> Is it possible to get infected by just viewing jpeg files?

Hmm. Potentially. With conditions.

I released an exploit for xloadimage, which exploited an overflow in the handling of a particular image format that would allow execution of code. xloadimage was set as the default handler for TIFF format images for netscape under redhat 7.0. The actual format used was FACES, but by putting the extension .tif on the file, the webserver it was on sent it as the mime-type image/x-tiff, and as xloadimage doesn't use the extension to determine file types, it was able to try to deal with it, and be exploited.

The code would also be executed 'on the ground' if you viewed the file with xloadimage. If the program used to view the image wasn't vulnerable, the file displayed as a light grey square; otherwise it executed the shellcode, which caused a bind shell to be executed. By replacing the shellcode with other code, it would potentially be possible to infect other files of the appropriate format. (This would probably be quite easy to develop, because there is not the same problem of not being allowed 0x00 in image files as there is in many other exploits that require shellcode.)

However, this approach requires an exploitable bug in a viewer program, and for most image formats would require corrupting the file in some manner that would make it not display properly for other viewers. And using a bug like this to spread viruses would be kind of lame, IMO.

I played with other formats that xloadimage would handle, and while I was able to get it to segfault with jpeg (and other format) images, I found the FACES format was easy to exploit, and didn't look very hard at any other format.

-- zen-parse --

-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed without explicit permission. Legal action may be taken to enforce this.
If this message was posted by zen-parseat_private to a public forum it may be redistributed as long as these conditions remain attached. If you are mum or dad, this probably doesn't apply to you.
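The post turns on a mismatch between what a file is declared to be (a .tif extension, served as image/x-tiff, dispatched to the TIFF handler) and what its bytes actually are (a FACES file, which xloadimage recognises by content). The following is an added example, not code from xloadimage or from zen-parse: it sniffs an image's real format from its leading bytes, maps the filename extension to the format a web server or browser handler table would declare, and flags the two disagreeing. The sample buffers, the FACES-style text header (an approximation of the format's field layout, not a spec-accurate file) and the function names are all constructed for this example.

```c
/* Added example (not xloadimage's code): compare a file's declared image
 * type (from its extension, standing in for the server's MIME mapping and
 * the browser's handler lookup) with the type its content actually has.
 * A FACES file renamed to .tif is reported as a mismatch because its text
 * header carries no TIFF magic. All sample data is constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

enum fmt { FMT_UNKNOWN = 0, FMT_TIFF, FMT_JPEG, FMT_PNG, FMT_GIF };

static const char *fmt_name(enum fmt f)
{
    switch (f) {
    case FMT_TIFF: return "tiff";
    case FMT_JPEG: return "jpeg";
    case FMT_PNG:  return "png";
    case FMT_GIF:  return "gif";
    default:       return "unknown";
    }
}

/* Content sniffing: match the well-known magic bytes of each format, the way
 * a viewer that ignores the extension decides which decoder to run. */
enum fmt sniff_format(const unsigned char *buf, size_t len)
{
    if (len >= 4 && (memcmp(buf, "II*\0", 4) == 0 || memcmp(buf, "MM\0*", 4) == 0))
        return FMT_TIFF;
    if (len >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF)
        return FMT_JPEG;
    if (len >= 8 && memcmp(buf, "\x89PNG\r\n\x1a\n", 8) == 0)
        return FMT_PNG;
    if (len >= 6 && (memcmp(buf, "GIF87a", 6) == 0 || memcmp(buf, "GIF89a", 6) == 0))
        return FMT_GIF;
    return FMT_UNKNOWN;   /* text formats such as FACES land here */
}

/* ASCII case-insensitive equality for extensions (avoids POSIX strcasecmp). */
static int ext_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Declared type: what the extension, and hence a MIME table keyed on it,
 * claims the file to be (the post's .tif -> image/x-tiff case). */
enum fmt format_from_extension(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (dot == NULL)
        return FMT_UNKNOWN;
    dot++;
    if (ext_eq(dot, "tif") || ext_eq(dot, "tiff")) return FMT_TIFF;
    if (ext_eq(dot, "jpg") || ext_eq(dot, "jpeg")) return FMT_JPEG;
    if (ext_eq(dot, "png")) return FMT_PNG;
    if (ext_eq(dot, "gif")) return FMT_GIF;
    return FMT_UNKNOWN;
}

/* Returns 1 when the declared and sniffed types disagree, i.e. the viewer
 * would hand the bytes to a different decoder than the one advertised. */
int type_mismatch(const char *name, const unsigned char *buf, size_t len)
{
    return format_from_extension(name) != sniff_format(buf, len);
}

/* Constructed samples, not taken from the original post. */
static const unsigned char SAMPLE_TIFF_LE[] = { 'I', 'I', 0x2A, 0x00, 0x08, 0, 0, 0 };
static const unsigned char SAMPLE_JPEG[]    = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10,
                                                'J', 'F', 'I', 'F', 0x00 };
/* FACES is a text format; this header layout is an approximation. */
static const char SAMPLE_FACES[] = "FirstName: Example\nLastName: User\nImage: 48 48 1\n";

int main(void)
{
    struct { const char *name; const unsigned char *buf; size_t len; } files[] = {
        { "photo.tif", SAMPLE_TIFF_LE, sizeof SAMPLE_TIFF_LE },
        { "photo.jpg", SAMPLE_JPEG, sizeof SAMPLE_JPEG },
        { "face.tif", (const unsigned char *)SAMPLE_FACES, sizeof SAMPLE_FACES - 1 },
    };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        printf("%-10s declared=%-7s content=%-7s %s\n", files[i].name,
               fmt_name(format_from_extension(files[i].name)),
               fmt_name(sniff_format(files[i].buf, files[i].len)),
               type_mismatch(files[i].name, files[i].buf, files[i].len) ? "MISMATCH" : "ok");
    }
    return 0;
}
```

The check is the one a practitioner would add on either side of the exchange: a proxy or upload handler that refuses to label bytes as image/x-tiff unless they start with a TIFF byte-order mark, or a viewer that only runs the decoder the caller asked for. Neither stops an overflow in a decoder that is reached legitimately, but both close the route the post describes, where the label and the parser disagree.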
This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 11:32:20 PST