Polyglot (computing)
==Security implications==
A polyglot of two formats may [[Steganography|steganographically]] compose a malicious payload within an ostensibly benign and widely accepted wrapper format, such as a JPEG file that allows arbitrary data in its comment field. A vulnerable JPEG renderer could then be coerced into executing the payload, handing control to the attacker. The mismatch between what the interpreting program expects and what the file actually contains is the root cause of the vulnerability.<ref name="ACMNOV13" />

[[SQL Injection]] is a trivial form of polyglot, where a server naively expects user-controlled input to conform to a certain constraint, but the user supplies syntax which is interpreted as SQL code. Note that in a security context, there is no requirement for a polyglot file to be strictly valid in multiple formats; it is sufficient for the file to trigger unintended behaviour when being interpreted by its primary interpreter.

Highly flexible or extensible file formats have greater scope for polyglotting, and therefore more tightly constrained interpretation offers some mitigation against attacks using polyglot techniques. For example, the PDF file format requires that the [[Magic number (programming)|magic number]] <code>%PDF</code> appears at byte offset zero, but many PDF interpreters waive this constraint and accept the file as valid PDF as long as the string appears within the first 1024 bytes. This creates a window of opportunity for polyglot PDF files to smuggle non-PDF content in the header of the file.<ref name="TDPF" /> The PDF format has been described as "diverse and vague", and due to significantly varying behaviour between different PDF parsing engines, it is possible to create a PDF-PDF polyglot that renders as two entirely different documents in two different PDF readers.<ref>{{cite web |last1=Wolf |first1=Julia |title=OMG WTF PDF |url=https://fahrplan.events.ccc.de/congress/2010/Fahrplan/events/4221.en.html |website=27th Chaos Communication Congress |date=9 February 2011 |access-date=6 September 2022 |archive-date=9 October 2022 |archive-url=https://web.archive.org/web/20221009230207/https://fahrplan.events.ccc.de/congress/2010/Fahrplan/events/4221.en.html |url-status=live }}</ref>

Detecting malware concealed within polyglot files requires more sophisticated analysis than relying on file-type identification utilities such as [[file (command)|file]]. In 2019, an evaluation of commercial anti-malware software determined that several such packages were unable to detect any of the polyglot malware under test.<ref name="TDPF" /><ref name="BeyondTheHype" />

In 2019, the DICOM medical imaging file format was found to be vulnerable to malware injection using a [[Portable Executable|PE]]-DICOM polyglot technique.<ref>{{cite journal |title=DICOM Images Have Been Hacked! Now What? |journal=American Journal of Roentgenology |date=April 2020 |volume=214 |issue=4 |doi=10.2214/AJR.19.21958 |url=https://www.ajronline.org/doi/10.2214/AJR.19.21958 |access-date=5 September 2022 |last1=Desjardins |first1=Benoit |last2=Mirsky |first2=Yisroel |last3=Ortiz |first3=Markel Picado |last4=Glozman |first4=Zeev |last5=Tarbox |first5=Lawrence |last6=Horn |first6=Robert |last7=Horii |first7=Steven C. |pages=727–735 |pmid=31770023 |s2cid=208318324 |archive-date=5 September 2022 |archive-url=https://web.archive.org/web/20220905193804/https://www.ajronline.org/doi/10.2214/AJR.19.21958 |url-status=live |url-access=subscription }}</ref> The polyglot nature of the attack, combined with regulatory considerations, led to disinfection complications: because "the malware is essentially fused to legitimate imaging files", "incident response teams and A/V software cannot delete the malware file as it contains protected patient health information".<ref>{{cite web |title=Ubiquitous Bug Allows HIPAA-Protected Malware to Hide Behind Medical Images |date=17 April 2019 |url=https://threatpost.com/hipaa-protected-malware-medical-images/143890/ |access-date=5 September 2022 |archive-date=5 September 2022 |archive-url=https://web.archive.org/web/20220905193806/https://threatpost.com/hipaa-protected-malware-medical-images/143890/ |url-status=live }}</ref>

===GIFAR attack===
A '''Graphics Interchange Format Java Archives''' ('''GIFAR''') is a polyglot file that is simultaneously in the [[GIF]] and [[JAR (file format)|JAR]] file format.<ref>{{cite web |last1=Byrd |first1=Christopher |title=How to Create a GIFAR |url=https://www.riosec.com/articles/how-to-create-a-gifar |access-date=6 March 2023 |archive-date=6 March 2023 |archive-url=https://web.archive.org/web/20230306093631/https://www.riosec.com/articles/how-to-create-a-gifar |url-status=live }}</ref> This technique can be used to exploit security vulnerabilities, for example through uploading a GIFAR to a website that allows image uploading (as it is a valid GIF file), and then causing the Java portion of the GIFAR to be executed as though it were part of the website's intended code, being delivered to the browser from the [[Same-origin policy|same origin]].<ref>{{cite web |last1=Eckel |first1=Benjamin |title=The GIFAR Image Vulnerability |url=http://hackaday.com/2008/08/04/the-gifar-image-vulnerability |website=Hackaday |date=5 August 2008 |access-date=6 March 2023 |archive-date=6 March 2023 |archive-url=https://web.archive.org/web/20230306091403/https://hackaday.com/2008/08/04/the-gifar-image-vulnerability/ |url-status=live }}</ref> Java was patched in JRE 6 Update 11, with a CVE published in December 2008.<ref name="CVE-2008-5343">{{cite web |title=CVE-2008-5343 |url=https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5343 |website=cve.mitre.org |access-date=20 April 2021 |date=2008-12-04 |archive-date=20 April 2021 |archive-url=https://web.archive.org/web/20210420204722/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5343 |url-status=live }}</ref><ref>{{cite web | title=A photo that can steal your online credentials| url=http://www.infoworld.com/d/security-central/photo-can-steal-your-online-credentials-306| first=Robert| last=McMillan| date=August 1, 2008| publisher=Infoworld.com| archive-url= https://web.archive.org/web/20200918084425/https://www.infoworld.com/article/2653025/a-photo-that-can-steal-your-online-credentials.html| archive-date=2020-09-18}}</ref> GIFARs are possible because GIF images store their header in the beginning of the file, and JAR files (as with any ZIP archive-based format) store their data at the end.<ref>{{cite web |last1=Rios |first1=Billy |title=Billy (BK) Rios » SUN Fixes GIFARs |url=http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/ |access-date=20 April 2021 |archive-url=https://web.archive.org/web/20160314083259/http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/ |archive-date=14 March 2016 |date=2008-12-17}}</ref>
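The two structural facts this section relies on, a <code>%PDF</code> header that lenient readers accept anywhere in the first 1024 bytes, and a ZIP/JAR archive that readers locate from the end of the file so that a complete GIF can precede it, are exactly what a defender's file scanner should look for instead of trusting the leading magic number alone. The following added example (written for this page; it is not code from the Wikipedia article or from any cited source) identifies a file strictly by its offset-zero magic and then reports a misplaced PDF header or a trailing ZIP end-of-central-directory record. All inputs are constructed in memory: the "GIF" is a bare header plus trailer, the archive holds one text member, and the PDF is a stub, so none of them is a real image, JAR or document.

```python
"""Flag polyglot layouts: misplaced PDF magic and ZIP archives appended to
another format (the GIFAR layout). Added example; all sample inputs are
constructed in memory and are not real images, archives or documents."""
from __future__ import annotations

import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
PDF_MAGIC = b"%PDF-"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory signature
PDF_LENIENT_WINDOW = 1024         # offset window lenient PDF readers accept
ZIP_MAX_TAIL = 22 + 0xFFFF        # fixed EOCD size plus the largest comment


def primary_type(data: bytes) -> str | None:
    """Strict identification: the magic number must sit at byte offset zero."""
    if data.startswith(GIF_MAGICS):
        return "gif"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ZIP_LOCAL_HEADER):
        return "zip"
    return None


def find_zip_eocd(data: bytes) -> int | None:
    """Offset of a self-consistent ZIP end-of-central-directory record, or None.

    ZIP readers search backwards from the end of the file for this 22-byte
    record, whose last field (at record offset 20) is the length of an
    optional trailing comment. Anything before the archive is ignored by
    the reader, which is why a whole GIF can sit in front of a JAR.
    """
    start = max(0, len(data) - ZIP_MAX_TAIL)
    pos = data.rfind(ZIP_EOCD, start)
    while pos != -1:
        if len(data) - pos >= 22:
            (comment_len,) = struct.unpack_from("<H", data, pos + 20)
            if pos + 22 + comment_len == len(data):
                return pos
        pos = data.rfind(ZIP_EOCD, start, pos)
    return None


def polyglot_findings(data: bytes) -> list[str]:
    """Signals that the file carries more than its offset-zero magic admits."""
    findings: list[str] = []
    ptype = primary_type(data)

    # %PDF absent at offset zero but present inside the first 1024 bytes:
    # a strict parser rejects the file, a lenient one renders it.
    if ptype != "pdf":
        idx = data.find(PDF_MAGIC, 1, PDF_LENIENT_WINDOW)
        if idx != -1:
            findings.append(f"pdf-magic-at-offset-{idx}")

    # A ZIP archive reachable from the end of a file whose start is not a
    # ZIP local header: the layout a GIFAR uses.
    eocd = find_zip_eocd(data)
    if eocd is not None and ptype != "zip":
        first_local = data.find(ZIP_LOCAL_HEADER)
        label = ptype or "unknown"
        findings.append(f"zip-archive-after-{label}-header-at-offset-{first_local}")
    return findings


def build_samples() -> dict[str, bytes]:
    """Constructed inputs for the demonstration (hypothetical, not real files)."""
    gif = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b"\x3b"  # 14 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "placeholder archive member")
    archive = buf.getvalue()
    pdf = b"%PDF-1.4\n%%EOF\n"
    return {
        "clean_gif": gif,
        "gif_then_zip": gif + archive,          # GIFAR-style layout
        "junk_then_pdf": b"\x00" * 512 + pdf,   # only lenient readers accept it
        "clean_pdf": pdf,
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:14} type={primary_type(blob)!s:5} findings={polyglot_findings(blob)}")
```

The scanner deliberately does not try to parse the embedded archive or PDF; it only answers the question the section raises, whether the bytes a strict interpreter would see match the bytes a lenient one would act on. A real upload gate would combine this with re-encoding the image, which destroys any appended archive.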