lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <414AB191.9090801@linuxbox.org>
Date: Fri, 17 Sep 2004 11:42:41 +0200
From: Gadi Evron <ge@...uxbox.org>
To: admin@...loitwatch.org
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com,
   vulnwatch@...nwatch.org
Subject: Re: [exploitwatch.org] ALERT: Windows XP JPEG Buffer
 Overflow POC Exploit


admin@...loitwatch.org wrote:

> A PoC for the Windows XP JPEG has been published. Because of the potential
> impact, it is anticipated that this exploit will be widely used by worms and
> other malware within a short period of time.
> 
> http://www.gulftech.org/?node=downloads

It might indeed, but I see it more as evolution.
First there were simple URL's with malicious content.
Then there were pictures which were actually HTML code (404 thing).
Then we saw HTML pages with actual pictures in them.

Now this.

It's natural evolution and would help spamed-URL malware a bit IF it 
ends up being easy enough to exploit it, and then some easy-to-use kit 
is created. These factors will determine how wide-used it will be.

BMP was hit before, and jpeg got hit back with Netscape and there was no 
big buzz.. This could end up being an issue for the media and AV 
companies to blow out of proportion, and it may actually be used in some 
Trojan horse or worm.

I'm a bit more worried about email threats.. the last thing we need, 
much like vmyths said, was scared admins blocking jpegs at the gateway.

Download the patches and you will be fine (if you get through it without 
an heart attack).

This *IS* an actual exploit and therefore, unlike vmyths - I believe it 
is more than possible a worm (or worms) will show up, but unlike other 
exploits of the past I wouldn't jump to any conclusions quite yet as to 
how big it is going to be, or how soon we will see it used.

Do your security and see how things develop. Why contribute to the media 
frenzy? There is no call for it.

I'm usually the one to call a date, this time I am the one to call "You 
said there's an exploit, fine! Who said you can scare everybody?" and 
that's meant not directly to you, but quite a few people.

Also - unrelated to this exploit, although jpeg is a pretty compressed 
format, it is a very orderly one. Anyone up on their jpeg technology to 
make a small program for checking if a jpeg was altered or some blurb 
was added to it inside?

	Gadi Evron.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ