Re: Infected jpeg files?

From: HackHawk (hughat_private)
Date: Fri Nov 09 2001 - 21:40:16 PST


    This (finding an algorithm flaw) is the most interesting post I've seen 
    about infecting JPEG images.
    
    However, I've seen no mention of files on the Macintosh.  Isn't it true 
    that on a Macintosh, you can give an executable file ANY extension you 
    want?  And isn't it also true that you can associate ANY image you want 
    with your executable file?
    
    A Mac friend of mine once showed me how he got somebody to open a Mac 
    Script file because the target thought it was a zipped archive of some 
    sort.  The script set up a special access password on the target's system, 
    then downloaded and opened the actual archive from somewhere else.
    
    I spent a few hours attempting to create such a file using CodeWarrior on 
    the Mac a few months back, but due to lack of time gave up the effort.  I 
    was able to name an executable with any extension I wanted (.JPG to be 
    precise), but I was never able to associate the image I wanted with the 
    executable file.
    
    Any Mac people want to correct my belief if it is incorrect?
    
    - hh
    
    At 09:13 AM 11/9/01 -0800, J Edgar Hoover wrote:
    
    >On Tue, 6 Nov 2001 joveat_private wrote:
    >
    > >       If there was some sort of buffer overflow/other way of causing the
    > > code to function in a manner inconsistent with its design due to the
    > > content/formatting of the .jpg image then yes, there could be a payload
    > > designed to be set off upon viewing of the .jpg image.  Otherwise, the
    > > .jpg image specifies (simplified) values of pixels in a compressed format
    > > and thus the .jpg specification does not include the ability to run code
    > > by default.
    >
    >The most likely route to an overflow is probably through one of the
    >compression algorithms. Something similar to the massively compressed huge
    >file that DoS'es antivirus scanners.
    >
    >Find a bug in any one of the "family of compression algorithms" supported
    >by the standard that allows you to write 'image data' past the end of the
    >allocated buffer.
    >
    >Cross-platform shellcode written to the most likely offsets for common
    >architectures could affect a lot of boxes.
    >
    >I'll bet the specs aren't available online for a reason. ;]
    >
    >If anybody can fork me a copy, I'll work on a proof of concept.
    >
    >
    >z
    
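The quoted message sketches the bug class in one sentence: a decoder that trusts a length taken from the image and writes that many bytes of "image data" into a fixed-size buffer. The following is an added illustration, not code from either poster and not a bug in any real JPEG library. It builds a constructed JPEG-like byte string (SOI, one COM marker segment whose big-endian length field claims more payload than the decoder's 64-byte comment buffer holds, then EOI) and parses it twice: once the way the post describes, trusting the length field, and once with the three checks a decoder needs (length covers itself, segment lies inside the file, payload fits the buffer). The `struct decoder` layout, the canary and the spill area are assumptions made so the overrun is observable inside one object instead of crashing the process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMMENT_MAX 64
#define CANARY 0xDEADBEEFu

/* Assumed decoder state. In a real decoder the fields after a fixed
 * buffer hold lengths, pointers or dimensions; here a canary stands in
 * for them so an overrun is visible, and the spill area keeps the
 * constructed overrun inside this one object. */
struct decoder {
    char comment[COMMENT_MAX];
    uint32_t canary;
    unsigned char spill[256];
};

void decoder_init(struct decoder *d) {
    memset(d, 0, sizeof *d);
    d->canary = CANARY;
}

/* Constructed input (not a real photo): SOI, one COM segment whose
 * 2-byte big-endian length field covers itself plus COM_PAYLOAD bytes,
 * then EOI. COM_PAYLOAD is deliberately larger than COMMENT_MAX but
 * small enough to stay inside struct decoder. */
#define COM_PAYLOAD 198
#define SAMPLE_LEN (2 + 2 + 2 + COM_PAYLOAD + 2)

void build_sample(unsigned char out[SAMPLE_LEN]) {
    size_t i = 0;
    out[i++] = 0xFF; out[i++] = 0xD8;                /* SOI */
    out[i++] = 0xFF; out[i++] = 0xFE;                /* COM marker */
    out[i++] = (COM_PAYLOAD + 2) >> 8;               /* length, high byte */
    out[i++] = (COM_PAYLOAD + 2) & 0xFF;             /* length, low byte */
    memset(out + i, 'A', COM_PAYLOAD); i += COM_PAYLOAD;
    out[i++] = 0xFF; out[i++] = 0xD9;                /* EOI */
}

/* Offset of the length field of the first COM segment, or -1. */
static long find_com(const unsigned char *buf, size_t n) {
    for (size_t i = 0; i + 3 < n; i++)               /* marker (2) + length (2) */
        if (buf[i] == 0xFF && buf[i + 1] == 0xFE)
            return (long)(i + 2);
    return -1;
}

/* The pattern the post describes: trust the in-file length and copy
 * that many bytes into a fixed buffer. Returns bytes copied. The copy
 * goes through an unsigned char view of the whole struct so that, for
 * the constructed sample, the overrun lands in canary/spill. */
long read_comment_unchecked(struct decoder *d, const unsigned char *buf, size_t n) {
    long at = find_com(buf, n);
    if (at < 0) return -1;
    size_t len = ((size_t)buf[at] << 8) | buf[at + 1];
    size_t payload = len - 2;                        /* underflows when len < 2 */
    unsigned char *dst = (unsigned char *)d + offsetof(struct decoder, comment);
    memcpy(dst, buf + at + 2, payload);              /* no bounds check */
    return (long)payload;
}

/* Hardened version: reject a length that does not cover itself or runs
 * past the end of the file, and truncate the payload to the buffer.
 * Returns bytes stored, or -1 for a malformed segment. */
long read_comment_checked(struct decoder *d, const unsigned char *buf, size_t n) {
    long at = find_com(buf, n);
    if (at < 0) return -1;
    size_t len = ((size_t)buf[at] << 8) | buf[at + 1];
    if (len < 2) return -1;                          /* length includes its own 2 bytes */
    if (len > n - (size_t)at) return -1;             /* segment extends beyond the file */
    size_t payload = len - 2;
    if (payload > COMMENT_MAX - 1) payload = COMMENT_MAX - 1;  /* leave room for NUL */
    memcpy(d->comment, buf + at + 2, payload);
    d->comment[payload] = '\0';
    return (long)payload;
}

int main(void) {
    unsigned char sample[SAMPLE_LEN];
    struct decoder d;
    build_sample(sample);

    decoder_init(&d);
    long got = read_comment_unchecked(&d, sample, SAMPLE_LEN);
    printf("unchecked: copied %ld bytes, canary %s\n", got,
           d.canary == CANARY ? "intact" : "clobbered");

    decoder_init(&d);
    got = read_comment_checked(&d, sample, SAMPLE_LEN);
    printf("checked:   stored %ld bytes, canary %s\n", got,
           d.canary == CANARY ? "intact" : "clobbered");
    return 0;
}
```

The two length checks are the ones that matter in practice: a declared length below 2 makes `len - 2` wrap to a huge `size_t`, and a declared length beyond the end of the buffer turns a copy into an out-of-bounds read as well as a write. Both are independent of the compressed scan data the post speculates about; they live in the marker segments that every decoder parses before it reaches any Huffman or DCT code.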



    This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 22:19:05 PST