Full Disclosure mailing list archives

Re: [Full-Disclosure] Re: Full-disclosure digest, Vol 1 #1933 - 20 msgs

From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Tue, 28 Sep 2004 13:05:45 -0400

milw0rm Inc. wrote:

JPEG GDI problem,

Isn't this problem only capable of running if the jpeg was opened via
the users actions?

Is it possible that webpages could be effected with jpegs with
internet explorer viewing them?  I wouldn't think so since what I have
read from multiple peoples articles that it isn't this kind of bug.

Info needed.

Regards,
str0ke

Here's my understanding of it:

The bug can be exploited whenever an application that relies on avulnerable version of gdiplus.dll to render jpeg image files onscreen(Or, I suppose, in any other way that gdiplus.dll can be used to processjpegs - I'm not familiar with the GDI+ interface).That includes IE, Office applications, or anything that relies on avulnerable gdiplus.dll file.

What are the ramifications of this?

I think that the predictions of worms based on this are a bitfar-fetched. Would it be possible to create a jpeg that would copyitself to other drives on a shared network in an auto-executableposition? I suppose so... however, it would be noisy and probablywouldn't be amazingly successful. Having a worm installer within a jpegis plausable, though.


I'd consider the following scenarios to be plausable:

      - JPEG in nefarious web page includes malicious code.
      - JPEG in SPAM includes malicious code.
      - JPEG in mass-mailer worm includes malicious code.

- JPEG in ad pop-up/sidebar includes adware/spyware installer.(malicious)- Mass-mailer worm includes an attachment for a known vulnerablethird-party program that trigger the GDI+ vuln. (how sucessful thismight be would depend on the application being attacked.)- Download.Jecht style mass-compromise of websites to embedmalicious code inside of JPEGs.

Those are the most plausable scenarios I can think up for this.Anything else is unlikely in my thoughts.


                  -Barry




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

[Full-Disclosure] Re: Full-disclosure digest, Vol 1 #1933 - 20 msgs milw0rm Inc. (Sep 28)
- Re: [Full-Disclosure] Re: Full-disclosure digest, Vol 1 #1933 - 20 msgs DanB UK (Sep 28)
- Re: [Full-Disclosure] Re: Full-disclosure digest, Vol 1 #1933 - 20 msgs Barry Fitzgerald (Sep 28)
  - RE: [Full-Disclosure] Re: Full-disclosure digest, Vol 1 #1933 - 20 Geo. (Sep 28)
    - Re: [Full-Disclosure] Re: Full-disclosure digest, Vol 1 #1933 - 20 Barry Fitzgerald (Sep 28)
- <Possible follow-ups>
- RE: [Full-Disclosure] Re: Full-disclosure digest, Vol 1 #1933 - 20 msgs Todd Towles (Sep 29)
  - Re: [Full-Disclosure] Re: Full-disclosure digest, Vol 1 #1933 - 20 msgs DanB UK (Sep 29)
  - Message not available
    - Re: [Full-Disclosure] Re: Full-disclosure digest, Vol 1 #1933 - 20 msgs GuidoZ (Sep 29)