What is a Magic Byte and how to exploit it

Harry D
5 min read · Sep 27, 2020


You might be wondering what exactly a magic byte is and what is so magical about it. If you are a programmer you may already know it under a different name: file signature. If you are still wondering what a file signature is, read on.

Magic bytes aka file signature

A magic byte is nothing but the first few bytes of a file, used to recognise what kind of file it is. You will not notice these bytes when you open the file normally, but they can be seen with some special tools. Every Linux variant ships a tool called file that tells you what kind of file something is. As shown below, this is a .jpg file.

Check the file in the hex viewer xxd and you will see the output below. Here FF D8 FF E0 00 10 4A 46 49 46 00 01 are the magic bytes: every JPEG starts with FF D8 FF, and the bytes that follow here (E0 00 10 4A 46 49 46, which spell "JFIF") mark the common JFIF variant. The file command above uses these bytes to recognise that this file is a JPEG.

Let's check another file, a .zip. A .zip file will always start with PK, that is, the magic bytes 50 4B 03 04. For a reference of the magic bytes of different file types, see this wiki page: https://en.wikipedia.org/wiki/List_of_file_signatures

Let's try to create a PNG file using only magic bytes. All we need to do is create a file that starts with 0x89 0x50 0x4E 0x47 0x0D 0x0A 0x1A 0x0A. As we can see, even though our file ends with .txt, file reports its type as PNG.

Similarly we can create a GIF file, and here we don't even need raw bytes: a file that starts with the text GIF87a will always be identified as a GIF, because GIF87a is that format's signature.

Also refer to this link for a more detailed explanation of what file signatures are: https://blog.netspi.com/magic-bytes-identifying-common-file-formats-at-a-glance/#:~:text=This%20is%20what's%20often%20called,is%20of%20the%20proper%20format.
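To make the point concrete, here is an added example (not code from the original post) that does in a few lines what the file command does: it identifies a file purely from its leading bytes and never looks at the name. The signature table is a hand-picked subset of the Wikipedia list linked above, and the sample files are constructed byte strings, not real files.

```python
# Added example, not code from the original post: a minimal version of what
# the `file` command does. It identifies a file purely from its leading bytes
# (the magic bytes / file signature) and never looks at the file name.
# The signature table is a hand-picked subset of the Wikipedia list the post links to.

SIGNATURES = [
    # (description, offset, magic bytes) -- checked in order, first match wins
    ("JPEG image (JFIF)", 0, bytes.fromhex("FFD8FFE000104A464946")),
    ("JPEG image", 0, bytes.fromhex("FFD8FF")),
    ("PNG image", 0, bytes.fromhex("89504E470D0A1A0A")),
    ("GIF image (GIF87a)", 0, b"GIF87a"),
    ("GIF image (GIF89a)", 0, b"GIF89a"),
    ("ZIP archive", 0, bytes.fromhex("504B0304")),
    ("PDF document", 0, b"%PDF-"),
    ("ELF executable", 0, b"\x7fELF"),
]


def identify(data: bytes) -> str:
    """Return a description of `data` based on its magic bytes, like `file` does."""
    for description, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return description
    return "data"  # what `file` prints when nothing in its magic database matches


def identify_by_name_and_content(filename: str, data: bytes) -> dict:
    """Show the two views side by side: what the extension claims vs what the bytes say."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {"name": filename, "extension": ext, "content_type": identify(data)}


# Constructed samples (not real files): only the signature matters, not the name.
SAMPLES = {
    "photo.jpg":   bytes.fromhex("FFD8FFE000104A46494600010101") + b"\x00" * 16,
    "notes.txt":   bytes.fromhex("89504E470D0A1A0A") + b"rest of a png",  # the post's .txt-named PNG
    "banner.gif":  b"GIF87a" + b"\x01\x00\x01\x00",
    "archive.zip": bytes.fromhex("504B0304") + b"\x14\x00",
    "readme.txt":  b"just some text",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = identify_by_name_and_content(name, data)
        print(f"{r['name']:12s} ext={r['extension']:4s} -> {r['content_type']}")
```

Running it prints notes.txt as a PNG image and readme.txt as plain data, which is exactly the behaviour of file in the screenshots: the extension carries no weight at all.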

Now we know what a magic byte is. Let's explore how a program can use it, and how that use can be abused.

Exploit the magic bytes

To explain how to exploit it we will use the Hack The Box machine Networked. It is a retired box with a file upload bypass vulnerability.

1. First we start with nmap: nmap -sC -sV -oA default 10.10.10.146. Since a web server is hosted, let's enumerate its directories.

2. Do a directory listing of the web server using dirbuster. There are some interesting files, such as upload.php and photos.php.

3. upload.php is a simple PHP page to upload an image file, and photos.php is a page to view the uploaded files.

If we try to upload a PHP file we get an error. Create a test PHP file.

4. Let's send the request to Burp Suite and try to manipulate the file. We first try to upload test.php and get the same error as in the browser.

5. Let's change the file name extension and try to upload again. It still fails, so the check is not based on the file name extension alone. The same happens if we change the Content-Type to jpg and leave the file name as it is.

6. Let's change the file signature and the file name to GIF. Now the file is uploaded. This means the application checks both the magic bytes and the file name extension to decide whether to accept the upload.

7. Now we upload a PHP backdoor. Since the file name ends in the .gif extension, the upload succeeds and we have remote code execution.

8. Get a reverse shell.

If we examine the source code for upload.php we find a function check_file_type in lib.php. This is where the file signature is checked; it in turn uses the PHP function mime_content_type.

There is nothing wrong with the PHP function itself; it is all about how it is being used. The result of the signature check is trusted without any further sanitization of the upload, and so we have a vulnerability here.
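The following added example is not the box's lib.php and is not PHP; it rebuilds the same filter in Python so the weakness can be run and compared locally. weak_check() mirrors what the walkthrough observed (an allowed extension plus an image signature at the start of the content), while strict_check() additionally parses the whole file for the format the extension claims. Function names, the allow-list and all sample bytes are this example's own constructions.

```python
# Added example, not the box's lib.php and not PHP: the same weakness shown
# in Python so it can be run locally. weak_check() mirrors the observed filter
# (allowed extension + image signature at the start); strict_check() adds
# structural validation of the whole file. All sample bytes below are constructed.
import secrets
import struct
import zlib

# Extension allow-list, each mapped to the signature(s) the content must start with.
ALLOWED = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def _ext(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def weak_check(filename: str, data: bytes) -> bool:
    """Signature-only check: passes as soon as the first bytes look like an image.
    Everything after the signature is never inspected, so any content with an
    image prefix and an allowed extension gets through."""
    magics = ALLOWED.get(_ext(filename))
    return magics is not None and any(data.startswith(m) for m in magics)


def _valid_png(data: bytes) -> bool:
    """Walk the chunk list: every chunk CRC must verify and the last chunk must be IEND."""
    pos, last = 8, None
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return False
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            return False
        last, pos = ctype, pos + 12 + length
    return pos == len(data) and last == b"IEND"


def _valid_gif(data: bytes) -> bool:
    """Header, a non-zero logical screen size, and the 0x3B trailer as the final byte."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 14:
        return False
    width, height = struct.unpack("<HH", data[6:10])
    return width > 0 and height > 0 and data[-1:] == b"\x3b"


def _valid_jpeg(data: bytes) -> bool:
    """SOI marker at the start and EOI marker at the very end."""
    return data.startswith(b"\xff\xd8\xff") and data.endswith(b"\xff\xd9")


VALIDATORS = {"png": _valid_png, "gif": _valid_gif, "jpg": _valid_jpeg, "jpeg": _valid_jpeg}


def strict_check(filename: str, data: bytes) -> bool:
    """Signature check plus a parse of the whole file for the claimed format."""
    return weak_check(filename, data) and VALIDATORS[_ext(filename)](data)


def stored_name(filename: str) -> str:
    """Never keep the client's name: random name, extension taken from the allow-list."""
    return f"{secrets.token_hex(16)}.{_ext(filename)}"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_png() -> bytes:
    """A real, valid 1x1 RGB PNG built in memory (constructed test data)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


# Constructed: a file that is only a signature followed by non-image content,
# and a minimal structurally valid GIF for comparison.
SIGNATURE_ONLY_GIF = b"GIF89a" + b"anything but image data"
MINIMAL_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b"\x3b"

if __name__ == "__main__":
    for name, data in [("a.gif", SIGNATURE_ONLY_GIF), ("b.gif", MINIMAL_GIF),
                       ("c.png", make_png()), ("d.php", make_png())]:
        print(f"{name}: weak={weak_check(name, data)} strict={strict_check(name, data)}")
```

Running it shows a.gif passing weak_check() and failing strict_check(): that gap is the bypass the walkthrough used. Note the limits of the stricter version too. A file that is a genuinely valid image can still carry text in its metadata, so no content check on its own makes uploads safe; the controls that actually close the hole are stored_name() (the server, not the client, chooses the name and extension) and writing uploads to a location the web server will never execute, ideally after re-encoding the image with an image library.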
