Re: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1933 - 20 msgs
From: Barry Fitzgerald (bkfsec_at_sdf.lonestar.org)
Date: 09/28/04
- Previous message: fabio: "Re: [Full-Disclosure] How to obtain hostname lists"
- In reply to: milw0rm Inc.: "[Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1933 - 20 msgs"
- Next in thread: Geo.: "RE: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1933 - 20"
- Reply: Geo.: "RE: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1933 - 20"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "milw0rm Inc." <milw0rm@gmail.com>
Date: Tue, 28 Sep 2004 13:05:45 -0400
milw0rm Inc. wrote:
>JPEG GDI problem,
>
>Isn't this problem only capable of running if the jpeg was opened via
>the users actions?
>
>Is it possible that webpages could be affected with jpegs with
>internet explorer viewing them? I wouldn't think so since what I have
>read from multiple peoples articles that it isn't this kind of bug.
>
>Info needed.
>
>Regards,
>str0ke
>
Here's my understanding of it:
The bug can be exploited whenever an application that relies on a
vulnerable version of gdiplus.dll renders jpeg image files onscreen
(or, I suppose, in any other way that gdiplus.dll can be used to process
jpegs - I'm not familiar with the GDI+ interface).
That includes IE, Office applications, or anything that relies on a
vulnerable gdiplus.dll file.
What are the ramifications of this?
I think that the predictions of worms based on this are a bit
far-fetched. Would it be possible to create a jpeg that would copy
itself to other drives on a shared network in an auto-executable
position? I suppose so... however, it would be noisy and probably
wouldn't be amazingly successful. Having a worm installer within a jpeg
is plausible, though.
I'd consider the following scenarios to be plausible:
- JPEG in nefarious web page includes malicious code.
- JPEG in SPAM includes malicious code.
- JPEG in mass-mailer worm includes malicious code.
- JPEG in ad pop-up/sidebar includes adware/spyware installer.
(malicious)
- Mass-mailer worm includes an attachment for a known vulnerable
third-party program that triggers the GDI+ vuln. (how successful this
might be would depend on the application being attacked.)
- Download.Jecht style mass-compromise of websites to embed
malicious code inside of JPEGs.
Those are the most plausible scenarios I can think up for this.
Anything else is unlikely in my thoughts.
-Barry
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
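Added example, not part of the thread above: a small JPEG marker walker that flags the malformed input shape behind the "JPEG GDI problem" being discussed. The thread never names the bulletin; the scanner assumes the publicly documented trigger of MS04-028 (CVE-2004-0200), a COM (0xFFFE) segment whose 16-bit length field is 0 or 1, which the vulnerable gdiplus.dll turned into a huge copy by computing length - 2 without a bounds check. Because a conforming length field always counts its own two bytes, any segment with length < 2 is invalid regardless of the bug, so the scanner reports every such segment. The sample files are constructed inline; `scan_jpeg`, `segment` and the constants are names chosen for this example. This is a triage heuristic for mail gateways, proxies or file shares, not a substitute for patching gdiplus.dll in every application that ships its own copy.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
COM = 0xFE  # JPEG comment marker; the segment type MS04-028 mishandled


def segment(marker, payload):
    """Build one length-prefixed JPEG segment: 0xFF, marker byte, 16-bit
    big-endian length that counts itself, then the payload. A valid file
    therefore never contains a length field below 2."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample inputs (not from the original post): a minimal JFIF
# header with a harmless comment, and the same header with a COM segment
# whose length field is 0, followed by filler where a payload would go.
JFIF_APP0 = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
BENIGN_JPEG = SOI + JFIF_APP0 + segment(COM, b"harmless comment") + EOI
MALFORMED_JPEG = SOI + JFIF_APP0 + b"\xff" + bytes([COM]) + b"\x00\x00" + b"A" * 32 + EOI


def scan_jpeg(data):
    """Walk the header segments of a JPEG and return a list of
    (offset, marker, reason) findings. An empty list means every
    length-prefixed segment up to SOS or EOI was well-formed."""
    findings = []
    if data[:2] != SOI:
        return [(0, None, "missing SOI marker")]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return findings + [(pos, None, "expected 0xFF marker prefix")]
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker, skip it
            pos += 1
            continue
        if marker == 0xD9:  # EOI: headers ended cleanly
            return findings
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return findings + [(pos, marker, "truncated length field")]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            # Trigger shape of MS04-028 / CVE-2004-0200 (assumed from the public
            # advisory, not stated in the thread): gdiplus.dll computed
            # length - 2 on a COM segment with no check that length >= 2, so a
            # field of 0 or 1 underflowed into an enormous copy size.
            findings.append((pos, marker, "segment length field %d < 2" % length))
            return findings  # the rest of the file cannot be parsed reliably
        if marker == 0xDA:  # SOS: entropy-coded image data follows, headers done
            return findings
        pos += 2 + length
    return findings + [(pos, None, "no EOI marker")]


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_JPEG), ("malformed", MALFORMED_JPEG)):
        print(name, scan_jpeg(blob))
```

The scanner stops at the first bad length rather than resynchronising, because an attacker-controlled length is exactly what a naive parser trusts; anything after it is untrustworthy. Note that a file can pass this check and still be hostile in other ways (other decoders, other markers), so the finding is a reason to quarantine, not a clean bill of health.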