Thursday, January 28, 2021



Before starting, let's introduce or refresh a couple of concepts that will come in useful for fully understanding what follows.


As Wikipedia puts it, metadata is "data that provides information about other data". In other words, it is "data about data".

In everyday use, this is the information we see when we right-click on an image and open the 'Details' tab.

This metadata is called EXIF data, which stands for Exchangeable Image File Format. Most digital photo software can display EXIF information, but you usually can't edit it.

The Exif file format is the same as the JPEG file format: Exif inserts camera and image information, plus a thumbnail image, into a JPEG in conformity with the JPEG specification. As a result, Exif image files can be opened by any JPEG-compliant browser, picture viewer or photo-retouching software as ordinary JPEG files.

As the title suggests, the Exif structure fields can be leveraged by an attacker to hide malicious scripts.

Consider a simple image like this one:

At first sight there's nothing suspicious, right?

Now, using exiftool(-k), a lightweight tool downloadable from here, we can take a look at what the image is hiding in its metadata.

Within the Exif data there are two suspicious entries, "copyright" and "document name", which contain respectively:

"/.*/e" is a pattern carrying the PCRE "e" regex modifier, and it will evaluate the data from $exif['DocumentName'].

How can an attacker use these scripts?

Consider this PHP script:

The first line downloads the remote JPG image file with the stashed code in it and then sets the $exif variable with the array values. The variable will have this structure:

The final step in this process is to execute the PHP preg_replace function.

Notice that the $exif['Copyright'] value uses the "/.*/e" PCRE regex modifier (PREG_REPLACE_EVAL), which will evaluate the data from the $exif['DocumentName'] variable as PHP code.

Knowing how it works and what it looks like, how can we hunt for it?

There are many ways, tools and techniques that can be used.
One example is this script, found on Pastebin, which looks for entries with UserComment and checks them for the "/e" PCRE regex modifier.

If the script finds that modifier within the entry, it outputs the name of the file to the console to alert us that the file is potentially dangerous.
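As an added example (not code from the original post, nor from the Pastebin script it describes), here is a small Python scanner that does what the hunting step above calls for and also shows which fields the $exif array of the attack script actually exposes: it walks the JPEG marker structure, parses the APP1 Exif segment directly, reads the string tags mentioned earlier (DocumentName, Copyright, UserComment and a few others) and flags any value that carries the PCRE /e modifier or embedded PHP code. The JPEG bytes it scans, the tag values in them and the two detection regexes are my own constructions; the tag numbers and TIFF layout come from the Exif/TIFF specifications.

```python
# Added example (not from the original post); the JPEG bytes it scans are constructed below.
from __future__ import annotations
import re
import struct

ASCII, LONG, UNDEFINED, EXIF_IFD_POINTER = 2, 4, 7, 0x8769   # TIFF field types, sub-IFD tag
TAG_NAMES = {0x010D: "DocumentName", 0x010E: "ImageDescription", 0x010F: "Make",
             0x0110: "Model", 0x8298: "Copyright", 0x9286: "UserComment"}
# A symmetric-delimiter PCRE pattern whose modifier letters include 'e'.
EVAL_MODIFIER = re.compile(rb"^\s*([^\w\s]).*\1[a-zA-Z]*e[a-zA-Z]*\s*$", re.S)
# Code that would run if such a pattern handed the field to eval().
PHP_CODE = re.compile(rb"<\?php|\b(eval|assert|base64_decode|system|exec|passthru)\s*\(")

def exif_segment(jpeg: bytes) -> bytes | None:
    """Return the TIFF payload of the APP1 Exif segment, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:                        # SOS: image data follows, no more headers
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None

def parse_ifd(tiff: bytes, offset: int, endian: str, out: dict[str, bytes]) -> None:
    """Read one IFD (following the Exif sub-IFD pointer) into `out`."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n, raw = struct.unpack(endian + "HHI4s", tiff[entry:entry + 12])
        if tag == EXIF_IFD_POINTER:
            parse_ifd(tiff, struct.unpack(endian + "I", raw)[0], endian, out)
        elif tag in TAG_NAMES and typ in (ASCII, UNDEFINED):
            if n <= 4:                            # short values sit inline in the entry
                value = raw[:n]
            else:                                 # longer ones live at the offset in `raw`
                start = struct.unpack(endian + "I", raw)[0]
                value = tiff[start:start + n]
            if typ == UNDEFINED and value.startswith(b"ASCII\x00\x00\x00"):
                value = value[8:]                 # strip the UserComment charset prefix
            out[TAG_NAMES[tag]] = value.rstrip(b"\x00")

def read_exif_strings(jpeg: bytes) -> dict[str, bytes]:
    """Map tag name -> raw value for the tags in TAG_NAMES (empty if no Exif)."""
    tiff = exif_segment(jpeg)
    if tiff is None:
        return {}
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    out: dict[str, bytes] = {}
    parse_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian, out)
    return out

def suspicious_tags(jpeg: bytes) -> dict[str, str]:
    """Return {tag: reason} for metadata strings that could end up executed."""
    findings = {}
    for name, value in read_exif_strings(jpeg).items():
        if EVAL_MODIFIER.match(value):
            findings[name] = "PCRE pattern with /e (PREG_REPLACE_EVAL) modifier"
        elif PHP_CODE.search(value):
            findings[name] = "PHP code stored in a metadata string"
    return findings

def _ifd(entries: list[tuple[int, int, bytes]], base: int) -> bytes:
    """Serialize a big-endian IFD placed at TIFF offset `base`; long values follow it."""
    table_len = 2 + 12 * len(entries) + 4
    rows, data = b"", b""
    for tag, typ, val in entries:
        count = 1 if typ == LONG else len(val)
        if len(val) <= 4:
            raw = val.ljust(4, b"\x00")
        else:
            raw = struct.pack(">I", base + table_len + len(data))
            data += val
        rows += struct.pack(">HHI", tag, typ, count) + raw
    return struct.pack(">H", len(entries)) + rows + b"\x00" * 4 + data

def build_sample_jpeg(document_name: bytes, copyright_: bytes, user_comment: bytes) -> bytes:
    """Construct a minimal JPEG (SOI, APP1 Exif, SOS, EOI) carrying the given tags."""
    ifd0 = [(0x010D, ASCII, document_name + b"\x00"),
            (0x8298, ASCII, copyright_ + b"\x00"),
            (EXIF_IFD_POINTER, LONG, b"\x00" * 4)]
    exif_off = 8 + len(_ifd(ifd0, 8))             # the sub-IFD goes right after IFD0
    ifd0[2] = (EXIF_IFD_POINTER, LONG, struct.pack(">I", exif_off))
    sub = _ifd([(0x9286, UNDEFINED, b"ASCII\x00\x00\x00" + user_comment)], exif_off)
    app1 = b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08" + _ifd(ifd0, 8) + sub
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02\xff\xd9")

# Constructed samples mirroring the post: /e pattern in Copyright, code in DocumentName.
MALICIOUS = build_sample_jpeg(b'eval(base64_decode("Y29uc3RydWN0ZWQ="));', b"/.*/e",
                              b"holiday snapshot")
CLEAN = build_sample_jpeg(b"IMG_0001.jpg", b"(c) 2021 constructed example", b"holiday snapshot")

if __name__ == "__main__":
    print(suspicious_tags(MALICIOUS), suspicious_tags(CLEAN))
```

Run as a script it reports the two flagged fields of the malicious sample and an empty result for the clean one. In a real hunt you would feed it every image under the web root (not only .php files, which is exactly the blind spot discussed in the conclusions), extend TAG_NAMES with any other string tags your images carry, and pair these regex checks with a YARA ruleset such as the one PHP Malware Finder ships.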

A tool called PHP Malware Finder, available on GitHub, can also be used.

PHP-malware-finder is a script used to detect obfuscated code, as well as files using PHP functions often used in web shells. Detection is performed by crawling the filesystem and testing files against a set of YARA rules.

Not to mention the Loki and Thor IOC scanners created by the awesome Nextron Systems; their indicators can be derived from published incident reports, forensic analyses or malware sample collections.

Conclusions:

This is not a new technique, but it is important to highlight it because today, for performance reasons, many organizations opt to scan only PHP files and exclude other file types from scanning, overlooking certain types of file that shouldn't be classified as less important.

Moreover, even though the e modifier (PREG_REPLACE_EVAL) was deprecated in PHP 5.5.0 and eventually removed as of PHP 7.0.0, this doesn't mean the attack is no longer prevalent. If the corporate environment is running PHP applications and is not on the latest version of PHP, then it is susceptible.
