
Thread: hacking by JPEG?

  1. #11
    Phish-

    That thread was BS. He claimed a jpeg would infect any picture viewer, it was really just a .exe renamed as .jpg or something silly. I think the thread's author was Grim_reaper or something similar.

    As for the exploit....

    All it takes is a creative vector to pull it off... Similar to the latest winamp exploit.

    AngelicKnight, you would just have to view the picture to get the virus/code to execute on your computer from what I understand, so looking at pop-ups, email, banners, avatars, etc could get you infected.
    http://www.microsoft.com/technet/sec.../ms04-028.mspx

    There's a list in that link of exploitable software... It would have to be run in that environment to be exploitable. In the list of software that isn't affected, is IE. So avatars, banners, pop-ups... not vulnerable. Unless the vector involves IE.

  2. #12
    The Doctor Und3ertak3r | Join Date: Apr 2002 | Posts: 2,744
    Search for posts by Grim Reaper..

    Yes there is such a "Virus" BUT it is in two parts.. the first is the "Extraction" program the other was the "infected" Jpg.. the infection was embedded in the image using Stegnos methods..

    This exploit works on the "Comment" section of the file and how MS products handle the file.. this is different to stegnos (using redundant bits).


    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #13
    Senior Member | Join Date: Oct 2001 | Posts: 748
    You used to be able to feed AT modem line commands through an ascii picture... I remember all of the dialup BBS's having a lot of fun with that one...

    This new bug is pretty nasty.. I like how they say it doesn't affect Win2k unless you are running IE6SP2.. Umm.. how could you not be running IE?? hehe.. definitely make sure that IE isn't opening up any graphic files, or any type of files for that matter..

  4. #14
    Senior Member | Join Date: Oct 2001 | Posts: 786
    Well, nobody said the JPEG file had to actually be an image! The moment MS products try to render the JPEG, they copy 4GB of data onto the heap, with whatever this JPEG had inside of it going there. So simply put, this isn't actually a JPEG that is an image, it is simply an executable that pretends to be an image so that when someone tries to open the image the code it has is copied straight to where it gets executed, and the image doesn't load because it appears to be corrupt. (Just an executable taking advantage of vuln in JPEG loading to get itself executed by the OS)

    The bad thing is that someone could burn a CD of images, one of which won't be an image but will use the JPEG Comments bug to infect others, and when Windows decides to thumbnail everything the code is loaded into memory and executed...


    There are also the images that are ~5MB in size but easily eat up several hundred MB of RAM while Windows tries to make a thumbnail icon for it. I run into these when working with high-resolution images that are over 5000x5000 pixels in size. I like working on things at least 300dpi for the final prints, but I usually work in at least 600dpi before downsampling to what will be used for the final print.

  5. #15
    I came across this when I was searching for the above subject, and the

    WARNING, THE URL MAY CONTAIN A VIRUS (90% CHANCE)
    DO NOT CLICK ON IT UNLESS YOU ARE ABSOLUTELY SURE ABOUT
    WHAT YOU ARE ABOUT TO DO.

    I MYSELF HAVEN'T TRIED THAT (I THINK MY COMPANY FIREWALL BLOCKS IT)

    http://kate.krashed.org/me.jpg

  6. #16
    Leftie Linux Lover the_JinX | Join Date: Nov 2001 | Location: Beverwijk Netherlands | Posts: 2,534
    Code:
    wget http://kate.krashed.org/me.jpg
    --09:22:34--  http://kate.krashed.org/me.jpg
               => `me.jpg'
    Resolving kate.krashed.org... 127.0.0.3
    Connecting to kate.krashed.org[127.0.0.3]:80... connected.
    HTTP request sent, awaiting response... 404 Not Found
    09:22:40 ERROR 404: Not Found.
    since kate.krashed.org resolves to 127.0.0.3 which in my case also constitutes as localhost..
    it doesn't work..
    same as hackme.tp2.be (127.0.0.1)..
    perhaps it does something more weird on a windows box..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  7. #17
    Wow. Thanks for all the info guys. I think I'm gonna update my xp pro on that part for the jpeg issues.
    When you have eliminated the impossible, whatever remains, however improbable, must be the truth. - Sherlock Holmes

    i am NOT a hacker :Þ

  8. #18
    Originally posted here by ric-o
    Here are Microsoft's September security bulletins. The JPEG processing vulnerability is scary: it affects a TON of stuff, pretty much everything (see list below)...

    Microsoft Security Bulletin MS04-028:
    Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
    http://www.microsoft.com/technet/sec.../MS04-028.mspx
    ****SEE LIST OF AFFECTED SOFTWARE****

    Microsoft Security Bulletin MS04-027:
    Vulnerability in WordPerfect Converter Could Allow Code Execution (884933)
    http://www.microsoft.com/technet/sec.../MS04-027.mspx

    we were warned weren't we..

  9. #19
    Senior Member | Join Date: Feb 2004 | Location: Near Manchester (England) | Posts: 145

    The Really Worrying Thing is...

    these dates...

    Courtesy of lumpyporridge

    Advisory: September 14, 2004
    Reported: October 7, 2003
    If Microsoft have known about it for so long, and given the vulnerability's danger ranking (assigned by Microsoft), why isn't the patch in SP2? Maybe I've missed something here?
    Tomorrow is another day for yesterday's work!

  10. #20
    Master-Jedi-Pimps0r & Moderator thehorse13 | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885
    Tsk, tsk. I am surprised at a few of you...

    The JPEG file itself is not the issue, look closely at the affected software listed. It is how MS processes the JPEG image, i.e. when opening it in Internet Explorer to view it. The buffer underrun condition overwrites the code used to process the image and PRESTO, instant haxor. So no, this is not steganography but just another example of sloppy unchecked buffers in MS code.

    PS
    For those interested in steganography, the CDC (cult of the dead cow) has a nice browser called CameraShy which allows you to view image files that have text hidden in them. Of course you will need a few things to be able to see the text but the browser at least alerts you to the fact that these files exist on the site you are on.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
