[Full-Disclosure] JPEG GDI
str0ke_at_milw0rm.com
Date: 09/28/04
- Previous message: str0ke_at_milw0rm.com: "[Full-Disclosure] How to obtain hostname lists"
- Next in thread: Barry Fitzgerald: "Re: [Full-Disclosure] JPEG GDI"
- Reply: Barry Fitzgerald: "Re: [Full-Disclosure] JPEG GDI"
- Maybe reply: Todd Towles: "RE: [Full-Disclosure] JPEG GDI"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: full-disclosure@lists.netsys.com Date: Tue, 28 Sep 2004 12:51:56 -0500 (CDT)
Berry,
I appreciate the information. I would think newgroup postings would be a
little evil aswell.
str0ke
////////////////
Here's my understanding of it:
The bug can be exploited whenever an application that relies on a
vulnerable version of gdiplus.dll to render jpeg image files onscreen
(Or, I suppose, in any other way that gdiplus.dll can be used to process
jpegs - I'm not familiar with the GDI+ interface).
That includes IE, Office applications, or anything that relies on a
vulnerable gdiplus.dll file.
What are the ramifications of this?
I think that the predictions of worms based on this are a bit
far-fetched. Would it be possible to create a jpeg that would copy
itself to other drives on a shared network in an auto-executable
position? I suppose so... however, it would be noisy and probably
wouldn't be amazingly successful. Having a worm installer within a jpeg
is plausable, though.
I'd consider the following scenarios to be plausable:
- JPEG in nefarious web page includes malicious code.
- JPEG in SPAM includes malicious code.
- JPEG in mass-mailer worm includes malicious code.
- JPEG in ad pop-up/sidebar includes adware/spyware installer.
(malicious)
- Mass-mailer worm includes an attachment for a known vulnerable
third-party program that trigger the GDI+ vuln. (how sucessful this
might be would depend on the application being attacked.)
- Download.Jecht style mass-compromise of websites to embed
malicious code inside of JPEGs.
Those are the most plausable scenarios I can think up for this.
Anything else is unlikely in my thoughts.
-Barry
///////// [EOF] ////////
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: str0ke_at_milw0rm.com: "[Full-Disclosure] How to obtain hostname lists"
- Next in thread: Barry Fitzgerald: "Re: [Full-Disclosure] JPEG GDI"
- Reply: Barry Fitzgerald: "Re: [Full-Disclosure] JPEG GDI"
- Maybe reply: Todd Towles: "RE: [Full-Disclosure] JPEG GDI"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
