> Is it possible to get infected by just viewing jpeg files?
Hmm. Potentially. With conditions.
I released an exploit for xloadimage, which exploited an overflow in the
handling of a particular image format that would allow execution of code.
xloadimage was set as the default handler for TIFF format images for
netscape under redhat 7.0.
The actual format used was FACES, but by putting the extension .tif on the
file, the webserver it was on sent it as the mime-type image/x-tiff and as
xloadimage doesn't use the extension to determine file types, it was able
to try to deal with it, and be exploited. The code would also be executed
'on the ground' if you viewed the file with xloadimage.
If the program used to view the image wasn't vulnerable, the file
displayed as a light grey square, otherwise it executed the shellcode,
which caused a bind shell to be executed. By replacing the shellcode with
other code, it would potentially be possible to infect other files of the
appropriate format. (This would probably be quite easy to develop, because
there is not the same problem of not being allowed 0x00 in image files as
there is in many other exploits that require shellcode.)
However, this approach requires an exploitable bug in a viewer program,
and for most image formats would require corrupting the file in some
manner that would make it not display properly for other viewers.
And using a bug like this to spread viruses would be kind of lame, IMO.
I played with other formats that xloadimage would handle, and while I was
able to get it to segfault with jpeg (and other format) images, I found
the FACES format was easy to exploit, and didn't look very hard at any
other format.
-- zen-parse
--
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.
If this message was posted by zen-parse_at_gmx.net to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.
Received on Nov 09 2001
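
The message above describes a type mismatch: the server labelled the file from its .tif extension while the viewer decided the format from the content. The following is an added example, not part of the original post and not code from xloadimage or Netscape: a check a dispatcher could run before handing a download to a helper, refusing files whose leading bytes do not match the declared type. The function names, the allowlist and the sample bytes are assumptions made for illustration.

```python
import os

# Leading-byte signatures for the types we are willing to pass to a viewer.
MAGIC = {
    "image/tiff": (b"II*\x00", b"MM\x00*"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Non-standard labels seen in the wild, mapped to the canonical type.
ALIASES = {"image/x-tiff": "image/tiff", "image/pjpeg": "image/jpeg"}
# Fallback when no Content-Type is available (e.g. a file opened from disk).
EXTENSIONS = {".tif": "image/tiff", ".tiff": "image/tiff", ".jpg": "image/jpeg",
              ".jpeg": "image/jpeg", ".png": "image/png", ".gif": "image/gif"}


def declared_type(filename, content_type=None):
    """Type the sender claims: the Content-Type header if given, else the extension."""
    if content_type:
        mime = content_type.split(";", 1)[0].strip().lower()
    else:
        ext = os.path.splitext(filename)[1].lower()
        mime = EXTENSIONS.get(ext, "")
    return ALIASES.get(mime, mime)


def safe_to_dispatch(filename, data, content_type=None):
    """Return (ok, reason); ok is True only if the bytes match the declared type."""
    mime = declared_type(filename, content_type)
    signatures = MAGIC.get(mime)
    if signatures is None:
        return False, "declared type %r is not on the allowlist" % (mime or "unknown")
    if not data.startswith(signatures):
        return False, "content does not start with a %s signature" % mime
    return True, "content matches %s" % mime


# Constructed samples: arbitrary non-TIFF bytes renamed to .tif, and a minimal
# little-endian TIFF header (byte order mark, magic 42, offset of first IFD).
DISGUISED = b"constructed non-TIFF bytes\n"
REAL_TIFF = b"II*\x00\x08\x00\x00\x00"

if __name__ == "__main__":
    for name, blob in (("photo.tif", DISGUISED), ("photo.tif", REAL_TIFF)):
        print(name, safe_to_dispatch(name, blob, "image/x-tiff"))
```

The check only ensures the viewer receives the format the sender declared; a bug in the viewer's parser for that declared format is still reachable.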