Vulnerability Development
mailing list archives
Re: Infected jpeg files?
From: "Brad" <gryphonn () austarnet com au>
Date: Sun, 11 Nov 2001 09:22:08 +1000
On 9 Nov 2001 at 21:40, HackHawk wrote:
Date sent: Fri, 09 Nov 2001 21:40:16 -0800
To: <vuln-dev () securityfocus com>
From: HackHawk <hugh () hackhawk net>
Subject: Re: Infected jpeg files?
Copies to: <rginski () co pinellas fl us>, <jove () gaza halo nu>,
J Edgar Hoover <zorch () totally righteous net>
This (finding an algorithm flaw) is the most interesting post I've seen
about infecting JPEG images.
However, I've seen no mention of files on the Macintosh. Isn't it true
that on a Macintosh, you can give an executable file ANY extension you
want? And isn't it also true that you can associate ANY image you want
with your executable file?
A MAC friend of mine once showed me how he got somebody to open a Mac
Script file because the target thought it was a zipped archive of some
sort. The script setup a special access password on the targets system,
then downloaded and opened the actual archive from somewhere else.
I spent a few hours attempting to create such a file using Code Warrior on
the MAC a few months back, but due to lack of time gave up the effort. I
was able to name an executable with any extension I wanted (.JPG to be
precise), but I was never able to associate the image I wanted with the
executable file.
Any MAC people want to correct my belief if it is incorrect?
- hh
Hi all
Last week I was troubleshooting a jpeg viewing problem with a number of workstations. What was happening was certain w/station users couldn't view a particular image that had been mailed out for staff information (Xmas card design).
It turned out that the image was created on a Mac in Photoshop and was saved as a jpeg in CMYK format. The image itself had extra header information (as opposed to a jpeg saved in RGB format) that IE could not decipher. This problem was only affecting those users who still had IE as the default viewer for jpeg files. Any other image viewer seemed to parse the image and display it OK, except MS Paint, which crashed. Resaving the image as a jpeg through an image viewer such as Irfanview removed the offending extra header information and resolved the IE problem (I didn't check MS Paint).
IE was tied up in some sort of processing *after* the default 'red cross' icon for a non-viewable image was displayed. I'm no coding guru, but thought that there may be potential there to embed some code in those extra headers to cause IE to process that code. If anyone is interested in playing with this idea, e-mail me off-list and I'll organize to e-mail you both variants of the same file on Monday. *If* this is possible, there are an awful lot of IE browsers still set as the default image viewer for jpegs out there.
Cheers,
--
Brad Griffin
Gryphonn Design
Rockhampton QLD, Aust. 4700
ABN: 12 095 821 961
***************************
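
Added example, not part of the original message: a small header walker for triaging the kind of difference described above, listing the marker segments of two variants of a JPEG and reporting which appear only in the second, with every length field bounds-checked. The function names and both byte strings are constructed for illustration; that the "extra header information" shows up as APPn segments or as a different component count in the frame header is an assumption about files like the one in the message.

```python
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # markers with no length field
SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}         # start-of-frame markers

def list_segments(data: bytes):
    """Return [(marker, payload_len, note)] for each header segment up to SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, pos = [(0xD8, 0, "")], 2
    while pos < len(data):
        while data[pos:pos + 2] == b"\xff\xff":        # skip fill bytes
            pos += 1
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker, pos = data[pos + 1], pos + 2
        if marker in STANDALONE:
            out.append((marker, 0, ""))
            if marker == 0xD9:                         # EOI
                break
            continue
        length = int.from_bytes(data[pos:pos + 2], "big")  # length field counts itself
        if pos + 2 > len(data) or length < 2 or pos + length > len(data):
            raise ValueError(f"bad or truncated length in segment FF{marker:02X}")
        payload, note = data[pos + 2:pos + length], ""
        if 0xE0 <= marker <= 0xEF:                     # APPn: show the identifier string
            note = f"APP{marker - 0xE0} " + payload.split(b"\0")[0][:12].decode("latin-1")
        elif marker in SOF and len(payload) >= 6:
            note = f"components={payload[5]}"          # typically 3 = YCbCr/RGB, 4 = CMYK/YCCK
        out.append((marker, len(payload), note))
        pos += length
        if marker == 0xDA:                             # SOS: entropy-coded scan data follows
            break
    return out

def extra_segments(a: bytes, b: bytes):
    """Segments whose (marker, note) appear in b but not in a."""
    seen = {(m, n) for m, _, n in list_segments(a)}
    return [s for s in list_segments(b) if (s[0], s[2]) not in seen]

def seg(marker, payload):   # helper used only to build the constructed samples below
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed header-only samples (not real images): JFIF with 3 components
# versus an Adobe APP14 segment with 4 components.
RGB_SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
              + seg(0xC0, b"\x08\x00\x10\x00\x10\x03" + b"\x01\x11\x00" * 3) + b"\xff\xd9")
CMYK_SAMPLE = (b"\xff\xd8" + seg(0xEE, b"Adobe\x00\x64\x00\x00\x00\x00\x02")
               + seg(0xC0, b"\x08\x00\x10\x00\x10\x04" + b"\x01\x11\x00" * 4) + b"\xff\xd9")
```

On real files, read both variants with `open(path, "rb").read()` and pass them to `extra_segments`; a `ValueError` from `list_segments` is itself a finding, since it means a segment length does not fit the file.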