Page 1 of 3 123 LastLast
Results 1 to 10 of 23

Thread: hacking by JPEG?

  1. #1

    Question hacking by JPEG?

    i saw this article: http://story.news.yahoo.com/news?tmp...ft_security_dc

    hackers now use jpeg?

    When you have eliminated the impossible, whatever remains, however improbable, must be the truth. - Sherlock Holmes

    i am NOT a hacker :Ž

  2. #2
    It's this response from MS that I'm not clear on:

    "The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image."
    Does that mean you have to do something more than just view the picture? If so, it wouldn't be that big a deal, just another naive user issue, no different than them opening zip files they shouldn't open.

  3. #3
    good point. yes. but this is different. eversince the web came into birth, hackers havent been able to do much with graphic files (as far as i know). and many users nowadays know not to press "yes" whenever security-related popups comes into view.

    let's see how this issue goes.
    When you have eliminated the impossible, whatever remains, however improbable, must be the truth. - Sherlock Holmes

    i am NOT a hacker :Ž

  4. #4
    Senior Member
    Join Date
    Feb 2004
    Near Manchester (England)

    It's all a bit vague, if you ask me...

    I suspect there's a bit of media hype / scaremongering in there too, given that the vulnerability is related to jpeg's!

    It wouldn't be too hard to get a user to open a specially crafted jpeg now would it? Something like Pamela.jpg is very inticing to a large percentage of the male population. Similarly brad.jpg for the ladies!

    I wonder how long it will be till the first exploit of this vulnerability?

    Any one else have any more information, or can shed more light on this?
    Tomorrow is another day for yesterdays work!

  5. #5
    Senior Member
    Join Date
    Aug 2001
    Wasn't embedding text within a jpeg used in some situations? Would embedding text/code in a gif animation be possible as long as the gif image is allowed to run?
    I\'d rather die on my feet than live my life on my knees.

    (Emiliano Zapata, a Mexican revolutionary in the early 1900s)

  6. #6
    Senior Member
    Join Date
    Dec 2003
    Pacific Northwest
    Good Evening,

    You folks are talking about Steganography, commonly called “Stego”. It is a boon for two folks that want to have private conversations and it can even be encrypted. The information is placed in the least significant bit of a JPEG and other types. Kinda like spy stuff. It can be a nightmare for Corporations wherein their secrets can go out the door.

    The manner in which the information, stolen secrets, including:. Exe (read trojans, viruses and the like), .doc files, etc., is hidden, is usually completed one of three ways. The first is Substitution, where unimportant info in the original file is replaced. The second is Injection, where info is place in areas that are usually ignored like the end of file marks. And the last is Generation, where a file or picture is made using your covert stuff.

    And the rest is in google

    Connection refused, try again later.

  7. #7
    Join Date
    Apr 2004
    Yes, infact, the US cyber division is working on that very thing. Terrorists are putting secret information in graphics. They usually don't hide them in arabic sites though, they found out that porn sites are very popular to hide them in. They do this because the US least expects that from the arab nations, which is highly against pornographic materials.
    I am the uber duck!!1
    Proxy Tools

  8. #8
    Senior Member
    Join Date
    Jun 2003
    from the horses mouth http://www.microsoft.com/technet/sec.../ms04-028.mspx

    edit more detail ---
    (note reported date, ooooouch)

    Advisory: September 14, 2004
    Reported: October 7, 2003

    Systems affected based on testing:
    Windows XP SP0,SP1,SP1a (Home & Pro)

    Systems potentially affected based on Microsoft's DLL Help Database
    (there may be others):

    gdiplus.dll 5.2.3790.0
    Windows Server 2003 Data Center
    Windows Server 2003 Enterprise
    Windows Server 2003 Standard
    Windows Server 2003 Web Edition

    gdiplus.dll 5.1.3100.0
    Microsoft Visual Studio .NET (2003) Enterprise Architect

    gdiplus.dll 5.1.3097.0
    Microsoft Visual Studio .NET (2002) Enterprise Architect
    Microsoft Visual Studio .NET (2002) Enterprise Developer
    Microsoft Visual Studio .NET (2002) Professional
    Microsoft Visual Studio .NET (2003) Enterprise Architect
    Visual Basic .NET Standard 2002
    Visual C# .NET Standard 2002
    Visual C++ .NET Standard 2002
    Windows XP Home 2002
    Windows XP Professional 2002

    gdiplus.dll 5.1.3079.3
    Microsoft Visual Studio .NET (2002) Enterprise Architect
    Visio 2002 Professional
    Visio 2002 Standard


    The JPEG parsing engine included in GDIPlus.dll contains an
    exploitable buffer overflow. When a specially crafted JPEG image is
    accessed through the Windows XP shell, a buffer overflow occurs
    potentially allowing an attacker to run arbitrary code on the
    affected system. Due to the pervasiveness of the affected dll there
    may be other vulnerable attack vectors.


    JPEG Comment sections (COM) allow for the embedding of comment data
    into a JPEG image. COM sections are marked beginning with 0xFFFE
    followed by a 16 bit unsigned integer in network byte order giving
    the total comment length + the 2 bytes for the length field; a
    single JPEG COM section could therefore contain 65533 bytes of
    invisible data (invisible in the sense that it's not rendered as
    part of the image). Because the JPEG COM field length variable is 2
    bytes wide, and itself is included in the length value, the minimum
    value for this field is 2, this implies an empty comment. If the
    comment length value is set to 1 or 0, a buffer overflow occurs
    overwriting heap management structures.

    The problem is GDIPlus normalizes the COM length prior to checking
    it's value; a starting length of 0 becomes -2 after normalization
    (0xFFFE unsigned), this value is converted to the 32 bit value
    0xFFFFFFFE and is eventually passed on to memcpy which attempts to
    copy ~4G bytes into heap memory.

    eEye Digital Security analyzed the bug and found that heap
    management structures are left in an inconsistent state with
    execution eventually reaching heap unlink instructions within
    RTLFreeHeap with EAX pointing to a pointer to data we control and we
    have direct control of EDX.

    Vendor Status

    Patch available MS04-028 (833987)


    Detection could be accomplished by examining the JPEG image for the
    following byte sequence:

    0xFF 0xFE 0x00 0x00 or 0xFF 0xFE 0x00 0x01

    Nick DeBaggis - Discovery, analysis, and advisory.

    Special thanks to eEye Digital Security www.eeye.com - Detailed
    vulnerability analysis, initial and ongoing vendor contact.
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America\'s war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots

  9. #9
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    I can't seem to find the thread at the moment... but I remember not too long ago someone was saying that it was possible to infect an image with a virus and in turn infect the user who opens the "image". The poster even attached a proof of concept...

    I've tried searching for the thread... but I can't find it now and I don't remember who made these claims... but I know they backed them up...

    Anyone else remember that?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  10. #10

    I dont know if this is what you are remembering, but there was an exploit for the linux image manipulation program XV. Heres a link in bugtraq with source:


    Maybe it will look familiar?

    As for this new buffer overflow, I havent seen any exploit code anywhere yet and M$ says they havent either, but I wouldnt trust them. AngelicKnight, you would just have to view the picture to get the virus/code to execute on your computer from what I understand, so looking at pop-ups, email, banners, avatars, etc could get you infected.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts