-
September 14th, 2004, 11:17 PM
#1
Member
hacking by JPEG?
When you have eliminated the impossible, whatever remains, however improbable, must be the truth. - Sherlock Holmes
i am NOT a hacker :Þ
-
September 14th, 2004, 11:21 PM
#2
It's this response from MS that I'm not clear on:
"The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image."
Does that mean you have to do something more than just view the picture? If so, it wouldn't be that big a deal, just another naive user issue, no different than them opening zip files they shouldn't open.
-
September 14th, 2004, 11:31 PM
#3
Member
Good point, yes, but this is different. Ever since the web came into being, hackers haven't been able to do much with graphic files (as far as I know). And many users nowadays know not to press "yes" whenever a security-related popup comes into view.
Let's see how this issue goes.
When you have eliminated the impossible, whatever remains, however improbable, must be the truth. - Sherlock Holmes
i am NOT a hacker :Þ
-
September 14th, 2004, 11:40 PM
#4
It's all a bit vague, if you ask me...
I suspect there's a bit of media hype / scaremongering in there too, given that the vulnerability is related to JPEGs!
It wouldn't be too hard to get a user to open a specially crafted JPEG now, would it? Something like Pamela.jpg is very enticing to a large percentage of the male population. Similarly brad.jpg for the ladies!
I wonder how long it will be till the first exploit of this vulnerability?
Any one else have any more information, or can shed more light on this?
Tomorrow is another day for yesterdays work!
-
September 14th, 2004, 11:59 PM
#5
Wasn't embedding text within a jpeg used in some situations? Would embedding text/code in a gif animation be possible as long as the gif image is allowed to run?
I'd rather die on my feet than live my life on my knees.
(Emiliano Zapata, a Mexican revolutionary in the early 1900s)
-
September 15th, 2004, 12:27 AM
#6
Good Evening,
You folks are talking about Steganography, commonly called “Stego”. It is a boon for two folks that want to have private conversations and it can even be encrypted. The information is placed in the least significant bit of a JPEG and other types. Kinda like spy stuff. It can be a nightmare for Corporations wherein their secrets can go out the door.
The manner in which the information (stolen secrets, including .exe files (read: trojans, viruses and the like), .doc files, etc.) is hidden is usually one of three ways. The first is Substitution, where unimportant info in the original file is replaced. The second is Injection, where info is placed in areas that are usually ignored, like the end-of-file marks. And the last is Generation, where a file or picture is made using your covert stuff.
And the rest is in Google.
cheers
Connection refused, try again later.
-
September 15th, 2004, 01:38 AM
#7
Yes, in fact, the US cyber division is working on that very thing. Terrorists are putting secret information in graphics. They usually don't hide them in Arabic sites though; they found out that porn sites are very popular to hide them in. They do this because the US least expects that from the Arab nations, which are highly against pornographic materials.
-
September 15th, 2004, 01:45 AM
#8
From the horse's mouth: http://www.microsoft.com/technet/sec.../ms04-028.mspx
Edit: more detail ---
(Note the reported date, ooooouch.)
Advisory: September 14, 2004
Reported: October 7, 2003
Systems affected based on testing:
Windows XP SP0,SP1,SP1a (Home & Pro)
Systems potentially affected based on Microsoft's DLL Help Database
(there may be others):
gdiplus.dll 5.2.3790.0
Windows Server 2003 Data Center
Windows Server 2003 Enterprise
Windows Server 2003 Standard
Windows Server 2003 Web Edition
gdiplus.dll 5.1.3100.0
Microsoft Visual Studio .NET (2003) Enterprise Architect
gdiplus.dll 5.1.3097.0
Microsoft Visual Studio .NET (2002) Enterprise Architect
Microsoft Visual Studio .NET (2002) Enterprise Developer
Microsoft Visual Studio .NET (2002) Professional
Microsoft Visual Studio .NET (2003) Enterprise Architect
Visual Basic .NET Standard 2002
Visual C# .NET Standard 2002
Visual C++ .NET Standard 2002
Windows XP Home 2002
Windows XP Professional 2002
gdiplus.dll 5.1.3079.3
Microsoft Visual Studio .NET (2002) Enterprise Architect
Visio 2002 Professional
Visio 2002 Standard
Description
------------------------
The JPEG parsing engine included in GDIPlus.dll contains an
exploitable buffer overflow. When a specially crafted JPEG image is
accessed through the Windows XP shell, a buffer overflow occurs
potentially allowing an attacker to run arbitrary code on the
affected system. Due to the pervasiveness of the affected dll there
may be other vulnerable attack vectors.
Technical
------------------------
JPEG Comment sections (COM) allow for the embedding of comment data
into a JPEG image. COM sections are marked beginning with 0xFFFE
followed by a 16 bit unsigned integer in network byte order giving
the total comment length + the 2 bytes for the length field; a
single JPEG COM section could therefore contain 65533 bytes of
invisible data (invisible in the sense that it's not rendered as
part of the image). Because the JPEG COM field length variable is 2
bytes wide, and itself is included in the length value, the minimum
value for this field is 2, this implies an empty comment. If the
comment length value is set to 1 or 0, a buffer overflow occurs
overwriting heap management structures.
The problem is GDIPlus normalizes the COM length prior to checking
its value; a starting length of 0 becomes -2 after normalization
(0xFFFE unsigned), this value is converted to the 32 bit value
0xFFFFFFFE and is eventually passed on to memcpy which attempts to
copy ~4G bytes into heap memory.
eEye Digital Security analyzed the bug and found that heap
management structures are left in an inconsistent state with
execution eventually reaching heap unlink instructions within
RTLFreeHeap with EAX pointing to a pointer to data we control and we
have direct control of EDX.
Vendor Status
------------------------
Patch available MS04-028 (833987)
http://www.microsoft.com/technet/sec.../ms04-028.mspx
Detection
------------------------
Detection could be accomplished by examining the JPEG image for the
following byte sequence:
0xFF 0xFE 0x00 0x00 or 0xFF 0xFE 0x00 0x01
Credits
------------------------
Nick DeBaggis - Discovery, analysis, and advisory.
Special thanks to eEye Digital Security www.eeye.com - Detailed
vulnerability analysis, initial and ongoing vendor contact.
Do unto others as you would have them do unto you.
The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
-- true colors revealed, a brown shirt and jackboots
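The COM length bug and the detection signature from the advisory above, as an added C example (this is not code from the advisory, the post, or GDI+; the function names and sample bytes are my own). vulnerable_payload_len reproduces the normalize-then-check ordering the advisory describes, stopping short of the ~4 GB memcpy; safe_payload_len is the checked version; signature_hits is the advisory's FF FE 00 00 / FF FE 00 01 byte search; and has_bad_com goes one step beyond the advisory by walking the marker segments from SOI to SOS, so the same four bytes sitting as payload inside another segment do not fire. The three headers are constructed for this example and are not real images.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Marker bytes (the byte that follows 0xFF) used below. */
#define M_SOI 0xD8   /* start of image */
#define M_COM 0xFE   /* comment segment */
#define M_SOS 0xDA   /* start of scan: entropy-coded data follows */

/* JPEG segment lengths are 16-bit big-endian (network byte order). */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable order of operations as the advisory describes it: subtract the two
   length bytes first, check afterwards. A field of 0 wraps to 0xFFFE (-2 as a
   signed 16-bit value), which widens to 0xFFFFFFFE, the byte count memcpy would
   be asked to copy. The memcpy itself is deliberately not performed here. */
uint32_t vulnerable_payload_len(uint16_t com_len) {
    int16_t normalized = (int16_t)(com_len - 2);   /* 0 -> -2, 1 -> -1 */
    return (uint32_t)(int32_t)normalized;          /* -2 -> 0xFFFFFFFE */
}

/* Hardened: validate before normalizing. The field counts itself, so 2 is the
   smallest legal value (an empty comment); anything smaller is rejected. */
int32_t safe_payload_len(uint16_t com_len) {
    if (com_len < 2) return -1;
    return (int32_t)com_len - 2;
}

/* Detection 1: the advisory's byte signature, FF FE 00 00 or FF FE 00 01,
   searched anywhere in the buffer. Cheap, but context-free: the same four
   bytes can legitimately occur as payload inside another segment. */
int signature_hits(const uint8_t *buf, size_t n) {
    int hits = 0;
    for (size_t i = 0; i + 4 <= n; i++)
        if (buf[i] == 0xFF && buf[i + 1] == 0xFE && buf[i + 2] == 0x00 && buf[i + 3] <= 0x01)
            hits++;
    return hits;
}

/* Detection 2: walk the marker segments from SOI to SOS and flag a COM whose
   length field is below 2. Returns 1 if such a COM is found, 0 if the header
   walks cleanly, -1 if the buffer is not a parseable JPEG header. */
int has_bad_com(const uint8_t *buf, size_t n) {
    if (n < 4 || buf[0] != 0xFF || buf[1] != M_SOI) return -1;
    size_t pos = 2;
    while (pos + 2 <= n) {
        if (buf[pos] != 0xFF) return -1;
        uint8_t marker = buf[pos + 1];
        if (marker == 0xFF) { pos++; continue; }             /* fill byte */
        if (marker == M_SOS) break;                           /* header done */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7)) { pos += 2; continue; } /* no length field */
        if (pos + 4 > n) return -1;
        uint16_t len = be16(buf + pos + 2);
        if (len < 2) return marker == M_COM ? 1 : -1;        /* cannot advance past it */
        pos += 2 + len;
    }
    return 0;
}

/* Constructed sample headers (not real images), just enough to exercise the code. */
const uint8_t benign_jpeg[] = {
    0xFF, 0xD8,                                        /* SOI */
    0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o',   /* COM, length 7 = 2 + 5 */
    0xFF, 0xDA, 0x00, 0x02                             /* SOS (truncated) */
};
const uint8_t hostile_jpeg[] = {
    0xFF, 0xD8,
    0xFF, 0xFE, 0x00, 0x00,                            /* COM with length 0 */
    0x41, 0x41, 0x41, 0x41
};
const uint8_t tricky_jpeg[] = {                        /* signature bytes as APP1 payload */
    0xFF, 0xD8,
    0xFF, 0xE1, 0x00, 0x06, 0xFF, 0xFE, 0x00, 0x00,
    0xFF, 0xDA, 0x00, 0x02
};

int main(void) {
    printf("COM length 0 -> vulnerable copy size 0x%08lx, hardened %ld\n",
           (unsigned long)vulnerable_payload_len(0), (long)safe_payload_len(0));
    printf("benign : sig=%d walk=%d\n", signature_hits(benign_jpeg, sizeof benign_jpeg), has_bad_com(benign_jpeg, sizeof benign_jpeg));
    printf("hostile: sig=%d walk=%d\n", signature_hits(hostile_jpeg, sizeof hostile_jpeg), has_bad_com(hostile_jpeg, sizeof hostile_jpeg));
    printf("tricky : sig=%d walk=%d\n", signature_hits(tricky_jpeg, sizeof tricky_jpeg), has_bad_com(tricky_jpeg, sizeof tricky_jpeg));
    return 0;
}
```

The third sample is the reason to prefer the segment walk over a raw byte grep: an APP segment (EXIF, ICC, and so on) can carry any bytes, so a content filter keyed on the four-byte signature alone will produce false positives on legitimate files, while a parser that honours segment boundaries only reports a COM whose own length field is 0 or 1.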
-
September 15th, 2004, 02:17 AM
#9
I can't seem to find the thread at the moment... but I remember not too long ago someone was saying that it was possible to infect an image with a virus and in turn infect the user who opens the "image". The poster even attached a proof of concept...
I've tried searching for the thread... but I can't find it now and I don't remember who made these claims... but I know they backed them up...
Anyone else remember that?
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
September 15th, 2004, 02:47 AM
#10
Member
phishphreek80:
I don't know if this is what you are remembering, but there was an exploit for the Linux image manipulation program XV. Here's a link in bugtraq with source:
http://msgs.securepoint.com/cgi-bin/...q0408/186.html
Maybe it will look familiar?
As for this new buffer overflow, I haven't seen any exploit code anywhere yet and M$ says they haven't either, but I wouldn't trust them. AngelicKnight, you would just have to view the picture to get the virus/code to execute on your computer from what I understand, so looking at pop-ups, email, banners, avatars, etc. could get you infected.