Please reread the comments above your own. As for your concerns: GIFAR does nothing to allow access to local files. The only way the JVM is given access to the underlying operating system is through signed applets (or a vulnerability in the JVM itself) – and if you have signed applets or a JVM exploit you don’t need GIFARs to attack in the first place.

So you might understand GIFAR attack perfectly (although your phrasing suggests otherwise) – the GIFAR attack just breaks the same origin policies on websites, it won’t allow you to modify files on Linux or any other OS.

If you need more reading, there is plenty to be read on Google.

What University/Company are you doing research for? Right now you are giving me every indication that you do NOT want to implement the attack for educational purposes.

If you have any more questions or would like to answer mine, please email me in private. My email address is normlegaia [AT] gmail {dot} com.

If possible please give us some ideas regarding type of other attacks using gifar attack.. thanks a lot.
Please note: we r using only for academic purpose in closed environment.

Let’s say there is site X which allows an image upload. It checks to see that uploads are valid images by following image format specifications. Attacker Mike combines a GIF/JPG with a JAR file such that the file is both a valid image file and a valid JAR file. The JAR file contains an applet. He uploads this hybrid file to site X.

Later, on Mike’s own site he adds an applet tag to a page. He points codebase at the image file he uploaded to site X. The file he uploaded _is a valid image_, so it got through the site’s filters. But the file also _is a valid JAR file_.

Victim Y stumbles (or is social engineered) onto Mike’s site. Victim Y is logged into site X. His browser downloads the file that was uploaded to site X and says “yep, this is a valid jar file”. It starts the applet. It also says, “because this applet was downloaded from site X, site X must be hosting it on purpose. That means, I, the Java VM, will allow the applet to connect to site X. In addition I’ll give the applet access to all of victim Y’s cookies”.

Cookies are often used to store session information as a way to validate logged in users. Anyone with a copy of a cookie (until it expires) is usually able to act as if they had logged in to get that cookie.

Using LiveConnect (a way to get javascript and java applets to talk) Mike can give himself the cookies (and therefore access to victim Y’s account). Alternatively, Mike can just program the applet to do things for him – like delete an account or replace the user picture with goatse. Let’s pretent site X is a banking site. The applet could be programmed to transfer money.

The GIFAR or hybrid file is easy to make. Any valid library that follows JAR (really ZIP) file specifications waits until it sees a ZIP header before it reads data. You can just concatenate two files. It isn’t just ZIPs and some image formats that are really relaxed with their specifications. As PDP pointed out on his site (gnucitizen.org) many Microsoft Word formats are just .zip files you could add extra files inside.

For the typical user though, you can usually get them to fall for it, and do the human intervention part for the applet warning. After that you can do file and registry stuff, but no hooking etc..

Keep in mind that any compressed image format (unless it is lossless) will lose quality each time your open and save it – no matter what the software. JPEGs are notorious for that. It’s because each time you open the image you get a near duplicate of the last image – so good our eyes can’t tell the difference. There are small differences in many of the pixels. Resaving the jpeg does calculations based on the “false but close” pixel data. Next time you open it the data is degraded just a little bit more.

Make sure your site doesn’t promise a lossless transfer. I wouldn’t do this on a photo website (like flickr) for example.

Head over to my other posts under the other GIFAR Hackaday post for more information or look them up online.

This doesn’t lend itself to rootkits any more than just an java applet.