I saw this article: http://story.news.yahoo.com/news?tmp...ft_security_dc
Hackers now use JPEG?
hmnnn
It's this response from MS that I'm not clear on:
Quote:
"The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image."
Does that mean you have to do something more than just view the picture? If so, it wouldn't be that big a deal, just another naive user issue, no different than them opening zip files they shouldn't open.
Good point. Yes. But this is different. Ever since the web came into birth, hackers haven't been able to do much with graphic files (as far as I know). And many users nowadays know not to press "yes" whenever security-related popups come into view.
let's see how this issue goes.
I suspect there's a bit of media hype / scaremongering in there too, given that the vulnerability is related to JPEGs!
It wouldn't be too hard to get a user to open a specially crafted JPEG now, would it? Something like Pamela.jpg is very enticing to a large percentage of the male population. Similarly brad.jpg for the ladies!
I wonder how long it will be till the first exploit of this vulnerability?
Any one else have any more information, or can shed more light on this?
Wasn't embedding text within a jpeg used in some situations? Would embedding text/code in a gif animation be possible as long as the gif image is allowed to run?
Good Evening,
You folks are talking about Steganography, commonly called “Stego”. It is a boon for two folks that want to have private conversations and it can even be encrypted. The information is placed in the least significant bit of a JPEG and other types. Kinda like spy stuff. It can be a nightmare for Corporations wherein their secrets can go out the door.
The manner in which the information, stolen secrets, including .exe (read trojans, viruses and the like), .doc files, etc., is hidden is usually completed one of three ways. The first is Substitution, where unimportant info in the original file is replaced. The second is Injection, where info is placed in areas that are usually ignored like the end of file marks. And the last is Generation, where a file or picture is made using your covert stuff.
And the rest is in google ;)
cheers
Yes, in fact, the US cyber division is working on that very thing. Terrorists are putting secret information in graphics. They usually don't hide them in Arabic sites though; they found out that porn sites are very popular to hide them in. They do this because the US least expects that from the Arab nations, which are highly against pornographic materials.
From the horse's mouth: http://www.microsoft.com/technet/sec.../ms04-028.mspx
edit more detail ---
(note reported date, ooooouch)
Advisory: September 14, 2004
Reported: October 7, 2003
Systems affected based on testing:
Windows XP SP0,SP1,SP1a (Home & Pro)
Systems potentially affected based on Microsoft's DLL Help Database
(there may be others):
gdiplus.dll 5.2.3790.0
Windows Server 2003 Data Center
Windows Server 2003 Enterprise
Windows Server 2003 Standard
Windows Server 2003 Web Edition
gdiplus.dll 5.1.3100.0
Microsoft Visual Studio .NET (2003) Enterprise Architect
gdiplus.dll 5.1.3097.0
Microsoft Visual Studio .NET (2002) Enterprise Architect
Microsoft Visual Studio .NET (2002) Enterprise Developer
Microsoft Visual Studio .NET (2002) Professional
Microsoft Visual Studio .NET (2003) Enterprise Architect
Visual Basic .NET Standard 2002
Visual C# .NET Standard 2002
Visual C++ .NET Standard 2002
Windows XP Home 2002
Windows XP Professional 2002
gdiplus.dll 5.1.3079.3
Microsoft Visual Studio .NET (2002) Enterprise Architect
Visio 2002 Professional
Visio 2002 Standard
Description
------------------------
The JPEG parsing engine included in GDIPlus.dll contains an
exploitable buffer overflow. When a specially crafted JPEG image is
accessed through the Windows XP shell, a buffer overflow occurs
potentially allowing an attacker to run arbitrary code on the
affected system. Due to the pervasiveness of the affected dll there
may be other vulnerable attack vectors.
Technical
------------------------
JPEG Comment sections (COM) allow for the embedding of comment data
into a JPEG image. COM sections are marked beginning with 0xFFFE
followed by a 16 bit unsigned integer in network byte order giving
the total comment length + the 2 bytes for the length field; a
single JPEG COM section could therefore contain 65533 bytes of
invisible data (invisible in the sense that it's not rendered as
part of the image). Because the JPEG COM field length variable is 2
bytes wide, and itself is included in the length value, the minimum
value for this field is 2, which implies an empty comment. If the
comment length value is set to 1 or 0, a buffer overflow occurs,
overwriting heap management structures.
The problem is GDIPlus normalizes the COM length prior to checking
its value; a starting length of 0 becomes -2 after normalization
(0xFFFE unsigned). This value is converted to the 32 bit value
0xFFFFFFFE and is eventually passed on to memcpy, which attempts to
copy ~4G bytes into heap memory.
eEye Digital Security analyzed the bug and found that heap
management structures are left in an inconsistent state with
execution eventually reaching heap unlink instructions within
RTLFreeHeap with EAX pointing to a pointer to data we control and we
have direct control of EDX.
Vendor Status
------------------------
Patch available MS04-028 (833987)
http://www.microsoft.com/technet/sec.../ms04-028.mspx
Detection
------------------------
Detection could be accomplished by examining the JPEG image for the
following byte sequence:
0xFF 0xFE 0x00 0x00 or 0xFF 0xFE 0x00 0x01
Credits
------------------------
Nick DeBaggis - Discovery, analysis, and advisory.
Special thanks to eEye Digital Security www.eeye.com - Detailed
vulnerability analysis, initial and ongoing vendor contact.
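The two checkable pieces of the advisory above, the COM length "normalization" arithmetic from the Technical section and the 0xFF 0xFE 0x00 0x00 / 0x00 0x01 signature from the Detection section, as an added C example that is not part of the advisory, of GDI+ or of this thread. `normalized_com_length` reproduces the unsigned wrap the text describes so the 0xFFFFFFFE size is visible; `scan_jpeg_segments` walks a JPEG's marker segments and validates each declared length before it is used, which is the order of operations the vulnerable parser got wrong. The function names, the result enum and the two inline sample byte strings are constructed for this example, not taken from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of walking a JPEG's marker segments. */
enum jpeg_scan_result {
    JPEG_OK = 0,              /* every segment length was consistent up to SOS/EOI */
    JPEG_BAD_COM_LENGTH,      /* a COM (0xFFFE) segment declares length 0 or 1 */
    JPEG_BAD_SEGMENT_LENGTH,  /* some other segment declares length 0 or 1 */
    JPEG_TRUNCATED,           /* marker sync lost or a segment runs past the buffer */
    JPEG_NOT_JPEG             /* no SOI (0xFFD8) at offset 0 */
};

/* The arithmetic the advisory describes: the 16-bit COM length is "normalized"
 * (its own 2 bytes subtracted) before it is range-checked. A declared length of
 * 0 wraps to 0xFFFE as a uint16 (-2), and sign-extending that to 32 bits gives
 * 0xFFFFFFFE, the size that would reach memcpy. Written with an explicit mask
 * rather than a signed cast so the result is well defined in portable C. */
uint32_t normalized_com_length(uint16_t declared_len)
{
    uint16_t payload = (uint16_t)(declared_len - 2u);   /* wraps when declared_len < 2 */
    if (payload & 0x8000u)
        return 0xFFFF0000u | payload;                     /* sign extension of a negative int16 */
    return payload;
}

/* Safe order of operations: validate the declared length (it must be at least 2
 * and must fit in the buffer) BEFORE subtracting the 2 length bytes or copying.
 * Layout: 0xFF <type>, then for data-carrying segments a big-endian uint16 length
 * that counts itself. Stops at SOS (0xFFDA) because entropy-coded data follows. */
enum jpeg_scan_result scan_jpeg_segments(const unsigned char *buf, size_t len,
                                         size_t *bad_offset)
{
    size_t pos;

    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_NOT_JPEG;

    pos = 2;
    while (pos + 2 <= len) {
        unsigned char type;
        uint16_t seglen;

        if (buf[pos] != 0xFF) {                    /* lost marker sync */
            if (bad_offset) *bad_offset = pos;
            return JPEG_TRUNCATED;
        }
        type = buf[pos + 1];
        if (type == 0xFF) { pos += 1; continue; }  /* 0xFF fill byte before a marker */
        if (type == 0xD9 || type == 0xDA)          /* EOI, or SOS: scan data follows */
            return JPEG_OK;
        if (type == 0x01 || (type >= 0xD0 && type <= 0xD8)) { /* standalone markers */
            pos += 2;
            continue;
        }
        if (pos + 4 > len) {                       /* length field itself is cut off */
            if (bad_offset) *bad_offset = pos;
            return JPEG_TRUNCATED;
        }
        seglen = (uint16_t)(((uint16_t)buf[pos + 2] << 8) | buf[pos + 3]);
        if (seglen < 2) {                          /* the advisory's 0xFFFE 0x0000 / 0x0001 case */
            if (bad_offset) *bad_offset = pos;
            return type == 0xFE ? JPEG_BAD_COM_LENGTH : JPEG_BAD_SEGMENT_LENGTH;
        }
        if (pos + 2 + (size_t)seglen > len) {      /* segment claims more than the file holds */
            if (bad_offset) *bad_offset = pos;
            return JPEG_TRUNCATED;
        }
        pos += 2 + (size_t)seglen;                 /* only now is the length trusted */
    }
    if (bad_offset) *bad_offset = pos;
    return JPEG_TRUNCATED;                         /* ran out of data without EOI or SOS */
}

/* Offset of the first COM segment with an undersized length, or (size_t)-1 if none. */
size_t bad_com_offset(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    if (scan_jpeg_segments(buf, len, &off) == JPEG_BAD_COM_LENGTH)
        return off;
    return (size_t)-1;
}

/* Constructed samples (not real image files): SOI, one COM segment, EOI. */
const unsigned char SAMPLE_OK[]  = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x04, 'h', 'i', 0xFF, 0xD9 };
const unsigned char SAMPLE_BAD[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x00, 0xFF, 0xD9 };

int main(void)
{
    printf("declared 0 -> normalized 0x%08X\n", normalized_com_length(0));
    printf("SAMPLE_OK : result %d\n", (int)scan_jpeg_segments(SAMPLE_OK, sizeof SAMPLE_OK, NULL));
    printf("SAMPLE_BAD: result %d, bad COM at offset %zu\n",
           (int)scan_jpeg_segments(SAMPLE_BAD, sizeof SAMPLE_BAD, NULL),
           bad_com_offset(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```

The scanner deliberately reports any segment whose length is below 2, not only COM, since every data-carrying marker shares the same length convention; the page's signature is the COM special case. Note that a signature match on the raw bytes 0xFF 0xFE 0x00 0x00 can also hit inside entropy-coded scan data, which is why the walk stops at SOS and only inspects real segment headers.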
I can't seem to find the thread at the moment... but I remember not too long ago someone was saying that it was possible to infect an image with a virus and in turn infect the user who opens the "image". The poster even attached a proof of concept...
I've tried searching for the thread... but I can't find it now and I don't remember who made these claims... but I know they backed them up...
Anyone else remember that?
phishphreek80:
I don't know if this is what you are remembering, but there was an exploit for the Linux image manipulation program XV. Here's a link in bugtraq with source:
http://msgs.securepoint.com/cgi-bin/...q0408/186.html
Maybe it will look familiar?
As for this new buffer overflow, I haven't seen any exploit code anywhere yet and M$ says they haven't either, but I wouldn't trust them. AngelicKnight, you would just have to view the picture to get the virus/code to execute on your computer from what I understand, so looking at pop-ups, email, banners, avatars, etc. could get you infected.