Vulnerability Development mailing list archives

Re: Infected jpeg files?


From: HackHawk <hugh () hackhawk net>
Date: Fri, 09 Nov 2001 21:40:16 -0800

This (finding an algorithm flaw) is the most interesting post I've seen about infecting JPEG images.

However, I've seen no mention of files on the Macintosh. Isn't it true that on a Macintosh, you can give an executable file ANY extension you want? And isn't it also true that you can associate ANY image you want with your executable file?

A MAC friend of mine once showed me how he got somebody to open a Mac Script file because the target thought it was a zipped archive of some sort. The script set up a special access password on the target's system, then downloaded and opened the actual archive from somewhere else.

I spent a few hours attempting to create such a file using Code Warrior on the MAC a few months back, but due to lack of time gave up the effort. I was able to name an executable with any extension I wanted (.JPG to be precise), but I was never able to associate the image I wanted with the executable file.

Any MAC people want to correct my belief if it is incorrect?

- hh

At 09:13 AM 11/9/01 -0800, J Edgar Hoover wrote:

On Tue, 6 Nov 2001 jove () gaza halo nu wrote:

>       If there was some sort of buffer overflow/other way of causing the
> code to function in a manner inconsistent with its design due to the
> content/formatting of the .jpg image then yes, there could be a payload
> designed to be set off upon viewing of the .jpg image.  Otherwise, the
> .jpg image specifies (simplified) values of pixels in a compressed format
> and thus the .jpg specification does not include the ability to run code
> by default.

The most likely route to an overflow is probably through one of the
compression algorithms. Something similar to the massively compressed huge
file that DoS'es antivirus scanners.

Find a bug in any one of the "family of compression algorithms" supported
by the standard that allows you to write 'image data' past the end of the
allocated buffer.

Cross-platform shellcode written to the most likely offsets for common
architectures could affect a lot of boxes.

I'll bet the specs aren't available online for a reason. ;]

If anybody can fork me a copy, I'll work on a proof of concept.


z
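As an added example, not code from anyone in this thread, here is the check a JPEG decoder needs at the exact point the post above describes: a walker over the marker segments that validates every declared segment length against the real buffer before a single byte is read, and sizes the pixel buffer with overflow-safe arithmetic. The two byte strings are constructed for this example, not taken from any real file.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct {
    int ok;             /* 1 only if every segment fits inside the buffer */
    uint16_t width, height;
    uint8_t components;
    size_t pixel_bytes; /* width*height*components, 0 if unknown or not representable */
} jpeg_info;

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Walk marker segments from SOI to SOS/EOI; each segment's declared length (which
 * counts its own two length bytes) is checked against len before any byte is read. */
jpeg_info jpeg_scan(const uint8_t *buf, size_t len) {
    jpeg_info info = {0};
    size_t pos = 2;
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return info;     /* no SOI */
    while (pos + 2 <= len) {
        if (buf[pos] != 0xFF) return info;                              /* not a marker */
        uint8_t marker = buf[pos + 1];
        if (marker == 0xD9 || marker == 0xDA) { info.ok = 1; return info; } /* EOI / SOS */
        if (pos + 4 > len) return info;                                 /* length bytes missing */
        uint16_t seglen = be16(buf + pos + 2);
        /* The length field is attacker-controlled data: a decoder that copies seglen
         * bytes without this check reads or writes past the end of its buffer. */
        if (seglen < 2 || (size_t)seglen > len - pos - 2) return info;
        if (marker == 0xC0 && seglen >= 8) {                            /* SOF0 frame header */
            const uint8_t *p = buf + pos + 4;  /* precision, height, width, components */
            info.height = be16(p + 1);
            info.width = be16(p + 3);
            info.components = p[5];
            /* Size the pixel buffer with overflow-safe arithmetic, never w*h*c blindly. */
            if (info.components && info.height &&
                info.width <= SIZE_MAX / info.components / info.height)
                info.pixel_bytes = (size_t)info.width * info.height * info.components;
        }
        pos += 2 + (size_t)seglen;
    }
    return info;                                                        /* ended without EOI */
}

/* Constructed sample (not a real file): SOI, JFIF APP0, SOF0 for a 2x2 3-component image, EOI. */
const uint8_t good_jpeg[] = {
    0xFF,0xD8, 0xFF,0xE0,0x00,0x10,'J','F','I','F',0,0x01,0x01,0,0,0x01,0,0x01,0,0,
    0xFF,0xC0,0x00,0x11,0x08,0x00,0x02,0x00,0x02,0x03,0x01,0x22,0x00,0x02,0x11,0x01,0x03,0x11,0x01,
    0xFF,0xD9 };
/* Same layout, but APP0 declares a 65535-byte segment that does not exist. */
const uint8_t lying_jpeg[] = {
    0xFF,0xD8, 0xFF,0xE0,0xFF,0xFF,'J','F','I','F',0,0x01,0x01,0,0,0x01,0,0x01,0,0, 0xFF,0xD9 };
```

A truncated copy of the well-formed sample is rejected the same way as the lying one, since both fail the same length-versus-buffer check.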

