lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: dornseif at informatik.rwth-aachen.de (Maximillian Dornseif)
Subject: Advisory: JPEG EXIF information disclosure 

Advisory: JPEG EXIF information disclosure

The Laboratory for dependable Distributed Systems at RWTH Aachen  
University
likes to raise awareness of common Information Disclosure via
JPEG EXIF thumbnail images in common image processing software.

Details
=======

Product: Image processing software
Affected Version: various
Immune Version: unknown
OS affected: any
Security-Risk: Medium
Remote-Exploit: No
Advisory-URL:
http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005 
-008
Advisory-Status: public
CVE: CAN-2005-0406

Introduction
============

Images created by digital cameras and later cropped or otherwise
modified by applications like Adobe Photoshop often contain an
unmodified Version of the Image in the embedded thumbnail image. This
can result in information disclosure.

More Details
============

Digital cameras but also other device embed mini versions
("thumbnails") of the original image in a JPEG image file. Among others
one reason is that while flipping through images on the cameras small
display the camera does not need to decode and scale the full megapixel
picture. The standard to save this thumbnail and other information
within a  JPEG file is called EXIF. The EXIF standard states that image
processing software should leave EXIF headers it doesn't understand
alone.

This means that if an image from a digital camera is edited, e.g. by
making a face unrecognizable, and than the modified version is
published, chances are that the thumbnail still contains the unmodified
version with the unobstructed face. There might be situations where
also disclosure of other information in the EXIF header, like the date
and time the picture was taken or the model of the camera used, is
problematic.

We found that of the JPEG images on the Internet 20 % have a embedded
EXIF Thumbnail and about 2% have a thumbnail which our screening
software considered significantly different from the original image.
After human screening 0.1% can be considered to have thumbnails which
are more than just boring cropping differences.

If you have more Information on this issue we are eager to hear from  
you -
contact dornseif@...ormatik.rwth-aachen.de.


Proof of Concept
================

See http://blogs.23.nu/disLEXia/stories/5751/ for some example images.
See http://md.hudora.de/presentations/#hiddendata-21c3 for code to find
"interesting" images automatically.


Workaround
==========

There is specialized software available for removing EXIF information.
Use it.


Fix
===

Image processing software should either update or remove the EXIF
thumbnail.


Security Risk
=============

Our research indicates that around 0.001% of all images contain
seriously harmful information in the EXIF thumbnail.


History
=======

2003-07-xx tech.tv moderator incident - private parts in the thumbnail
2004-07-xx Maximillian Dornseif gets aware of this incident, discuss it
at Defcon 12
2004-10-xx Steven J. Murdoch creates exif_thumb to automatically screen
image. We learn that the problem is quite widespread and not an random
software glitch.
2004-12-28 Dornseif & Murdoch present the results form a large scale
survey of images on the internet at the 21. Chaos Communication
Congress
2004-02-12 CVE number requested
2004-02-14 posted to the public as CAN-2005-0406


RedTeam
=======

RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find
more Information on the RedTeam Project at
http://tsyklon.informatik.rwth-aachen.de/redteam/



-- 
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Get news of the lab at   
http://mail-i4.informatik.rwth-aachen.de/mailman/listinfo/lufgtalk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2432 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050214/46d2637c/smime.bin

Powered by blists - more mailing lists