Archive for the 'XML' Category

Some Thoughts about Office Open XML and Malware Detection

Sunday, December 3rd, 2006

Last week I was googling around for comments and reactions to my report Malware Detection Rate in Alternative Word Formats, which was posted in the ISC diary on August 23rd, 2006. To sum it up, there have not been a lot of reactions in magazines or the like, but it has at least got the attention of the malware research community.
There is a very interesting follow-up article by Christoph Alme in the October 2006 edition of Virus Bulletin. The two-page article, Scanning Embedded Objects in Word XML Files, elaborates on how AV products can identify embedded objects in Word XML files. He shows that XML documents can be manipulated slightly, within the flexibility offered by the XML standard, and are still considered valid Word documents. Using the same VirusTotal-based testing method as I did, he demonstrates that all existing AV products can be bypassed. As you might remember from my initial paper, there were only three AV products capable of finding embedded malware in my run-of-the-mill XML documents.

So what does this tell us? The most likely reason is that these three virus scanners do not really understand the XML document format. They most likely have no XML parser integrated, or the parser only implements the XML standard partially. This once again boils down to the conclusion that decoding capability is the name of the game.

Now let us speculate that AV products will integrate a complete off-the-shelf XML parser. Will this help? Well, it will help to properly decode XML documents, but it will most likely introduce new vulnerabilities in AV products that have so far been unheard of. (Actually, my motivation for writing this article is to prevent AV vendors from releasing such broken products.) Let us take XML external DTD references as an example. If the XML parser is used in its default configuration or is not configured properly, scanning an XML document with an external reference will result in requests to external sites. That is nice. This would allow an attacker to track malware distribution or download additional exploit files to the scanning system.
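As an added illustration of the external-reference problem described above (example code, not code from the original post or from any AV product), here is a pre-scan built on Python's standard-library expat bindings: it records an external DTD subset and external entity declarations, and it refuses every attempt by the parser to resolve one, so the scan itself never reaches out. The sample documents and the tracker.example.invalid URIs are constructed for this example.

```python
import xml.parsers.expat as expat

class ExternalReferenceScanner:
    """Records external DTD/entity references in an XML document and refuses
    every attempt by expat to resolve one, so the scan itself stays offline."""
    def __init__(self):
        self.external_dtd = None      # system or public id of the DOCTYPE
        self.external_entities = {}   # entity name -> system or public id
        self.blocked_fetches = []     # ids expat tried to load during parsing

    def _doctype(self, name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            self.external_dtd = system_id or public_id

    def _entity(self, name, is_param, value, base, system_id, public_id, notation):
        if system_id or public_id:    # external entity, not an inline value
            self.external_entities[name] = system_id or public_id

    def _external_ref(self, context, base, system_id, public_id):
        # Returning 0 makes expat abort the parse instead of fetching the URI.
        self.blocked_fetches.append(system_id or public_id)
        return 0

    def scan(self, data: bytes) -> dict:
        parser = expat.ParserCreate()
        # Never load the external DTD subset or parameter entities either.
        parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
        parser.StartDoctypeDeclHandler = self._doctype
        parser.EntityDeclHandler = self._entity
        parser.ExternalEntityRefHandler = self._external_ref
        error = None
        try:
            parser.Parse(data, True)
        except expat.ExpatError as exc:
            error = str(exc)          # a refused fetch surfaces here
        return {
            "external_dtd": self.external_dtd,
            "external_entities": dict(self.external_entities),
            "blocked_fetches": list(self.blocked_fetches),
            "parse_error": error,
            "reaches_out": bool(self.external_dtd or self.external_entities),
        }

# Constructed samples (not real Word documents): external DTD + external entity.
SAMPLE_WITH_EXTERNAL_REFS = b"""<?xml version="1.0"?>
<!DOCTYPE doc SYSTEM "http://tracker.example.invalid/doc.dtd" [
  <!ENTITY ext SYSTEM "http://tracker.example.invalid/beacon.xml">
]>
<doc><body>&ext;</body></doc>"""
SAMPLE_CLEAN = b'<?xml version="1.0"?><doc><body>hello</body></doc>'
```

A gateway scanner would treat a document with `reaches_out` set as one that a carelessly configured parser would have turned into outbound requests, and handle it accordingly before any full parse.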

With the release of Office 2007 a couple of days ago, which will have the Office Open XML format as its standard storage format, the need for XML-enabled AV products will grow. My retesting today shows that the detection rate of Netsky as an embedded object in an Office 2003 Word XML document is still at the same level as 3 months ago. I fear that the AV industry is not quite ready yet to protect its customers against XML-delivered attacks.

XML File Inclusion and Path Traversal Attacks

Wednesday, September 27th, 2006

Colin Wong's paper XML Port Scanning - Bypassing Restrictive Perimeter Firewalls describes a way of abusing XML parsers in web services and web applications to footprint DMZ and backend services. Actually, the attack scheme is not new. It was already described in a post from October 2002 by Gregory Steuck as the XML eXternal Entity Attack (XXE).

So here are my two cents on this topic: actually, the attack scheme is more potent than they imagine. Depending on the application, it is possible to include server-side files in XML documents. If, for example, the content of the processed XML document is stored in a database and it is possible to read the database through the same or other web services or web applications, then the file content is disclosed.


Malware Detection Rate in Alternative Word Formats

Wednesday, September 6th, 2006

In addition to virus scanners on employees' desktop machines, companies are nowadays deploying AV products at their perimeter. These scanners are installed in mail gateways and web proxies to prevent malware from reaching the desktop. One big question is how good they are at detection when malware is placed into archives or embedded into other file formats, like alternative Word document formats.

The desktop, since it has all client applications installed, is the ultimate decoder for all kinds of file formats, and virus scanners there can detect malware right before its execution. Compared to the desktop, the gateway has to rely completely on its own decoding functionality. This paper demonstrates the decoding capabilities of AV products in the case of alternative file formats when used in a gateway scenario. In addition, the paper clarifies issues which were criticized in earlier versions of this paper. For details see the report.

Compass Security Event 2003 - Web Service Security

Tuesday, January 21st, 2003

Web services have been hyped for quite a while, and many security professionals still do not know what it is all about. At the Compass Security Event in 2003 I gave an introductory talk on web service security. It covers SOAP, WSDL and UDDI and some high-level threat analysis of web service attacks. For details see the slides.