Slashdot Log In
Public Exploit For Windows JPEG Bug
Posted by
michael
on Thu Sep 23, 2004 07:07 AM
from the here-comes-the-worm dept.
from the here-comes-the-worm dept.
Khoo writes "A sample program hit the Internet on Wednesday, showing by example how malicious coders could compromise Windows computers by using a flaw in the handling of a widespread graphics format by Microsoft's software. Security professionals expect the release of the program to herald a new round of attacks by viruses and Trojan horses incorporating the code to circumvent security on Windows computers that have not been updated. The flaw, in the way Microsoft's software processes JPEG graphics, could allow a program to take control of a victim's computer when the user opens a JPEG file." We mentioned this earlier.
This discussion has been archived.
No new comments can be posted.
Public Exploit For Windows JPEG Bug
|
Log In/Create an Account
| Top
| 509 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Knew it (Score:3, Funny)
Re:Knew it (Score:4, Funny)
(http://joe-baldwin.net/ | Last Journal: Saturday September 02 2006, @11:58AM)
Everyone knew it (Score:5, Funny)
(http://plato.stanford.edu/ | Last Journal: Tuesday March 15 2005, @10:46AM)
Everyone knew it was a backdoor.
Almost... (Score:3, Interesting)
(http://linuxette.com/ | Last Journal: Tuesday April 26 2005, @07:00AM)
Re:Almost... (Score:5, Informative)
Tell your management to turn off the Netegrity/windows authentication and use Netegrity form authentiation over SSL. Also, there is no reason why your users cannot user Firefox/Mozilla since it has had cross-platform support for Windows authentication for a few versions now.
Re:Almost... (Score:5, Insightful)
(http://www.drone-alliance.org/)
Microsoft patches (Score:4, Funny)
Re:Almost... (Score:5, Interesting)
Also those who use Firefox may not be 100% protected, because consider this scenario.
1. Install Firefox
2. Set Firefox as default browser
3. Use MSN Messenger.
4. MSN messenger pops up "you have new hotmail"
5. Click link to see new mail, MSN Messenger opens up in INTERNET EXPLORER despite setting firefox as the default browser.
6. You are owned.
I am more concerned that after this, people may even mistakenly critisize Firefox, thinking that Firefox was there default browser, and that they got infected via firefox, instead of IE.
"I set up this firefox thingie, and set it as a default browser, yet I still have a virus, by just reading my email. Firefox is just as bad as IE"
A second attack vector could be to change the mimetype of the JPEG, causing Firefox to download, then open it in the system handler for JPEGS.. and a possibility of being owned that way.
Still this may also be very good grounds for a class action against MS, as they are not honouring a users request NOT to use IE.
This all goes to prove, MS is a security hole, that can even make secure applications appear insecure
Ow, my head hurts from thinking of this.. let me get some Paracetamol.
Re:Almost... (Score:5, Informative)
(http://sitetheory.com/ | Last Journal: Friday October 24 2003, @10:59AM)
1) go close msn messenge
2) go to c:\program_files\messenger
3) rename that directory to something else.
4) Msn won't start up again. yay!
Why anyone would use msn messenger is beyond me, I hate that thing. It's more annoying than clippy. They just need a soundbyte with it that yells "you've got spam!" and it'll be complete.
Re:Almost... (Score:5, Informative)
(Last Journal: Monday September 25 2006, @01:19PM)
rundll32 advpack.dll,LaunchINFSection %systemRoot%\INF\msmsgs.inf,BLC.Remove
Re:Almost... (Score:4, Interesting)
(http://www.getfirefox.com/ | Last Journal: Wednesday October 05 2005, @08:47PM)
I suggest you check out a pair of wonderful little tools called StartupMonitor [mlin.net] and Startup Control Panel [mlin.net]. The former will alert you when things try to register themselves as 'auto-startup' items in the registry and give you the option to shoot them down, and the latter will allow you to unregister already existing auto-startup items in the approximately seven different places they can lurk. It is very useful for eliminating and avoiding problems like this.
Re:Almost... (Score:4, Insightful)
(http://www.tape.ca/)
Re:Almost... (Score:5, Informative)
OL2003 has image loading off by default. "RightClick to display this image."
Of course, most people are on earlier versions, but at least MS is putting in an effort to stem the tide.
Re:Almost... (Score:5, Insightful)
Switch to Firefox?! Why, what's that gonna do for you? The exploit is in almost every major app Microsoft makes that handles any graphics, including Windows itself, .Net Framework, all Office products, etc.
People are so quick to blame IE when there's so many other products they can go after. ;)
Re:Almost... (Score:5, Informative)
Before we get too smug, the article (anyone read those?) did mention an (albeit unrelated) vulnerability in Moz amongst others (PNG support) from August. Reproduced below.
To avoid getting the flameproofs on, I should point out that Firefox is my browser of choice. But let's avoid the whole stones and greenhouses scenario, yeh?
update Six vulnerabilities in an open-source image format could allow intruders to compromise computers running Linux and may allow attacks against Windows PCs as well as Macs running OS X.
The security issues appear in a library supporting the portable network graphics (PNG) format, used widely by programs such as the Mozilla and Opera browsers and various e-mail clients. The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute a malicious program when the application loads the image.
Among the programs that use libPNG and are likely to be affected by the flaws are the Mail application on Apple Computer's Mac OS X, the Opera and Internet Explorer browsers on Windows, and the Mozilla and Netscape browsers on Solaris, according to independent security researcher Chris Evans, who discovered the issues.
Re:Single sign-on for a browser? (Score:4, Informative)
(http://www.myspace.com/paulcardno)
An example being that I log into my laptop on the corporate network in the morning, but then never need to log into our Intranet. It uses my Active Directory credentials to figure out who I am, so displays my own customised and personalised Intranet settings.
I'm not too sure how it works but it's very handy!
Patch is Already Out (Score:5, Informative)
(http://willdotcom.bl.../just_a_coincidence/ | Last Journal: Sunday September 05 2004, @07:19PM)
Code is always buggy. Even Firefox had a JPEG vulnerability of its own. This is dumb ownership, if this bug becomes prevalent.
Re:Patch is Already Out (Score:5, Funny)
(http://www.caldera.com/?sco=litigious+bastards)
Re:Patch is Already Out (Score:5, Insightful)
(http://willdotcom.bl.../just_a_coincidence/ | Last Journal: Sunday September 05 2004, @07:19PM)
This is dumb ownership, if this bug becomes prevalent.
Phew... I was worried there for a second. It's a good thing we can rely on Windows users to not be dumb, otherwise the Internet would be bogged down in viruses, spyware, and spam.
Well, most users are, uh, stupid. Even if we used Linux, in order to make it simple enough to use, there will be vulnerabilities. For example, getting people to use "sudo" with a limited account makes sense to you and me, but might confuse the heck out of some newbie in Tennessee.
So it is not a Windows-specific problem. If Linux ever becomes popular as a desktop platform, we will then have dumb Linux users.
Re:Patch is Already Out (Score:5, Informative)
(Last Journal: Wednesday August 14 2002, @12:33PM)
Actually, it's a buffer overflow. A buffer overflow means that there is some area of memory reserved for some data, and then there's more data written to it than fits in. This causes some other data to be overwritten; if that other data happens to be a return address (basically a number which tells the computer where to continue after finishing the current task), then you can get the computer to execute arbitrary code which is in memory - including the code you just conveniently placed into the memory as "image data".
I don't know details of the JPEG image format, but with a simple bitmap format, a buffer overflow might happen as follows:
The image contains the number of pixels, and the bytes per pixel. The program takes those numbers, multiplies them, and reserves that much memory to take the pixel values. Then it reads the rest of the file as image data into that memory.
Now, this simple program for this simple image format may be easily exploited: Just put more data into the image than the product of number of pixels and bytes per pixel. Then the program as written will not reserve enough memory for that data (because the values at the beginning don't tell the truth), and therefore the data will overwrite anything following the data.
Ok, the fix is easy: Don't read more data than you allocated memory for. The problem is that on one hand, there are C standard functions which make it easy to get that wrong, and second, there can be more subtle ways to produce the same result. For example, the multiplication could overflow, resulting in too little memory being allocated, while the given number of pixels is read in (under the believe that you have reserved enough memory for that).
And yes, buffer overflows happen in open source software as well as in Microsoft software.
Re:Patch is Already Out (Score:5, Informative)
It isn't sloppy programming as much as the rules having changed. It used to be that you'd write an image decoder (or *any* program that reads an external file format), and you'd either (a) assume that the file structure is correct (because if it isn't, then it had to be created by a bad encodder), or (b) do some rudimentary checking to catch basic problems (such as a missing file id tag in the first bytes). And the worst that could usually happen was that your decoder would crash or become unstable. Really, this is how things have been, how coders have worked. Remember, it applies to every single type of external data read into a program: serialized data saved by library classes in C++, Python, etc., bytecode files read by a virtual machine or other interpreter, help file indices, intermediate object files...everything.
Moreso, just because you don't have buffer overruns doesn't mean you're in the clear. You have to check for tremendous files, too. What if someone passes you an image file that's correct and compressed, but decompresses into a 100,000 by 100,000 32-bit image? Even if you had the memory to decode a large file, the resources it takes up makes it essentiallly a denial of service attack.
These are tough issues.
PNG too? (Score:4, Interesting)
(http://www.cordula.ws/)
What about the vuln. in the PNG libs? Any exploit in the wild?
Re:PNG too? (Score:5, Informative)
Windows JPEG: Windows JPEG Processing Buffer Overrun PoC Exploit (MS04-028) [k-otik.com]
Qt BMP: Qt 3.x bmp image parsing local buffer overflow Exploit [k-otik.com]
XV BMP XV v3.x bmp parsing local buffer overflow Exploit [k-otik.com]
GV Postscript: GV PostScript Viewer Remote Buffer overflow Exploit [k-otik.com]
LibPNG: LibPNG Graphics Library Remote Buffer Overflow Exploit [k-otik.com]
Spammers (Score:5, Interesting)
Re:Spammers (Score:5, Informative)
(http://spookyworld.dnsalias.com/)
HTML-formatted email + Outlook = Bad day for Grandma.
Re:I cannot help but grin ... (Score:5, Insightful)
(http://nerds.palmdrive.net/)
Everyone is entitled to its own suspicion.
The level of polish and craftsmanship of open source software
As opposed to the level of polish and craftmanship of Microsoft's products, of which you know nothing. So you are comparing apples to
Re:I cannot help but grin ... (Score:5, Interesting)
(http://seankelly.biz/)
As a user of Microsoft products, I witness their lack of stability, their tendency to crash or exhibit bugs, and their uncanny ability of corrupting user data, and so forth. After putting up with them for so long, I know quite a bit about them.
Moreover, I used to be an employee. I worked at the Redmond campus. I know both the quality exhibited on the outside, and the quality that goes into the products on the inside.
I do indeed know something.
Can someone confirm... (Score:3, Interesting)
Is the JPEG rendering in Firefox running on Windows independent of any underlying MS library and is therefore not affected?
Re:Can someone confirm... (Score:4, Informative)
(http://willdotcom.bl.../just_a_coincidence/ | Last Journal: Sunday September 05 2004, @07:19PM)
It is independent of all MS libraries. The recent JPEG vulnerability in Firefox is a separate issue. Firefox is OSS, and thus cannot use closed-source libraries such as the MS one in trouble.
Re:Can someone confirm... (Score:5, Informative)
(http://locut.us/~ian/blog/ | Last Journal: Wednesday April 20 2005, @02:26PM)
Re:So what? Burn all JPEGs day? (Score:5, Informative)
(http://www.hylobatidae.org/minerva/)
Well, you could, but don't forget the recent bugs in libpng [slashdot.org]...
Related links? (Score:5, Interesting)
(http://calum.org/)
. Bug whitepapers
. Best deals: Bug
. More Bug stories
. Security whitepapers
. Best deals: Security
. More Security stories
. Windows whitepapers
. Best deals: Windows
. More Windows stories
. Microsoft whitepapers
. Best deals: Microsoft
When did that start happening?
Re:Related links? (Score:4, Funny)
Wow, those are some pretty nice jpegs! I expecially like the ~~~.&!# No carrier
Are you patched? (Score:5, Interesting)
(http://www.dshield.org/)
ISC Diary [sans.org]. Note that now there is a script to generate images to add an Admin level user (username "X").
Not too long until we see a remote shell.
Some people are tlaking about seeing it used in an MSN Messenger worm.
The hard part about patching this one is that a lot of third party software may overwrite the Windows JPEG GDI library with its own older version
Re:Are you patched? (Score:5, Funny)
(http://www.ajs.com/~ajs/)
And therein lies the rub. For the people that write these things, it's reaching the point of diminishing returns in terms of getting the tools installed that they need in order to efficiently, remotely manage these boxes. It was all fun and games when you just wanted 10,000 boxes to send out ping-of-deaths or SYN floods, but now you have to manage a farm of zombies and get real work out of them. The competition is fierce and the other guy is trying just as hard as you are to get large-scale admin working, and of course, like all large-scale Windows installations, they're finding that this sucks.
Several things would help:
* A virtual OS layer is needed so that the user can have Windows for their games, but the crackers can do their admin from a maintainable OS. Heck, even DOS would be more managable.
* Users should make themselves available to the crackers for physical admin needs like reboots.
* Microsoft needs to stop pushing these auto-updates. It's not as if the crackers can't find new holes faster than MS can push the updates, but the rapid change to an installed base is just too difficult to remotely manage. Bill: you're killing profits here!
Overall, we just need to start making doing business on the Internet more friendly. I don't understand why people can't understand this!
PS:
safe sex (Score:5, Funny)
patch has been available for a while now (Score:5, Informative)
(Last Journal: Monday August 23 2004, @03:25PM)
And it actually works fairly well. It scans for any program that reads these files and makes sure they don't have the bug in them. If it can't patch them, it bugs you about it so you can find a fix for the app. Only Microsoft apps of course, I don't think Adobe wants Microsoft pushing out software updates for them.
Most of the users I have to support aren't savvy enough to add a printer (omg, with active directory it's like 3 mouse clicks) or install software or apply updates (we use some banking software and it notifies you with a text box to click "OK" and then "File, Update" but I still get called on it every time). That's why at our offices we use Microsoft System Update Server (SUS). It lets us approve patches and then roll them out to all the clients in the domain automagically.
I shudder to think what would happen if I tried to roll out firefox or mozilla to everyone. I'd probably get calls that their "e" was missing and they couldn't connect to the internet. I swear, some people just shouldn't be on computers.
hmm someone predicted this (Score:5, Insightful)
(Last Journal: Wednesday May 16 2007, @12:43PM)
Re:hmm someone predicted this (Score:5, Informative)
Hard to patch (Score:5, Interesting)
So don't sit there on an SP2 system and consider yourself safe. There is more than likely a whole host of ActiveX controls just waiting to be called and exploited by this bug.
Also note that some applications written in Visual Basic can also be exploited.
Let me get this right... (Score:3, Interesting)
(http://www.londonscalextricclub.co.uk/)
THIS HAS NOT BEEN FIXED, url inside (Score:5, Interesting)
will crash IE on an updated xp sp2 system.
Re:THIS HAS NOT BEEN FIXED, url inside (Score:5, Insightful)
(http://www.vanbest.org/janpascal/)
Re:THIS HAS NOT BEEN FIXED, url inside (Score:4, Interesting)
will crash IE on an updated xp sp2 system.
It also crashes a Win2K system, which is NOT AFFECTED according to the original MS announcement.
Use safe languages for libraries? (Score:3, Interesting)
(Last Journal: Sunday October 03 2004, @04:03AM)
Ocaml is pretty fast, but I realize that not everyone wants the runtime. How about cyclone [harvard.edu]? It's an extended version of C that's backwards compatible with C, but can pick up unsafe errors at compile time -- sounds pretty much like what folks might want.
AutoUpdate not good enuff (Score:5, Informative)
WindowsUpdate does install a "GDI+ Detection Tool", but I have run this tool on systems with unpatched Visual Studio, Outlook, and Office and it does not detect that the patches are missing. I looked at the strings in this tool, and it basically looks like it checks for MS Photo software.
Manually visiting "officeupdate.microsoft.com" and running those updates will probably cover the most common attack vectors (Outlook, Word), but how many people do this on a regular basis? My users are not admin-level (yet) so they can't use this update site.
Incidentally, every default configuration of IE/Word I have seen allows DOC files with jpegs to be opened in the browser window with no prompting. It will not be hard to get people to run the exploits, and there's plenty of ways for worms to automate themselves without users opening things.
I'm working on a script to detect and run the patches (there's about 17 of them for this bug) but it's going to be a while because of the pre-reqs for many of the patches, and the very specific revisions that must match the patch. "If Visio 2002 is installed, detect which Visio SP level is running. If it's SP0 or SP1, run Visio SP2, then reboot, and run GDI patch"...
Sorry if I'm spreading panic, but this bug sucks.
"Don't look, Ethel!" (Score:4, Funny)
Better make sure... (Score:3, Funny)
I better make sure to convert all of my porn to
OSS browsers have similar probs (Score:4, Informative)
(Last Journal: Saturday January 06 2007, @01:13AM)
Meanwhile what you can do is to run each program as a different more restricted user.
On windows XP, run IE with using a shortcut with a runas with savecred (you should modify those in the start menu and quick launch too), and set it so it runs using a very restricted account. The restricted account should either have access to your bookmarks, history and temporary files, or you should run it so it changes to the restricted user's home directory and you allow your main account access to the restricted user's home directory.
Look up the runas command for the options. It'll be more convenient on WinXP since there's the savecred feature.
On UNIX, I think you can use sudo or something similar. Sudo to a restricted account and then run the browser.
This way, if your program gets exploited it can only ruin what the restricted user has access to, it can't easily touch the rest of the system.
Exploits can still theoretically touch the rest of the system since there's stuff like shatter attacks (for windows, not sure about KDE/GNOME), and I'm sure display drivers have bugs of their own and they run in ring 0 (on windows).
But if you do this it raises the bar significantly.
There are other options if you're really paranoid and don't mind the extra effort.
He knew it... (Score:5, Interesting)
When we were leaving his room he gave us this advice: "Beware the JPEG virus". It was 9 years ago and he was quite old and sometimes he acted/talked nonsense so we made fun of his advice (we thought: since it was not an executable file, how could it bring a virus): but he was right and we were wrong..
pr0n (Score:5, Funny)
(http://www.western-alliance.net/lordprox/)
Patch is already out (Score:5, Informative)
Also, if you have SP2 or uh, don't use MS software, you're fine
Re:Patch is already out (Score:5, Informative)
Where is the downloadable link to the second proof of concept code?
Here's the link to the first POC:
http://www.gulftech.org/?node=downloads [gulftech.org]
The first POC just generates the buffer overflow crash. Interesting enough, on an unpatched system, just having the jpg on your desktop caused by explorer to crash - repeatedly. I am assuming as XP tried to generate the thumbnail. However, if viewed through a web page, I could view it fine.
I've been looking for the second POC code since yesterday. It supposedly opens a cmd prompt when the crafted jpg is viewed.
AC
Re:Patch is already out (Score:5, Informative)
(http://evilempire.ath.cx/)
You can find it all there, including a C program that fires off a local cmd shell.
Only for use as a security lesson and ethical hacking.
Re:Patch is already out (Score:4, Informative)
(http://www.normanonline.co.uk/)
Re:Patch already out (Score:3, Informative)
Of course here, is this place --> here [microsoft.com]
I knew that preview button was good for something