here that I’m extremely unhappy with: David Kierznowski and pdp. David actually made the news for his Backdooring PDFs blog…. pdp has had several Backdooring .Mov, Backdooring Flash, and Backdooring MP3s..

Let’s take a look at each of these..

* PDF - Portable Document Format - A Document that is entirely self-contained and cross platform… These documents have to, essentially, be “compiled” from other documents… sort of like an executable being compiled from source code. It would make sense that they support their own programming language, which in this case happens to be a javascript variant. This isn’t a software flaw, it’s functional software being utilized completely for malicious reasons.
* MOV - Movie Files - These files quite commonly open a link to the artists page or the movies page… They have the ability to open a link and that’s exactly what they are doing.
* Flash - This was one I really enjoyed reading… How Flash could have a trojan or virus contained in it… and then he demonstrates a javascript alert… Again… the program opening a page exactly like it was written to do.
* MP3 - MPEG-1 Audio Layer 3 - This was my favourite one… this isn’t actually MP3s… it’s playlist files that can be named mp3.. So a whole lot of FUD over nothing. If an MP3 is 100 bytes and advertises itself as a full song… obviously it isn’t.. Again though, it’s a playlist file functioning as it is supposed to.

Every one of these blog posts by both of them is nothing more than FUD generation. The fact that they invested so much time into these “vulnerabilities” tells me something about the…. something I think everyone can come to on their own without me mentioning it.

Then there’s the issue of calling these backdoors… Do they know what a backdoor is… by definition this is not a backdoor

A backdoor in a computer system (or a cryptosystem, or even in an algorithm) is a method of bypassing normal authentication or obtaining remote access to a computer, while intended to remain hidden to casual inspection. The backdoor may take the form of an installed program (e.g., Back Orifice) or could be a modification to a legitimate program.

These people really make me wonder… why not a new one on how to backdoor an exe by writing the source code and compiling it. These all rely on the fact that your browser allows javascript to execute (except perhaps the PDF one because Acrobat includes its own version of javascript)… These should be called “Covert ways to enter a javascript statement into a browser”… They aren’t vulnerabilities and they are not backdoors… They are legitimate uses of the software. Another interesting note is that each time they referred to a file format… However the PDF “backdoor” requires Acrobat… it doesn’t work on other PDF Readers… the MP3 “backdoor” requires QuickTime and the browser plugin (since it’s the browser that actually executes the javascript) and like I mentioned it’s not actually MP3s but renamed playlist files. The MOV one is another example that requires QuickTime and more specifically the QuickTime plugin…

Perhaps the message should be — Don’t allow your browser to execute javascript without your permission…. or don’t open files you don’t trust… but to suggest an inherent flaw in either a file format or a type of software because it’s doing what it’s supposed to do…

Consider this my security advisory — Programs do what they are coded to do… and you may not be aware of all their functionality.

Peace,
HT

_________________
IT Blog: .:Computer Defense:.
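Added example, not part of the original post or thread: a defender-side triage sketch for two of the cases above, flagging PDFs that declare script or auto-run actions and ".mp3" files whose content is not MPEG audio. The function names, finding labels and sample bytes are constructed for illustration.

```python
import re

# PDF name objects that indicate embedded scripts or automatic actions.
PDF_ACTIVE_NAMES = {b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"}

def pdf_active_names(data):
    # Names may hex-escape characters (/J#61vaScript), so decode before matching.
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda m: bytes([int(m.group(1), 16)]), data)
    found = set(re.findall(rb"/[A-Za-z]+", decoded))
    # Limitation: names inside compressed object streams are not visible here.
    return sorted(n.decode() for n in found & PDF_ACTIVE_NAMES)

def looks_like_mp3(data):
    # MP3 data starts with an ID3v2 tag or an MPEG frame sync (11 set bits).
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0

def triage(filename, data):
    """Return findings for one file; an empty list means nothing was flagged."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if b"%PDF-" in data[:1024]:
        findings += ["pdf-active-content:" + n for n in pdf_active_names(data)]
    elif ext == "mp3" and not looks_like_mp3(data):
        findings.append("mp3-extension-but-not-mpeg-audio")
        if re.search(rb"(?i)\b(?:https?|javascript):", data):
            findings.append("text-with-url-reference")
    return findings

# Constructed samples (not taken from the posts discussed above).
PDF_SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /J#61vaScript /JS (app.alert(1);) >>\nendobj\n")
FAKE_MP3 = b"playlist entry: http://example.invalid/page\n"
REAL_MP3_HEADER = b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\x00" * 10

if __name__ == "__main__":
    for name, blob in [("report.pdf", PDF_SAMPLE), ("song.mp3", FAKE_MP3),
                       ("track.mp3", REAL_MP3_HEADER)]:
        print(name, triage(name, blob))
```

A hit means the file asks its reader to run script or follow a link, which is the documented functionality the post describes; it is a prompt for review, not proof of malice.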


 
 Post subject:
PostPosted: Mon Sep 25, 2006 9:35 am
  

Going out is soo last millenium

Joined: Thu Aug 31, 2006 4:42 pm
Posts: 201
Location: The bastard demon poster
Quote:

A backdoor in a computer system (or a cryptosystem, or even in an algorithm) is a method of bypassing normal authentication or obtaining remote access to a computer, while intended to remain hidden to casual inspection. The backdoor may take the form of an installed program (e.g., Back Orifice) or could be a modification to a legitimate program.




ERRR...


"(or a cryptosystem, or even in an algorithm)"

... are computer systems also..


"is a method of bypassing normal authentication or obtaining remote access to a computer"

.. is not necessary to be "remote"


"The backdoor may take the form of an installed program (e.g., Back Orifice)"

... are computer systems anyway!


"or could be a modification to a legitimate program"

... sounds like a virus or reverse engineering!


Backdoor is a "hidden code (production phase) to permit a bypassing over the usually system operating schema, is not an error also, is a developer hidden system manipulation!!!"



you'll need read more about that "backdooring" and security schemas...


Quote:
You know what I’m fed up with… people making “security” related discoveries that aren’t really discoveries… they’re just common sense….


i agree


Quote:
There are two guilty parties here that I’m extremely unhappy with: David Kierznowski and pdp. David actually made the news for his Backdooring PDFs blog…. pdp has had several Backdooring .Mov, Backdooring Flash, and Backdooring MP3s..


He's not an original developer for this technologies, for how I see the David publications are only an "attempts of exploiting" this technologies, not backdooring or backdooring discoverer ...



"peace"



AzRaEL
[NuKE] high council

_________________
Against AV falsehood industry, i have a proposal:

[NuKE] Asylum, Free Antivirus Project (coding, berserker mode)


 
 Post subject:
PostPosted: Mon Sep 25, 2006 1:12 pm
  

I HAVE a real life, and it's HERE

Joined: Sun Feb 05, 2006 7:14 pm
Posts: 347
Location: Toronto, Ontario
AzRaEL wrote:
Quote:

A backdoor in a computer system (or a cryptosystem, or even in an algorithm) is a method of bypassing normal authentication or obtaining remote access to a computer, while intended to remain hidden to casual inspection. The backdoor may take the form of an installed program (e.g., Back Orifice) or could be a modification to a legitimate program.




ERRR...


"(or a cryptosystem, or even in an algorithm)"

... are computer systems also..


"is a method of bypassing normal authentication or obtaining remote access to a computer"

.. is not necessary to be "remote"


"The backdoor may take the form of an installed program (e.g., Back Orifice)"

... are computer systems anyway!


"or could be a modification to a legitimate program"

... sounds like a virus or reverse engineering!


Backdoor is a "hidden code (production phase) to permit a bypassing over the usually system operating schema, is not an error also, is a developer hidden system manipulation!!!"



you'll need read more about that "backdooring" and security schemas...


I don't need to read more on "backdooring". That is a definition, not my words, as for the rest of what you said... You just didn't grasp the English behind it because none of your comments added to that.

Quote:
Quote:
There are two guilty parties here that I’m extremely unhappy with: David Kierznowski and pdp. David actually made the news for his Backdooring PDFs blog…. pdp has had several Backdooring .Mov, Backdooring Flash, and Backdooring MP3s..


He's not an original developer for this technologies, for how I see the David publications are only an "attempts of exploiting" this technologies, not backdooring or backdooring discoverer ...


It isn't a backdoor... and he's probably not the original developer.. companies have been adding javascript to pdfs and having them open links for years... He's just the first one to put an alert in it and say it was a backdoor.

_________________
IT Blog: .:Computer Defense:.


 
 Post subject:
PostPosted: Mon Sep 25, 2006 1:34 pm
  

I HAVE a real life, and it's HERE

Joined: Sun Feb 05, 2006 7:14 pm
Posts: 347
Location: Toronto, Ontario
I've submitted this story to digg... so anyone who's interested in helping out -- http://digg.com/security/Backdooring_File_Type_X_or_Making_a_program_do_what_it_s_supposed_to_do

Eg, also note I'm promoting this site in the comments of my blog :)

_________________
IT Blog: .:Computer Defense:.


 
 Post subject:
PostPosted: Mon Sep 25, 2006 2:43 pm
  

Site Admin

Joined: Mon Jan 09, 2006 5:38 pm
Posts: 4199
Location: Stevenage, UK
Hi HT,

Nice and thanks for the plug on your blog :wink:

The only thing I would say about the PDF is that yes you're right, it's not a flaw as such, it's the program being used for malicious purposes and although it doesn't require a fix as such it is something that is definitely worth "tidying up" when they release the next major version...

_________________
Google is god... of the internet :mrgreen:

