[ISN] Malicious GIF conceals PHP attack

From: InfoSec News (alerts@private)
Date: Fri Jun 22 2007 - 00:02:53 PDT


http://www.techworld.com/security/news/index.cfm?newsID=9240

By Matthew Broersma
Techworld
21 June 2007

Hackers have begun circulating a PHP exploit embedding it in a seemingly 
harmless GIF image, according to security researchers.

The exploit was discovered in at least one GIF on a major image-hosting 
website, according to a bulletin [1] from the SANS Institute's Internet 
Storm Center (ISC) on Tuesday.

"It's interesting and scary to find a file that acts like a regular GIF 
file, but contains a script exploit," said SANS ISC handler Lorna 
Hutcheson in the bulletin.

The exploit, coded in PHP script, could be a dangerous new development, 
Hutcheson said.

"Interestingly enough, the file itself contains a completely legitimate 
1x1 gif image at the beginning of the file," she wrote. "It is a clever 
way to pass exploit code to others without it setting off alarms or 
attracting attention all while bypassing network security tools."

She also suggested the technique could be used to create a Remote File 
Inclusion attack, an attack that lets hackers run their own malicious 
code on an otherwise harmless website.

[1] http://isc2.sans.org/diary.html?storyid=2997


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Fri Jun 22 2007 - 00:17:41 PDT