Metadata in Common Document Types

The silent killer

Wednesday, March 11, 2009

Where This All Started (for me)

• Inspiration: Myspace private picture leak

• Automation grabbed 560,000 images marked as private from 44,000 profiles

• That’s 17GB of pictures!

• I figured there was a bunch I could learn from the metadata... (GPS data on those sexy pics?)

What I Learned

• Processing 560,000 images is a nightmare

• Those “sexy” images often weren’t so sexy

• Myspace truly is the “Wretched hive of Scum and Villainy”

• Images uploaded to Myspace are converted and sanitized of metadata!

So what is this metadata stuff?

• Found in all sorts of documents!

• Additional data for searches, filing, routing info, and even items for file processing

• Typically not revealed to the user

• Can contain very interesting data!

Word!

$ strings Test_Metadata_Document.doc
This is a test.
Test Metadata Document
What shows up in word metadata?
Larry Pesce
medtadata pauldotcom goolag metagoofil maltego
This is a test of the emergency metadata system! Please return your tray tables and seat backs to thier full and upright position.
Larry Pesce
Microsoft Word 12.0.1
Potential exploit
PaulDotCom Enterprises
Test Metadata Document
Title
Telephone
[email protected]
Word 97-2004 Document

Doublespeak?

• Office metadata can also reveal revisions

• Even Microsoft can fail

• The Revisionist

Acrobatics!

$ strings "Test Metadata.pdf"
<pdf:Producer>Acrobat Distiller 7.0 (Windows)</pdf:Producer>
<pdf:Keywords>metadata goolag acrobat metagoofil maltego
<photoshop:CaptionWriter>Larry Pesce</photoshop:CaptionWriter>
<xap:CreatorTool>PScript5.dll Version 5.2.2</xap:CreatorTool>
<xap:ModifyDate>2008-04-18T19:35:38-04:00</xap:ModifyDate>
<xap:CreateDate>2008-04-18T19:33:01-04:00</xap:CreateDate>
<xap:MetadataDate>2008-04-18T19:35:38-04:00</xap:MetadataDate>
<rdf:li xml:lang="x-default">Test Metadata Document.doc</rdf:li>
<rdf:li xml:lang="x-default">What info shows up in PDF metadata?</rdf:li>
/Author(Larry)/Creator(PScript5.dll Version 5.2.2)

A pretty picture

• President Obama’s official photo

• First taken with a digital camera

• First to contain metadata!

• Let’s analyze...

• So, what can we learn? Strings doesn’t cut it!

• What are the possible risks and potential for something interesting?

• So, who would you attack? The BlackBerry or the photographer?

exiftool -a -u -g1 -b obama-officialportrait.jpg

---- ExifTool ----
ExifTool Version Number : 7.23
---- File ----
File Name : obama-officialportrait.jpg
Directory : .
File Size : 785 kB
File Modification Date/Time : 2009:01:15 10:12:02
File Type : JPEG
MIME Type : image/jpeg
Exif Byte Order : Big-endian (Motorola, MM)
---- IFD0 ----
Image Description : Official portrait of President-elect Barack Obama on Jan. 13, 2009...(Photo by Pete Souza)..
Make : Canon
Camera Model Name : Canon EOS 5D Mark II
Software : Adobe Photoshop CS3 Macintosh
Modify Date : 2009:01:13 19:35:18
Artist : Pete Souza
Copyright : © 2008 Pete Souza
---- ExifIFD ----
Date/Time Original : 2009:01:13 17:38:39
Create Date : 2009:01:13 17:38:39
---- Photoshop ----
Photoshop 0x0425 : Ó\¯ıG›%œrè.ë+finº
XML Data: (Binary data 6160 bytes, use -b option to extract)
---- ICC-header ----
Profile CMM Type : ADBE
Profile Version : 2.1.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 1999:06:03 00:00:00
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent

Even newer...

exiftool -a -u -g1 -b First_Lady_Michelle_Obama_Official_Portrait_2009-red.jpg

---- ExifTool ----
ExifTool Version Number : 7.23
---- File ----
File Name : First_Lady_Michelle_Obama_Official_Portrait_2009-red.jpg
File Size : 57 kB
File Modification Date/Time : 2009:02:28 20:02:03
Exif Byte Order : Big-endian (Motorola, MM)
---- IFD0 ----
Camera Model Name : Canon EOS-1D Mark II
Software : Adobe Photoshop CS3 Windows
Modify Date : 2009:02:27 10:39:12
---- ExifIFD ----
Date/Time Original : 2009:02:18 12:08:02
Create Date : 2009:02:18 12:08:02
---- XMP-xmp ----
Metadata Date : 2009:02:27 10:39:12-05:00
Creator Tool : Adobe Photoshop CS3 Windows
---- XMP-crs ----
Raw File Name : P021809JB-0046.dng
---- XMP-xmpMM ----
History When : 2009:02:24 21:22:09-05:00, 2009:02:24 21:22:09-05:00, 2009:02:24 21:22:54-05:00, 2009:02:24 21:32:51-05:00, 2009:02:27 09:49:50-05:00, 2009:02:27 09:49:50-05:00, 2009:02:27 09:53:47-05:00
History Software Agent : Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh
---- ICC-header ----
Profile CMM Type : ADBE
Profile Version : 2.1.0
Profile Class : Display Device Profile
Primary Platform : Apple Computer Inc.

Too revealing?

• How about the embedded Preview/Thumbnail?

• Cat Schwartz of Tech TV found this out the hard way...

• These photos appeared on her website

• It was noted that they were cropped oddly...

Too revealing?

• Download and dump the EXIF embedded Thumbnails

• Photoshop 7.0 bug that didn’t update thumbnails!

exiftool -b -ThumbnailImage original.jpg > output.jpg

exiftool -a -u -g1 original.jpg
---- IFD0 ----
Software : Adobe Photoshop 7.0

Picture this!

$ strings 0x80_cracker_with_laptop.jpg
SLUG: mag/hacker DATE: 12/20/2005 PHOTOGRAPHER: Sarah L. Voisin/TWP id#: LOCATION: Roland, OK
PICTURED:
Canon EOS 20D
Adobe Photoshop CS2 Macintosh
2006:02:16 15:43:01

Speaking of location

• How about GPS info?

• Geotagging photos anyone?

• This is only getting easier!

• Phones, Cameras, Software, Web

• Maybe employee personal information, but...

Adding GPS up

• We now know:

• Person

• Possible platform (Windows, OS X, laptop?)

• Location: Home, work and coffee shop...

Determined attacker

• Exploit physical security

• Know what to steal!

A few scary examples

• Eliot

• Work, home, homestead

• Tina

• Home, ..

• This is how we can begin to build an attack profile!

Eliot, Work

Eliot, Home

Eliot, Homestead

Tina, Home

Tina...

Taking it too far

Trust?

• We can even make some assumptions

• Other collaborators

• Co-workers

• TRUSTED acquaintances!

How do we know?

• PGP Keysigning information!

• Let’s find out who Roger Dingledine is...

Mail headers

• Public OOO replies

• Mailing list submissions

• Newsgroups

Direct e-mail example

Delivered-To: [email protected]
Received: by 10.65.40.11 with SMTP id s11cs103281qbj; Fri, 5 Sep 2008 06:46:28 -0700 (PDT)
Return-Path: <[email protected]>
Received: from johnnymo.paul.com ([74.14.86.36]) by mx.google.com with ESMTPS id p27sm274252ele.0.2008.09.05.06.46.15 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 05 Sep 2008 06:46:20 -0700 (PDT)
Message-ID: <[email protected]>
Date: Fri, 05 Sep 2008 09:46:09 -0400
From: Paul Asadoorian <[email protected]>
User-Agent: Thunderbird 2.0.0.16 (Macintosh/20080707)

Mailing list example

Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) by outgoing3.securityfocus.com (Postfix) with QMQP id 6C53A237376; Sun, 14 Sep 2008 16:35:39 -0600 (MDT)
Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01C916BA.781F8E05"
user-agent: Thunderbird 2.0.0.16 (Macintosh/20080707)
list-post: <mailto:[email protected]>
list-id: <pen-test.list-id.securityfocus.com>
delivered-to: moderator for [email protected]
Mailing-List: contact [email protected]; run by ezmlm
Content-class: urn:content-classes:message
Subject: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]
Date: Sun, 14 Sep 2008 16:19:23 -0400
Message-ID: <[email protected]>
In-Reply-To: <00db01c9169c$53315120$f993f360$@com>
Thread-Topic: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]
Thread-Index: AckWungd3zHVyhdvRauRbYpXN6N07Q==
From: "Tom Anderson" <[email protected]>
Sender: <[email protected]>
To: "Jack Sparrow" <[email protected]>, [email protected]
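To make the reading above systematic, here is an added Python example (not from the original talk) that parses a constructed header block modelled on the direct e-mail example and reports what an outgoing message discloses about its sending environment: the mail client from User-Agent, the originating host and address from the earliest Received hop, and the Message-ID domain. The hostnames, addresses and ids in the sample are made up.

```python
import re
from email.parser import HeaderParser

# Constructed sample headers (hypothetical hosts and addresses, not a real message).
SAMPLE_HEADERS = """Delivered-To: recipient@example.net
Received: by 10.0.0.11 with SMTP id a1b2c3; Fri, 5 Sep 2008 06:46:28 -0700 (PDT)
Return-Path: <sender@example.org>
Received: from desk42.corp.example.org ([192.0.2.36]) by mx.example.net with ESMTPS id d4e5f6; Fri, 05 Sep 2008 06:46:20 -0700 (PDT)
Message-ID: <48C13F41.1010507@example.org>
Date: Fri, 05 Sep 2008 09:46:09 -0400
From: Sender Name <sender@example.org>
User-Agent: Thunderbird 2.0.0.16 (Macintosh/20080707)
Subject: hello

"""

# "from <host> (<comment>)" as written by the receiving relay.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.IGNORECASE)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def disclosed_by_headers(raw):
    """Summarise what a message's headers reveal about the sender's setup."""
    msg = HeaderParser().parsestr(raw)
    info = {"user_agent": msg.get("User-Agent") or msg.get("X-Mailer")}
    # Each relay prepends its own Received line, so the last one in the list
    # is the first hop: the sending machine as the first relay saw it.
    for hop in reversed(msg.get_all("Received") or []):
        m = RECEIVED_FROM.search(hop)
        if m:
            info["origin_host"] = m.group(1)
            ip = IPV4.search(m.group(2))
            info["origin_ip"] = ip.group(0) if ip else None
            break
    mid = msg.get("Message-ID") or ""
    info["message_id_domain"] = mid.rsplit("@", 1)[-1].rstrip(">") if "@" in mid else None
    return info
```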

Newsgroups

Too cool for tool

• Sure, there’s strings...

• manual download

• manual search

• manual extract

• Let's talk a little automation

Fill ‘er up.

• Metagoofil - Edge Security

• Automated Google query

• Common document types

• Automated extract and reporting

• IDs, Paths, even MAC addresses!

• Downloads direct from site

• OS X does not support Office documents

Analyzing Word

• Metagoofil

• Exiftool

• Larry’s Scripting for Custom User lists

MetaGooFil 1.4a

usage: metagoofil options

-d: domain to search

-f: filetype to download (all,pdf,doc,xls,ppt,odp,ods, etc)

-l: limit of results to work with (default 100)

-o: output file, html format.

-t: target directory to download files.

Example: metagoofil.py -d microsoft.com -l 20 -f all -o micro.html -t micro-files

Use me, abuse me

Metagoofil Demo

Exiftool

• It turns out that Exiftool can analyze Word Pre-2007

• Metadata storage based on FlashPix standard

• Not compatible with Office 2007

exiftool -r -h -a -u -g1 * >output.html

Office 2007

• Changed metadata storage format to XML

• XML parsing with shell scripting is like herding cats

• New document is just a ZIP archive

• The best goodies are typically located in docProps/core.xml

• Wrote my first Perl script to extract author metadata

• Yes, the zip can be completed in Perl as well...

unzip -o -j TestingMetadata2007.docx docProps/core.xml && perl ./2007XMLextract.pl core.xml | tr '[:space:]' '\n' | sort | uniq > 2007users.txt

http://www.pauldotcom.com/2007XMLextract.pl

Custom user lists

• So, let's take some Word docs and pull out the user names and first and last names!

• Tedious process? Script it!

• What about Web?

• local disk?

wget -r -l1 --no-parent -A.doc http://www.somewebsite.com && exiftool -r -a -u -Author -LastSavedBy * >users.txt && strings users.txt | cut -d":" -f2 | grep -v "=" | grep -v "image files read" | tr '[:space:]' '\n' | sort | uniq >cleanusers.txt

Or, for documents already on local disk:

exiftool -r -a -u -Author -LastSavedBy * >users.txt && strings users.txt | cut -d":" -f2 | grep -v "=" | grep -v "image files read" | tr '[:space:]' '\n' | sort | uniq >cleanusers.txt

PDFs

• I didn't think a good command line tool existed until I found pdftk

• I haven’t had much time to play

• Not only good for metadata, but good for other PDF manipulation too!

• Not nearly as revealing as strings, but it is a start...

pdftk metadata.pdf dump_data

My pwn SANS Paper

InfoKey: Creator
InfoValue: SANS Institute InfoSec Reading Room
InfoKey: Title
InfoValue: Document Metadata, the Silent Killer...
InfoKey: Producer
InfoValue: PDFlib+PDI 7.0.2 (PHP5/Linux)
InfoKey: CreationDate
InfoValue: D:20090202201331Z
PdfID0: 6e469b8e315bc7573edf7290fd45825d
PdfID1: 6e469b8e315bc7573edf7290fd45825d
NumberOfPages: 69

JPEGs?

• Wget and EXIFtool for the win!

• A little scripting can repeat the test and e-mail us results in HTML

wget -r -l1 --no-parent -A.jpg http://www.pauldotcom.com && exiftool -r -h -a -u -g1 * >output.html

JPEG GPS Data

• Google maps is your friend!

• Marker placement for GPS data

• Mind your measurements, you may need to convert

• Firefox Greasemonkey Script for Flickr, Flickramio

http://userscripts.org/scripts/show/27101

http://www.cosports.com/index.php/tool/tools/latlong

A malt beverage?

• Maltego - Paterva

• Information gathering made easy

• You give it a starting point

• Automated!

• Document finding and (limited) metadata extraction

• Great for filling in the “softer” bits

Maltego Demo

Document Discovery

What do we know?

• Determination of an attack vector

• Word, and even a possible version with a certain timeframe

• Creates PDFs, timeframes and output DLL

• Additional client applications: E-mail client, image processing, etc

• E-mail address

• Login IDs

• Website

• Some previous contacts to spoof

• I’m sure we can find some exploits for what we know!

This is how you get...

Also similar to...

How can this be used?

• Determine internal architecture through server names and paths

• Find opportunities for B&E, hardware “acquisition”

• Usernames to brute force other services

• Internal patching practices for both OS and/or Desktop applications

• Deliver a specific, targeted attack based on username and/or e-mail address and utilize a recent vulnerability in software likely still in use on client systems with a high degree of confidence, leveraging trust and social engineering

That’s called...

Clean up your act!

• Limit your exposure!

• If it is already on the internet, it is probably too late

• At least limit everything new!

Consider this...

• Remember this metadata stuff is still useful!

• Maintain documents in internal repository with Metadata intact

• Maintain secondary repository for external communications

• Slicks, marketing information, public postings

• Educate and develop procedure on non-population?

• Run removal tools across your organization

• Yes, it is a lot of work...

Cleanup Tool Selection

• Tons of tools exist, some free, some minimal cost

• This list is far from all inclusive

• Use of free or existing tools

• Use of likely prior investments

• Looking to include some command line automation at a later date

Microshafted!

• For versions prior to Office 2007: the Microsoft Remove Hidden Data add-on

• Tools | Options:

• Office 2007 Document Inspector is better!

C:\Offrhd.exe C:\documents /R

Microshafted! (2)

• Office 2007 is a different animal

• Microsoft Office Button | Prepare | Inspect Document

• Select options

• Inspect | Remove All

PDF!

• Acrobat Standard/Pro

• Good for new, and existing documents

• File | Document Properties

• Select the Description tag | Additional Metadata

• PDF Properties parent item | Delete

JPEG cleanup

• Exiftool!

• Delete all for a single file

• Delete for multiple files

exiftool -All= <jpeg filename>

exiftool -All= *.jpg

A note on cleanup...

• Some information will still be left behind!

• Information usually related to output tool and format

• When opening, the client tool needs to know how to process

• Version compatibility, color spaces, format...

• This info can still reveal information useful for an attack
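To check what a cleanup tool actually left behind, here is an added Python example (not part of the talk) that walks the header segments of a JPEG, names the metadata blocks still present (Exif, XMP, ICC profile, Photoshop/IPTC), and strips them while keeping the ICC profile so colours still render, which is exactly the kind of residue the slide describes. The JPEG skeleton is constructed, not a real photo.

```python
import struct

# Metadata-bearing APPn segments, recognised by marker byte and payload prefix.
SIGNATURES = {
    0xE1: [(b"Exif\x00\x00", "Exif"), (b"http://ns.adobe.com/xap/1.0/\x00", "XMP")],
    0xE2: [(b"ICC_PROFILE\x00", "ICC profile")],
    0xED: [(b"Photoshop 3.0\x00", "Photoshop/IPTC")],
}

def jpeg_segments(data):
    """Yield (marker, offset, payload) for each header segment before SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: scan data follows, no more header segments
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def segment_names(marker, payload):
    return [n for p, n in SIGNATURES.get(marker, []) if payload.startswith(p)]

def remaining_metadata(data):
    """Names of metadata blocks still present, e.g. after a cleanup tool ran."""
    return [n for m, _, p in jpeg_segments(data) for n in segment_names(m, p)]

def strip_metadata(data, keep=("ICC profile",)):
    """Drop recognised metadata segments, keeping `keep` (ICC so colours render)."""
    out, pos = bytearray(data[:2]), 2
    for marker, offset, payload in jpeg_segments(data):
        pos = offset + 4 + len(payload)
        names = segment_names(marker, payload)
        if not names or names[0] in keep:
            out += data[offset:pos]
    return bytes(out + data[pos:])  # SOS, scan data and EOI copied untouched

def seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed skeleton (not a real photo): SOI, metadata segments, DQT, SOS, scan, EOI.
SAMPLE = (b"\xff\xd8"
          + seg(0xE1, b"Exif\x00\x00MM\x00*" + b"\x00" * 8)
          + seg(0xE2, b"ICC_PROFILE\x00\x01\x01" + b"\x00" * 16)
          + seg(0xED, b"Photoshop 3.0\x008BIM" + b"\x00" * 8)
          + seg(0xDB, b"\x00" + b"\x01" * 64)
          + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9")
```

Run `remaining_metadata` on a file after your cleanup tool of choice to see which blocks survived; the quantisation table and scan data are never touched, so the stripped output still decodes.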

Litany of Metadata

I must not fear.
Metadata is the network-killer.
Metadata is the little-death that brings total obliteration.
I will face my Metadata.
I will not permit it to pass over networks by me.
And before it has gone past I will turn the inner eye to see its server path.
Where the Metadata has gone there will be nothing.
Only emptiness will remain.
