New JPG exploit?

Discussion in 'other security issues & news' started by MrBrian, Sep 1, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From 4 Image Viewers for Better Photo Viewing and Protection Against JPG Exploit:
     
  2. MrBrian

    MrBrian Registered Member

    From same author in comments:
     
  3. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Hrm. I find this a tad bit peculiar, but without knowing more details there's really no way to judge what's going on here as anything but hearsay.

    My gut instinct is to say that what the author in question observed was an iteration of the "DLL planting" issue we've seen surface recently. But, again, without more information, it's hard to say anything.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Without more information, it's speculation as to how it is done.


    The fact that this exploit is an update of MS04-028 and that it is triggered only by the MS viewers suggests that the malformed jpeg file triggers a vulnerability in a GDI DLL (buffer overflow) or something similar that only the MS viewers use.

    At that time (2004) hackers were selling a tool to create the malformed jpeg files:

    HTool/Exp-MS04-028
    http://vil.nai.com/vil/content/v_128578.htm

    A search didn't reveal any other analysis of the current exploit. However, I did find this video, but wasn't able to watch it. Someone else can watch it and see if it's related to this one under discussion.

    hxxp://il.youtube.com/watch?v=Id-UYyqGxJY

    ----
    rich
     
  5. Carbonyl

    Carbonyl Registered Member

    Very interesting, Rmus! I was able to view the video with the same YouTube ID tag at hxxp://www.youtube.com/watch?v=Id-UYyqGxJY . The video shows the supposed exploit in operation, though I think it's different than the one linked in the Opening Post. The one in the YouTube video explicitly shows exploits of Firefox, Google Chrome, and IE8. The video author then claims the exploit will work in "Operah" [sic], and asks for $500. Validity of the exploit is unknown, as not much was shown beyond opening an image in the browser and then seeing a connection pop up in another window. Because the video seems to leverage more than just the Windows Image viewer, I'd say it's probably a different beast.

    I'm not an expert, though, so I'm not sure how valid the "exploit" in the video was. There was a link shown to the (then live) JPG used to leverage the attack, so examining that file might be possible... but I know better than to post it here, even if it's fake!
     
  6. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Do you mean Windows Photo Gallery to view pictures? Thanks for posting. I d/l XnView.
     