Finjan Security Advisory: JPEG Exploit Used Remotely (Demonstration)
From: Rafel Ivgi, The-Insider (rivgi_at_FINJAN.COM)
Date: 09/29/04
Date: Wed, 29 Sep 2004 02:56:10 +0200
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Finjan Software, Inc. Security Advisory
Exploiting MS04-028 vulnerability
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution
Release Date:
September 29, 2004
Severity:
Critical (potential image-based worm)
Introduction
Since the publication of the MS04-028 security bulletin, no remote code
execution based on this vulnerability has yet been demonstrated. Finjan
Software MCRC (Malicious Code Research Center) has identified several
methods to launch such a remote attack.
Finjan has published a demonstration film of the infection process that
appears at:
http://www.finjan.com/SecurityLab/AttackAndExploitReports/jpeg_vulnerability_demo.htm
It should be noted that this method is a new, more advanced exploit than
the "JPEG vulnerability" described in Microsoft's bulletin. The additional
serious risk introduced by this exploit is that it allows an attacker to
remotely take over the victim's PC when the user simply browses, with
Internet Explorer, a web page that contains the malformed image file. In
contrast, the previously published attack did not expose Internet Explorer:
to be infected, the user had to obtain the malformed image file by e-mail,
or otherwise save it to the local disk, and then open the image with one of
the software products that are vulnerable to this threat. In other words,
the previously published attack required some degree of "social
engineering" to make the user perform an operation that triggers the
exploit. Conversely, the new method identified by Finjan affects any user
who merely browses the malicious page.
Scope
This attack is triggered by any of the following events:
- Viewing a malicious web page or an infected HTML-formatted e-mail message.
- Invoking the common Microsoft Windows "File Open" dialog on a directory
that contains infected JPEG pictures.
This exploit applies to JPEG-format files regardless of which of the
following extensions they carry. In other words, the image parser identifies
the file by its content, so JPEG files that have been renamed to any of the
following extensions are just as dangerous:
.jpg
.jpeg
.jpe
.jfif
.bmp
.dib
.emf
.gif
.ico
.png
.rle
.tif
.tiff
.wmf
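Because the parser goes by content rather than file name, a defender cannot rely on extensions to find affected files. The following scanner, an added example that is not part of Finjan's advisory or tooling, walks a directory, picks out every file carrying one of the extensions listed above, and reports (a) JPEG content hiding under a non-JPEG extension and (b) any JPEG header segment whose declared length is below 2. The second check is plain JPEG-spec validation (the length field counts its own two bytes, so a smaller value is invalid and the segment cannot be skipped); it is not taken from this advisory, which withholds technical details, and it is only a heuristic, not a full signature. The sample byte strings at the bottom are constructed for illustration and are not real image files.

```python
"""Content-based scan of image files, independent of extension (added example)."""
import os
import struct

# Extensions named in the advisory; GDI+ identifies the format from the bytes,
# so a JPEG renamed to any of these is still parsed as a JPEG.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".jpe", ".jfif", ".bmp", ".dib", ".emf",
                    ".gif", ".ico", ".png", ".rle", ".tif", ".tiff", ".wmf"}
JPEG_EXTENSIONS = {".jpg", ".jpeg", ".jpe", ".jfif"}
SOI = b"\xff\xd8"                                   # Start Of Image marker
MARKERS_WITHOUT_LENGTH = {0x01, *range(0xD0, 0xD8)}  # TEM, RST0..RST7


def is_jpeg(data: bytes) -> bool:
    """Identify a JPEG by its leading SOI marker rather than by file name."""
    return data[:2] == SOI


def jpeg_segments(data: bytes):
    """Yield (offset, marker, declared_length) for each header segment.

    Stops at SOS (entropy-coded data follows) or EOI, or at the first segment
    whose declared length is below 2, which the JPEG spec forbids.
    """
    pos = len(SOI)
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return                      # lost sync; do not guess
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):      # EOI or SOS
            return
        if marker in MARKERS_WITHOUT_LENGTH:
            pos += 2
            continue
        if pos + 4 > len(data):
            return                      # truncated length field
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield pos, marker, length
        if length < 2:
            return
        pos += 2 + length


def analyse(name: str, data: bytes) -> list:
    """Return the findings for one file (empty list when nothing is suspicious)."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if not is_jpeg(data):
        return findings                 # only JPEG content is in scope here
    if ext in IMAGE_EXTENSIONS - JPEG_EXTENSIONS:
        findings.append(f"{name}: JPEG content carried under {ext} extension")
    for offset, marker, length in jpeg_segments(data):
        if length < 2:
            findings.append(f"{name}: marker 0x{marker:02X} at offset {offset} "
                            f"declares invalid segment length {length}")
    return findings


def scan_directory(root: str) -> list:
    """Apply analyse() to every file under root that carries a listed extension."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if os.path.splitext(filename)[1].lower() not in IMAGE_EXTENSIONS:
                continue
            with open(os.path.join(dirpath, filename), "rb") as fh:
                findings.extend(analyse(filename, fh.read(64 * 1024)))
    return findings


# Constructed samples (not real image files): a minimal JFIF header followed by
# a comment (COM, 0xFFFE) segment, once with a valid length and once with length 0.
APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GOOD_JPEG = SOI + APP0 + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xda"
BAD_JPEG = SOI + APP0 + b"\xff\xfe" + struct.pack(">H", 0) + b"hello" + b"\xff\xda"

if __name__ == "__main__":
    for name, data in (("photo.jpg", GOOD_JPEG), ("photo.gif", GOOD_JPEG),
                       ("photo.bmp", BAD_JPEG), ("real.png", b"\x89PNG\r\n\x1a\n")):
        print(name, analyse(name, data) or "clean")
```

Run it against a share or download folder with `scan_directory(path)`; only the first 64 KiB of each file is read, which covers the header segments the checks look at. A hit on the extension check is not proof of malice (some sites serve JPEGs under wrong names), but it is exactly the class of file the advisory says the "File Open" dialog and the browser will hand to the vulnerable parser.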
Technical details
Specific technical information will not be released at this stage.
Demonstration
A film that demonstrates this attack can be downloaded at:
http://www.finjan.com/SecurityLab/AttackAndExploitReports/jpeg_vulnerability_demo.htm
Protection
Finjan Software Vital Security(TM) products proactively protect against this
vulnerability.
Credit
Rafel Ivgi, The-Insider
Malicious Code Research Center (MCRC) department
Finjan Software Inc.
http://www.finjan.com/mcrc
Prevention is the best cure!