From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: Re: Full-Disclosure digest, Vol 1 #1933 - 20 msgs

milw0rm Inc. wrote:

>JPEG GDI problem,
>
>Isn't this problem only capable of running if the jpeg was opened via
>the users actions?
>
>Is it possible that webpages could be affected with jpegs with
>internet explorer viewing them?  I wouldn't think so since what I have
>read from multiple people's articles is that it isn't this kind of bug.
>
>Info needed.
>
>Regards,
>str0ke
Here's my understanding of it:

The bug can be exploited whenever an application relies on a
vulnerable version of gdiplus.dll to render JPEG image files onscreen
(or, I suppose, in any other way that gdiplus.dll can be used to process
JPEGs - I'm not familiar with the GDI+ interface).

That includes IE, Office applications, or anything that relies on a 
vulnerable gdiplus.dll file. 

What are the ramifications of this?

I think that the predictions of worms based on this are a bit 
far-fetched.  Would it be possible to create a jpeg that would copy 
itself to other drives on a shared network in an auto-executable 
position?  I suppose so... however, it would be noisy and probably 
wouldn't be amazingly successful.  Having a worm installer within a jpeg
is plausible, though.

I'd consider the following scenarios to be plausible:

       - JPEG in nefarious web page includes malicious code.
       - JPEG in SPAM includes malicious code.
       - JPEG in mass-mailer worm includes malicious code.
       - JPEG in ad pop-up/sidebar includes adware/spyware installer
         (malicious).
       - Mass-mailer worm includes an attachment for a known vulnerable
         third-party program that triggers the GDI+ vuln.  (How successful
         this might be would depend on the application being attacked.)
       - Download.Jecht style mass-compromise of websites to embed
         malicious code inside of JPEGs.

Those are the most plausible scenarios I can think up for this.
Anything else is unlikely in my thoughts.

                   -Barry