Full Disclosure mailing list archives
Re: [Full-Disclosure] Re: Full-disclosure digest, Vol 1 #1933 - 20 msgs
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Tue, 28 Sep 2004 13:05:45 -0400
milw0rm Inc. wrote:
JPEG GDI problem. Isn't this problem only capable of running if the jpeg was opened via the user's actions? Is it possible that webpages could be affected with jpegs with Internet Explorer viewing them? I wouldn't think so, since from what I have read in multiple people's articles it isn't this kind of bug. Info needed. Regards, str0ke
Here's my understanding of it: The bug can be exploited whenever an application that relies on a vulnerable version of gdiplus.dll renders jpeg image files onscreen (or, I suppose, in any other way that gdiplus.dll can be used to process jpegs - I'm not familiar with the GDI+ interface). That includes IE, Office applications, or anything that relies on a vulnerable gdiplus.dll file.
What are the ramifications of this? I think that the predictions of worms based on this are a bit far-fetched. Would it be possible to create a jpeg that would copy itself to other drives on a shared network in an auto-executable position? I suppose so... however, it would be noisy and probably wouldn't be amazingly successful. Having a worm installer within a jpeg is plausible, though.
I'd consider the following scenarios to be plausible:
- JPEG in nefarious web page includes malicious code.
- JPEG in SPAM includes malicious code.
- JPEG in mass-mailer worm includes malicious code.
- JPEG in ad pop-up/sidebar includes adware/spyware installer. (malicious)
- Mass-mailer worm includes an attachment for a known vulnerable third-party program that triggers the GDI+ vuln. (How successful this might be would depend on the application being attacked.)
- Download.Jecht style mass-compromise of websites to embed malicious code inside of JPEGs.
Those are the most plausible scenarios I can think up for this. Anything else is unlikely in my thoughts.
-Barry
_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
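An added example, not part of this thread, of the kind of structural check a mail gateway or web proxy could apply to the JPEG attachments and images in the scenarios above: it walks the JPEG marker segments and flags any segment whose declared length is below the 2-byte minimum (the undersized-comment-segment condition behind the 2004 GDI+ bug, a detail the thread itself does not state) or that runs past the end of the file. The sample byte strings are constructed for the example.

```python
import struct

# Markers with no length field: SOI, EOI, TEM and the RST0-RST7 restart markers.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def check_jpeg_segments(data: bytes) -> list:
    """Return a list of structural problems found in the JPEG header segments.

    A well-formed file yields an empty list. Every length-bearing segment must
    declare at least 2 bytes, because the length field counts itself; a length
    of 0 or 1 is the malformed-comment condition that broke GDI+ in 2004.
    Checking stops at Start Of Scan (0xFFDA), since the header segments before
    it (APPn, COM, DQT, SOF, ...) are where that condition can occur.
    """
    problems = []
    if len(data) < 2 or data[:2] != b"\xff\xd8":
        return ["missing SOI marker: not a JPEG"]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            problems.append(f"expected marker at offset {pos}, found 0x{data[pos]:02x}")
            break
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            problems.append("file ends inside a marker")
            break
        marker = data[pos]
        pos += 1
        if marker == 0xD9 or marker == 0xDA:  # EOI or SOS: header fully checked
            return problems
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            problems.append(f"marker 0xff{marker:02x} truncated before its length field")
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            problems.append(f"marker 0xff{marker:02x} at offset {pos - 2} declares length {length} (< 2)")
            break
        if pos + length > len(data):
            problems.append(f"marker 0xff{marker:02x} length {length} runs past end of file")
            break
        pos += length
    return problems


# Constructed samples: a minimal clean header, one with a zero-length COM segment,
# and one whose APP0 segment claims more bytes than the file holds.
GOOD = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9")
BAD_COM = b"\xff\xd8\xff\xfe\x00\x00" + b"A" * 8
TRUNCATED = b"\xff\xd8\xff\xe0\x00\x10JFIF"
```

Run `check_jpeg_segments` over each sample: the clean header returns no findings, while the zero-length comment and the truncated header each return one.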