Finjan Security Advisory: JPEG Exploit Used Remotely (Demonstration)

From: Rafel Ivgi, The-Insider (rivgi_at_FINJAN.COM)
Date: 09/29/04

    Date:         Wed, 29 Sep 2004 02:56:10 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Finjan Software, Inc. Security Advisory
    Exploiting MS04-028 vulnerability
    Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution

    Release Date
    September 29, 2004.

    Severity:
    Critical (Potential image-based worm)

    Introduction
    Since the publication of the MS04-028 security bulletin, no remote code
    execution based on this vulnerability has yet been demonstrated. Finjan
    Software MCRC (Malicious Code Research Center) has identified several
    methods to launch such a remote attack.
    Finjan has published a demonstration film of the infection process that
    appears at:
    http://www.finjan.com/SecurityLab/AttackAndExploitReports/jpeg_vulnerability_demo.htm

    It should be noted that this method is a new, more advanced exploit than
    the “JPEG vulnerability” published by Microsoft. The additional serious risk
    introduced by this exploit is that it allows an attacker to remotely take
    over the victim’s PC simply by having the user browse, with Internet
    Explorer, a web page that contains the malformed image file. In contrast, the
    previously published vulnerability did not expose Internet Explorer to this
    attack: to be infected, the user had to obtain the malformed image file by
    e-mail, or otherwise save it to the local disk, and then open the image in
    one of the software products that are vulnerable to this threat. In other
    words, the previous vulnerability required some degree of “social
    engineering” to make the user perform an operation that triggers the attack.
    Conversely, the new method identified by Finjan affects any user who
    merely browses the malicious page.

    Scope
    This attack is triggered by the following events:
    - Viewing a malicious web page or an infected HTML formatted E-Mail message.
    - Invoking the common Microsoft Windows "File Open" dialog on a directory
    that contains infected JPEG pictures.

    This exploit applies to JPEG-format files regardless of their extension.
    In other words, JPEG files that have been renamed to any of the following
    file extensions are just as dangerous:
    .jpg
    .jpeg
    .jpe
    .jfif
    .bmp
    .dib
    .emf
    .gif
    .ico
    .png
    .rle
    .tif
    .tiff
    .wmf
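    The list above matters because the image is recognised by its content, not by its file name. As an added defender-side example (not part of the advisory and not Finjan's code), the following Python scanner identifies JPEG data by its SOI magic bytes whatever the extension, reports an extension/content mismatch, and flags any marker segment whose length field is below 2; an undersized COM segment length is the publicly documented MS04-028 trigger condition, which the advisory itself does not state. The sample bytes are constructed.

```python
import os
import struct

JPEG_SOI = b"\xff\xd8"                       # Start Of Image; this, not the name, marks a JPEG
JPEG_EXTENSIONS = {".jpg", ".jpeg", ".jpe", ".jfif"}

def is_jpeg(data: bytes) -> bool:
    """Identify JPEG content by its magic bytes, ignoring the file name entirely."""
    return data[:2] == JPEG_SOI

def malformed_segments(data: bytes) -> list:
    """Walk the marker segments and return (offset, marker, length) for every
    segment whose 16-bit length field is below 2. The length includes itself,
    so 0 or 1 is invalid; GDI+ (MS04-028) mishandled exactly this on COM (0xFE)."""
    bad = []
    pos = 2                                   # skip SOI
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI, or SOS: entropy-coded data follows
            break
        if marker == 0xFF:                    # fill byte, no segment
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            break                             # truncated length field
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            bad.append((pos, marker, length))
            break                             # cannot advance past an invalid length
        pos += 2 + length
    return bad

def assess(filename: str, data: bytes) -> dict:
    """Scanner verdict for one file: JPEG content? renamed? structurally malformed?"""
    ext = os.path.splitext(filename)[1].lower()
    jpeg = is_jpeg(data)
    return {
        "jpeg_content": jpeg,
        "extension_mismatch": jpeg and ext not in JPEG_EXTENSIONS,
        "malformed_segments": malformed_segments(data) if jpeg else [],
    }

# Constructed samples: a well-formed JFIF prefix, and a JPEG with a COM length field of 1
GOOD = JPEG_SOI + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9 + b"\xff\xd9"
BAD = JPEG_SOI + b"\xff\xfe" + struct.pack(">H", 1) + b"\xff\xd9"
```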

    Technical details
    Specific technical information will not be released at this stage.

    Demonstration
    A film that demonstrates this attack can be downloaded at:
    http://www.finjan.com/SecurityLab/AttackAndExploitReports/jpeg_vulnerability_demo.htm

    Protection
    Finjan Software Vital Security™ products proactively protect against this
    vulnerability.

    Credit
    Rafel Ivgi, The-Insider
    Malicious Code Research Center (MCRC) department
    Finjan Software Inc.

    http://www.finjan.com/mcrc
    Prevention is the best cure!


