Re: Infected jpeg files?

From: Mathias Dybvik (tmdybvikat_private)
Date: Thu Nov 08 2001 - 23:39:38 PST

Next message: ARAI Yuu: "Solaris 7 /usr/dt/bin/dtmail and /usr/dt/bin/dtmailpr "-f" option buffer overflow"

Previous message: Blue Boar: "Re: Infected jpeg files?"
In reply to: rginskiat_private: "Infected jpeg files?"
Next in thread: Chan, Stephen (TIS, Singapore): "RE: Infected jpeg files?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The jpeg standard does not encompass any form of executable code in the jpeg
itself. Any code you injected into a jpeg document would not be executed by the viewer.

There is one exception to this:

If there is a certain vulnerability/problem with a particular jpeg viewer,
then it is theoretically possible to cause various forms of overflows,
and possibly executing code in the viewer/client environment, by extremely
carefully crafted pictures. This carefully crafted code would then have to 
have enough payload to reproduce, i.e. introduce a copy of itself into another jpeg
file. 

This scenario sounds like it has probability greater than zero, yet would be very hard
to implement reliably. Any implementation would likely only work on one particular 
version of one particular jpeg viewer, possibly only on one particular machine/software 
configuration. 

More fun use of jpeg viewer problems would probably be to upload jpegs to
your web site that selectively crashed viewers/browsers you don't like. :)

Steganography is information hiding. Your problem is not to hide information,
but to have that information interpreted as code, and executed. 

The classic *illusion* of an executable jpeg, however, is the
"my_picture.jpg.vbs" trick, which fools a lot of windows users that are
using default settings in their file viewer. If you have "hide known
extensions" enabled, then yes, it *is* possible to get infected by opening a
file that *seems to be* a jpg file (but it isn't).

Mathias Dybvik

On Wed, Nov 07, 2001 at 01:22:40AM -0000, rginskiat_private wrote:
> Mailer: SecurityFocus
> 
> Is it possible for a virus to infect a jpeg (*.jpg) file, 
> then the jpg file to infect other files?...without 
> changing the files characteristics? In other words, a 
> jpeg file (file.jpg) is infected and it 
> remains "infected_file.jpg". It is possible for a file type 
> as jpeg to have a payload or cause damage although 
> it's just being viewed? Perhaps something like 
> steganagraphy...except embedding vbs (or 
> something) causing infection by way of the viewer? I 
> guess another way of asking the question is:
> 
> Is it possible to get infected by just viewing jpeg files?

Next message: ARAI Yuu: "Solaris 7 /usr/dt/bin/dtmail and /usr/dt/bin/dtmailpr "-f" option buffer overflow"
Previous message: Blue Boar: "Re: Infected jpeg files?"
In reply to: rginskiat_private: "Infected jpeg files?"
Next in thread: Chan, Stephen (TIS, Singapore): "RE: Infected jpeg files?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 00:30:41 PST