Re: Infected jpeg files?

From: zen-parse (zen-parseat_private)
Date: Fri Nov 09 2001 - 02:41:07 PST


    > Is it possible to get infected by just viewing jpeg files?
    
    Hmm. Potentially. With conditions.
    
    I released an exploit for xloadimage, which exploited an overflow in the 
    handling of a particular image format that would allow execution of code.
    
    xloadimage was set as the default handler for TIFF format images for 
    netscape under redhat 7.0. 
    
    The actual format used was FACES, but by putting the extension .tif on the
    file, the webserver it was on sent it as the mime-type image/x-tiff and as
    xloadimage doesn't use the extension to determine file types, it was able
    to try to deal with it, and be exploited.  The code would also be executed
    'on the ground' if you viewed the file with xloadimage.
    
    If the program used to view the image wasn't vulnerable, the file
    displayed as a light grey square, otherwise it executed the shellcode,
    which caused a bind shell to be executed. By replacing the shellcode with
    other code, it would potentially be possible to infect other files of the
    appropriate format. (This would probably be quite easy to develop, because
    there is not the same problem of not being allowed 0x00 in image files as
    there is in many other exploits that require shellcode.)
    
    However, this approach requires an exploitable bug in a viewer program,
    and for most image formats would require corrupting the file in some
    manner that would make it not display properly for other viewers.
    
    And using a bug like this to spread viruses would be kind of lame, IMO.
    
    I played with other formats that xloadimage would handle, and while I was
    able to get it to segfault with jpeg (and other format) images, I found
    the FACES format was easy to exploit, and didn't look very hard at any
    other format.
    
    -- zen-parse
    
    --
    -------------------------------------------------------------------------
    The preceding information is confidential and may not be redistributed
    without explicit permission. Legal action may be taken to enforce this.  
    If this message was posted by zen-parseat_private to a public forum it may
    be redistributed as long as these conditions remain attached. If you are
    mum or dad, this probably doesn't apply to you.
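A defender-side check for the mismatch the post describes (a file served as image/x-tiff whose bytes are not TIFF at all, handed to a viewer that sniffs content rather than trusting the extension). This is an added example, not part of zen-parse's message; the signature table and the sample inputs are constructed here.

```python
# Added example (not from the original post): verify that a downloaded image's
# bytes match the MIME type the server declared for it, so a content-sniffing
# viewer (as xloadimage is described to be) is never handed a file of some
# other format under a familiar extension or content type.
from typing import Optional

# Well-known leading-byte signatures for the formats named in the thread.
SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/tiff": [b"II*\x00", b"MM\x00*"],
}
# Legacy aliases some servers send; image/x-tiff is the one from the post.
ALIASES = {"image/x-tiff": "image/tiff", "image/pjpeg": "image/jpeg"}

def sniff_type(data: bytes) -> Optional[str]:
    """Return the canonical MIME type implied by the leading bytes, or None."""
    for mime, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None

def check_declared_type(declared: str, data: bytes) -> dict:
    """Compare the declared Content-Type with what the bytes really are.
    'ok' is False when the content does not match the type it was served as,
    which is the condition a download handler or proxy should refuse."""
    canonical = ALIASES.get(declared.lower(), declared.lower())
    actual = sniff_type(data)
    return {"declared": canonical, "actual": actual, "ok": actual == canonical}

# Constructed sample inputs (not real files): a minimal little-endian TIFF
# header, a JPEG/JFIF header, and a text body served with a TIFF content type.
SAMPLES = [
    ("image/x-tiff", b"II*\x00\x08\x00\x00\x00" + b"\x00" * 8),
    ("image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("image/x-tiff", b"this is not a TIFF file\n"),
]

def run_samples() -> list:
    """Check every constructed sample and return the list of reports."""
    return [check_declared_type(mime, data) for mime, data in SAMPLES]

if __name__ == "__main__":
    for report in run_samples():
        print(report)
```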
    



    This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 11:32:20 PST