i saw this article: http://story.news.yahoo.com/news?tmp...ft_security_dc
hackers now use jpeg?
hmnnn
It's this response from MS that I'm not clear on:
Quote:
"The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image."
Does that mean you have to do something more than just view the picture? If so, it wouldn't be that big a deal, just another naive user issue, no different from them opening zip files they shouldn't open.
Good point. Yes. But this is different. Ever since the web came into being, hackers haven't been able to do much with graphic files (as far as I know). And many users nowadays know not to press "yes" whenever security-related popups come into view.
Let's see how this issue goes.
I suspect there's a bit of media hype / scaremongering in there too, given that the vulnerability is related to JPEGs!
It wouldn't be too hard to get a user to open a specially crafted JPEG now, would it? Something like Pamela.jpg is very enticing to a large percentage of the male population. Similarly brad.jpg for the ladies!
I wonder how long it will be till the first exploit of this vulnerability?
Any one else have any more information, or can shed more light on this?
Wasn't embedding text within a jpeg used in some situations? Would embedding text/code in a gif animation be possible as long as the gif image is allowed to run?
Good Evening,
You folks are talking about Steganography, commonly called "Stego". It is a boon for two folks that want to have private conversations, and it can even be encrypted. The information is placed in the least significant bit of a JPEG and other types. Kinda like spy stuff. It can be a nightmare for corporations, wherein their secrets can go out the door.
The manner in which the information (stolen secrets, including .exe files (read trojans, viruses and the like), .doc files, etc.) is hidden is usually completed in one of three ways. The first is Substitution, where unimportant info in the original file is replaced. The second is Injection, where info is placed in areas that are usually ignored, like the end-of-file marks. And the last is Generation, where a file or picture is made using your covert stuff.
And the rest is in google ;)
cheers
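The "Substitution" method from the post above, as an added example that is not part of the original thread: each message bit replaces the least significant bit of one 8-bit sample in an uncompressed cover (think raw greyscale bitmap), with a 16-bit length header so the receiver knows where to stop. The cover here is a constructed ramp of 256 samples, not a real image. Note that this only works on sample data that is stored losslessly; JPEG's quantisation would destroy pixel LSBs, which is why JPEG stego tools apply the same idea to the quantised DCT coefficients instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Substitution stego on raw 8-bit samples: each message bit replaces the
 * least significant bit of one sample. Layout: 16-bit big-endian length,
 * then the message bytes, MSB of each byte first.
 * Returns 0 on success, -1 if the cover has too few samples. */
int lsb_embed(uint8_t *cover, size_t cover_len, const uint8_t *msg, size_t msg_len)
{
    if (msg_len > 0xFFFF || cover_len < (msg_len + 2) * 8)
        return -1;
    uint8_t hdr[2] = { (uint8_t)(msg_len >> 8), (uint8_t)msg_len };
    size_t pos = 0;
    for (size_t k = 0; k < msg_len + 2; k++) {
        uint8_t byte = k < 2 ? hdr[k] : msg[k - 2];
        for (int bit = 7; bit >= 0; bit--, pos++)
            cover[pos] = (uint8_t)((cover[pos] & 0xFE) | ((byte >> bit) & 1));
    }
    return 0;
}

/* Reassemble one byte from 8 consecutive sample LSBs. */
static uint8_t lsb_read_byte(const uint8_t *cover, size_t pos)
{
    uint8_t b = 0;
    for (int bit = 0; bit < 8; bit++)
        b = (uint8_t)((b << 1) | (cover[pos + bit] & 1));
    return b;
}

/* Recover the message. Returns its length, or -1 if the header claims more
 * than the cover (or the output buffer) can hold. */
long lsb_extract(const uint8_t *cover, size_t cover_len, uint8_t *out, size_t out_cap)
{
    if (cover_len < 16)
        return -1;
    size_t msg_len = ((size_t)lsb_read_byte(cover, 0) << 8) | lsb_read_byte(cover, 8);
    if (cover_len < (msg_len + 2) * 8 || msg_len > out_cap)
        return -1;
    for (size_t k = 0; k < msg_len; k++)
        out[k] = lsb_read_byte(cover, (k + 2) * 8);
    return (long)msg_len;
}

/* Samples whose value changed: at most one per embedded bit, and each by
 * exactly 1 on a 0..255 scale, which is why the change is invisible. */
size_t lsb_samples_changed(const uint8_t *before, const uint8_t *after, size_t n)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++)
        changed += before[i] != after[i];
    return changed;
}

/* Round trip on a constructed 256-sample cover (a ramp, not a real image).
 * Returns 1 if the message survives and the change budget holds, else 0. */
int lsb_demo_roundtrip(void)
{
    uint8_t original[256], cover[256], recovered[32];
    const char *secret = "meet at 0900";          /* constructed sample message */
    for (size_t i = 0; i < sizeof cover; i++)
        original[i] = cover[i] = (uint8_t)i;
    if (lsb_embed(cover, sizeof cover, (const uint8_t *)secret, strlen(secret)) != 0)
        return 0;
    long n = lsb_extract(cover, sizeof cover, recovered, sizeof recovered);
    if (n != (long)strlen(secret) || memcmp(recovered, secret, (size_t)n) != 0)
        return 0;
    return lsb_samples_changed(original, cover, sizeof cover) <= (strlen(secret) + 2) * 8;
}
```

`lsb_demo_roundtrip()` embeds a 12-byte message into 112 of the 256 samples and reads it back; the capacity check in `lsb_embed` is the part that matters in practice, since a cover that is too small silently truncates the message in careless implementations.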
Yes, in fact, the US cyber division is working on that very thing. Terrorists are putting secret information in graphics. They usually don't hide them in Arabic sites, though; they found out that porn sites are very popular to hide them in. They do this because the US least expects that from the Arab nations, which are highly against pornographic materials.
From the horse's mouth: http://www.microsoft.com/technet/sec.../ms04-028.mspx
edit more detail ---
(note reported date, ooooouch)
Advisory: September 14, 2004
Reported: October 7, 2003
Systems affected based on testing:
Windows XP SP0,SP1,SP1a (Home & Pro)
Systems potentially affected based on Microsoft's DLL Help Database
(there may be others):
gdiplus.dll 5.2.3790.0
Windows Server 2003 Data Center
Windows Server 2003 Enterprise
Windows Server 2003 Standard
Windows Server 2003 Web Edition
gdiplus.dll 5.1.3100.0
Microsoft Visual Studio .NET (2003) Enterprise Architect
gdiplus.dll 5.1.3097.0
Microsoft Visual Studio .NET (2002) Enterprise Architect
Microsoft Visual Studio .NET (2002) Enterprise Developer
Microsoft Visual Studio .NET (2002) Professional
Microsoft Visual Studio .NET (2003) Enterprise Architect
Visual Basic .NET Standard 2002
Visual C# .NET Standard 2002
Visual C++ .NET Standard 2002
Windows XP Home 2002
Windows XP Professional 2002
gdiplus.dll 5.1.3079.3
Microsoft Visual Studio .NET (2002) Enterprise Architect
Visio 2002 Professional
Visio 2002 Standard
Description
------------------------
The JPEG parsing engine included in GDIPlus.dll contains an
exploitable buffer overflow. When a specially crafted JPEG image is
accessed through the Windows XP shell, a buffer overflow occurs
potentially allowing an attacker to run arbitrary code on the
affected system. Due to the pervasiveness of the affected dll there
may be other vulnerable attack vectors.
Technical
------------------------
JPEG Comment sections (COM) allow for the embedding of comment data
into a JPEG image. COM sections are marked beginning with 0xFFFE
followed by a 16 bit unsigned integer in network byte order giving
the total comment length + the 2 bytes for the length field; a
single JPEG COM section could therefore contain 65533 bytes of
invisible data (invisible in the sense that it's not rendered as
part of the image). Because the JPEG COM field length variable is 2
bytes wide, and itself is included in the length value, the minimum
value for this field is 2, this implies an empty comment. If the
comment length value is set to 1 or 0, a buffer overflow occurs
overwriting heap management structures.
The problem is GDIPlus normalizes the COM length prior to checking
its value; a starting length of 0 becomes -2 after normalization
(0xFFFE unsigned), this value is converted to the 32 bit value
0xFFFFFFFE and is eventually passed on to memcpy which attempts to
copy ~4G bytes into heap memory.
eEye Digital Security analyzed the bug and found that heap
management structures are left in an inconsistent state with
execution eventually reaching heap unlink instructions within
RTLFreeHeap with EAX pointing to a pointer to data we control and we
have direct control of EDX.
Vendor Status
------------------------
Patch available MS04-028 (833987)
http://www.microsoft.com/technet/sec.../ms04-028.mspx
Detection
------------------------
Detection could be accomplished by examining the JPEG image for the
following byte sequence:
0xFF 0xFE 0x00 0x00 or 0xFF 0xFE 0x00 0x01
Credits
------------------------
Nick DeBaggis - Discovery, analysis, and advisory.
Special thanks to eEye Digital Security www.eeye.com - Detailed
vulnerability analysis, initial and ongoing vendor contact.
I can't seem to find the thread at the moment... but I remember not too long ago someone was saying that it was possible to infect an image with a virus and in turn infect the user who opens the "image". The poster even attached a proof of concept...
I've tried searching for the thread... but I can't find it now and I don't remember who made these claims... but I know they backed them up...
Anyone else remember that?
phishphreek80:
I don't know if this is what you are remembering, but there was an exploit for the Linux image manipulation program XV. Here's a link in bugtraq with source:
http://msgs.securepoint.com/cgi-bin/...q0408/186.html
Maybe it will look familiar?
As for this new buffer overflow, I haven't seen any exploit code anywhere yet and M$ says they haven't either, but I wouldn't trust them. AngelicKnight, you would just have to view the picture to get the virus/code to execute on your computer from what I understand, so looking at pop-ups, email, banners, avatars, etc. could get you infected.
Phish-
That thread was BS. He claimed a jpeg would infect any picture viewer, it was really just a .exe renamed as .jpg or something silly. I think the threads author was Grim_reaper or something similar.
As for the exploit....
All it takes is a creative vector to pull it off... Similar to the latest winamp exploit.
http://www.microsoft.com/technet/sec.../ms04-028.mspx
Quote:
AngelicKnight, you would just have to view the picture to get the virus/code to execute on your computer from what I understand, so looking at pop-ups, email, banners, avatars, etc could get you infected.
There's a list in that link of exploitable software... It would have to be run in that environment to be exploitable. In the list of software that isn't affected is IE. So avatars, banners, pop-ups... not vulnerable. Unless the vector involves IE.
Search for posts by Grim Reaper..
Yes, there is such a "Virus" BUT it is in two parts.. the first is the "Extraction" program, the other was the "infected" JPG.. the infection was embedded in the image using stego methods..
This exploit works on the "Comment" section of the file and how MS products handle the file.. this is different to stego (using redundant bits).
Cheers
You used to be able to feed AT modem line commands through an ASCII picture... I remember all of the dialup BBSs having a lot of fun with that one...
This new bug is pretty nasty.. I like how they say it doesn't affect Win2k unless you are running IE6SP2.. Umm.. how could you not be running IE?? hehe.. definitely make sure that IE isn't opening up any graphic files, or any type of files for that matter..
Well, nobody said the JPEG file had to actually be an image! The moment MS products try to render the JPEG, they copy 4GB of data onto the heap, with whatever this JPEG had inside of it going there. So simply put, this isn't actually a JPEG that is an image, it is simply an executable that pretends to be an image so that when someone tries to open the image the code it has is copied straight to where it gets executed, and the image doesn't load because it appears to be corrupt. (Just an executable taking advantage of a vuln in JPEG loading to get itself executed by the OS)
The bad thing is that someone could burn a CD of images, one of which won't be an image but will use the JPEG Comments bug to infect others, and when Windows decides to thumbnail everything the code is loaded into memory and executed...
There are also the images that are ~5MB in size but easily eat up several hundred MB of RAM while Windows tries to make a thumbnail icon for them. I run into these when working with high-resolution images that are over 5000x5000 pixels in size. I like working on things at least 300dpi for the final prints, but I usually work in at least 600dpi before downsampling to what will be used for the final print.
I came across this when I was searching for the above subject, and the
WARNING, THE URL MAY CONTAIN A VIRUS (90% CHANCE)
DO NOT CLICK ON IT UNLESS YOU ARE ABSOLUTELY SURE ABOUT
WHAT YOU ARE ABOUT TO DO.
I MYSELF HAVEN'T TRIED THAT (I THINK MY COMPANY FIREWALL BLOCKS IT)
http://kate.krashed.org/me.jpg
since kate.krashed.org resolves to 127.0.0.3 which in my case also constitutes as localhost..
Code:
wget http://kate.krashed.org/me.jpg
--09:22:34-- http://kate.krashed.org/me.jpg
=> `me.jpg'
Resolving kate.krashed.org... 127.0.0.3
Connecting to kate.krashed.org[127.0.0.3]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
09:22:40 ERROR 404: Not Found.
it doesn't work..
same as hackme.tp2.be (127.0.0.1)..
perhaps it does something more weird on a windows box..
Wow. Thanks for all the info guys. I think I'm gonna update my XP Pro on that part for the JPEG issues.
Quote:
Originally posted here by ric-o
Here are Microsoft's September security bulletins. The JPEG processing vulnerability is scary: it affects a TON of stuff, pretty much everything (see list below)...
Microsoft Security Bulletin MS04-028:
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
http://www.microsoft.com/technet/sec.../MS04-028.mspx
****SEE LIST OF AFFECTED SOFTWARE****
Microsoft Security Bulletin MS04-027:
Vulnerability in WordPerfect Converter Could Allow Code Execution (884933)
http://www.microsoft.com/technet/sec.../MS04-027.mspx
We were warned, weren't we..
Quote:
Courtesy of lumpyporridge
Advisory: September 14, 2004
Reported: October 7, 2003
these dates...
If MicroSoft have known about it for so long, and given the vulnerability's danger ranking (assigned by MicroSoft), why isn't the patch in SP2? Maybe I've missed something here?
Tsk, tsk. I am surprised at a few of you...
The JPEG file itself is not the issue, look closely at the affected software listed. It is how MS processes the JPEG image, i.e. when opening it in Internet Explorer to view it. The buffer underrun condition overwrites the code used to process the image and PRESTO, instant haxor. So no, this is not steganography but just another example of sloppy unchecked buffers in MS code.
PS
For those interested in steganography, the CDC (cult of the dead cow) has a nice browser called CameraShy which allows you to view image files that have text hidden in them. Of course you will need a few things to be able to see the text but the browser at least alerts you to the fact that these files exist on the site you are on.
Quote:
Originally posted here by Simple Simon
these dates...
If MicroSoft have known about it for so long, and given the vulnerabilities danger ranking (assigned by MicroSoft), why isn't the patch in SP2? May be I've missed something here?
This bug is obviously involved with some code that is pretty tightly woven into the OS.. Just look at how wide spread the problem is to see how common this code is. I'm sure most of the time spent on this bug was fixing the extensive coding issue that they obviously have. Eeye is a damn good vulnerability finder, so I'm sure it didn't take more than a couple of days for MS to verify what Eeye gave them. It really isn't easy to update code on that many different products. A lot of compatibility testing is involved. Because you know if they released a patch that crashed the server they would be crucified for it.
Quote:
Because you know if they released a patch that crashed the server they would be crucified for it.
Crucified if you do, crucified if you don't.......
The benefit here is that EEye found it a year ago and it wasn't exploited to any degree known. Thus, the non-disclosure works. M$ had time to deal with an inherent issue in many of its products; they obviously kept in touch with EEye as to their progress, which kept EEye from going to full disclosure. OTOH, it was sufficiently "secure/obscure" that it took EEye to find it and for the most part we have to think that it went undiscovered by those with malicious intent, otherwise it would have become "non-zero day" prior to the patch.
Applause to all involved from me.... it was done right.
Found this today and thought it may help to learn about this jpeg discussion
Microsoft warns of poisoned picture peril
By Kevin Poulsen, SecurityFocus Sep 14 2004 5:54PM
The old bromide that promises you can't get a computer virus by looking at an image file crumbled a bit further Tuesday when Microsoft announced a critical vulnerability in its software's handling of the ubiquitous JPEG graphics format.
The security hole is a buffer overflow that potentially allows an attacker to craft a special JPEG file that would take control of a victim's machine when the user views it through Internet Explorer, Outlook, Word, and other programs. The poisoned picture could be displayed on a website, sent in e-mail, or circulated on a P2P network.
Windows XP, Windows Server 2003 and Office XP are vulnerable. Older versions of Windows are also at risk if the user has installed any of a dozen other Microsoft applications that use the same flawed code, the company said in its advisory. The newly-released Windows XP Service Pack 2 does not contain the hole, but vulnerable versions of Office running atop it can still be attacked if left unpatched. Patches are available from Microsoft's website.
The company said it's not aware of the hole being publicly exploited in the wild, and has not seen any examples of proof of concept code.
The JPEG bug rounds out a growing menagerie of vulnerabilities in code that displays image files. Mozilla developers last month patched the open-source browser against a critical hole discovered in a widely-deployed library for processing PNG images. And last July, Microsoft simultaneously fixed two image display holes in Internet Explorer: one made users potentially vulnerable to maliciously-crafted BMP images, the second to corrupt GIF files. The GIF bug had been publicly disclosed 11 months earlier.
There was a time when the idea of a malicious image file was absurd enough to be the topic of an April Fools joke. One early and widely-circulated hoax message dating from 1994 warned users of a computer virus infecting the comment field of JPEG files.
"It was someone saying that just looking at a JPEG on your screen can get you a virus," recalls Rob Rosenberg, editor of the debunking site Vmyths.com. "In '94 it was a myth, but in '04 it's the real thing... We've got the JPEG of death now."