2

I'm a software engineer and I still don't understand how malware works or what an exploit actually is in software engineering terms. How do the contents of a website, say, or a file attachment to an email, become executable code on a PC?

File formats like HTML, JPEG, MP3, PNG, BMP, etc, are all read by another piece of software and so should only be able to do what that reader allows it to do. Something that reads a JPEG file can basically light up pixels using certain RGB values in a display window; there's nothing in the JPEG spec that says "create a .exe file and put it here in the file system and then execute it". So how do they corrupt a JPEG file to achieve that? Why would a legitimate JPEG reader have the capacity to execute arbitrary code on a PC, and how would those bits get written to the PC?

Even javascript, which is a scripting-language, is still read by an interpreter and doesn't have direct access to the host's file system - it's sandboxed and can't directly write to the host's file system.

Modern programming languages don't even do direct memory access with pointers like we used to with C in the 80's and I assume that the "buffer-overrun" vulnerabilities that existed in the old days are a thing of the past with modern OSes and hardware memory management. So even if I wanted to, I don't know how I would write bits into a block of memory I didn't have legal access to, and even if I managed to do that, how would I trick the OS into treating those bits as executable code and execute them?

So how, exactly, does a nefarious website create executable code on a modern PC with a modern OS?

user316117
  • 159
  • 3
  • 3
    You're assuming all of the things that read/parse/interpret everything from strings to image files to Flash to javascript behave correctly and do not have bugs. Go read the Windows Defender bug for an egregious example: https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5 You are also discounting the human factor ("click on this spreadsheet/screensaver that I sent you!") which is usually enough. – Joe May 15 '17 at 21:25
  • 2
    Possible duplicate of [How to inject executable, malicious code into PDF, JPEG, MP3, etc.?](https://security.stackexchange.com/questions/8113/how-to-inject-executable-malicious-code-into-pdf-jpeg-mp3-etc) – Anders May 17 '17 at 21:24

2 Answers2

2

Many of the questions in the original post have already been asked and answered elsewhere on this site. Entire books have been written on some of these topics.

I'm a software engineer and I still don't understand how malware works or what an exploit actually is in software engineering terms.

If the definition of what an exploit is in the context of computer security is not clear enough, it may be helpful to look at examples of exploit code. exploit-db is a good resource for this.

File formats like HTML, JPEG, MP3, PNG, BMP, etc, are all read by another piece of software and so should only be able to do what that reader allows it to do. Something that reads a JPEG file can basically light up pixels using certain RGB values in a display window; there's nothing in the JPEG spec that says "create a .exe file and put it here in the file system and then execute it". So how do they corrupt a JPEG file to achieve that? Why would a legitimate JPEG reader have the capacity to execute arbitrary code on a PC, and how would those bits get written to the PC?

How to inject executable, malicious code into PDF, JPEG, MP3, etc.?

How can normal files hide a virus?

Is it possible for a file that is non-executable and read-only to run malicious code?

How can a virus exist in an image?

Modern programming languages don't even do direct memory access with pointers like we used to with C in the 80's and I assume that the "buffer-overrun" vulnerabilities that existed in the old days are a thing of the past with modern OSes and hardware memory management. So even if I wanted to, I don't know how I would write bits into a block of memory I didn't have legal access to, and even if I managed to do that, how would I trick the OS into treating those bits as executable code and execute them?

Stack Overflows - Defeating Canaries, ASLR, DEP, NX

So how, exactly, does a nefarious website create executable code on a modern PC with a modern OS?

How can a modern Windows/Linux system be compromised by a heap overflow in Chrome?

Browser Exploits: Attacks and Defense

The AnC attack

CWE-94: Improper Control of Generation of Code ('Code Injection')

julian
  • 1,279
  • 1
  • 9
  • 15
  • 2
    this is just a long list of links .... – schroeder May 16 '17 at 06:27
  • 1
    @schroeder I can delete it if you wish. It is intended as an extended comment illustrating the fact that the original post consists of duplicate questions and too-broad questions. There are at least 5 questions in the original post. Even the very last question asked is too broad, since browser, operating system, vulnerability and exploit are not specified. This is why I flagged the post as too broad. – julian May 16 '17 at 14:15
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/low-quality-posts/100561) – Steve May 16 '17 at 15:33
  • @Steve Understood. It should be noted that most links here are to other questions on security.SE (this site) – julian May 16 '17 at 15:42
  • @SYS_V In situations like this - when you think the question is to broad and and there are lots of partial answers around - I think it is better to post the links in comments, and then flagging the question as to broad. – Anders May 17 '17 at 21:19
  • @Anders I thought about doing that, but there were quite a few links to related Q&A and was not sure if they would all fit in a single comment due to the character limit. Since my post here is not actually an answer, should I delete it? I flagged the question as too broad a few days ago. I would rather delete this post than have the more experienced users of the site and the moderators downvote it. I understand why it is being downvoted, and I don't mind deleting it. – julian May 17 '17 at 22:01
  • @SYS_V You can post multiple comments! :-) Not sure if it warrants being deleted, question will be closed soon anyway and you are still on a positive score... So do what you feel like there. Anyway, I appreciate your attitude! – Anders May 17 '17 at 22:23
  • @Anders Understood. Im just a student and you guys are pros, so it does not make sense for me to go against your judgement – julian May 17 '17 at 22:29
0

A very common way to exploit for instance jpeg-viewers and other harmless software tools is to trigger a buffer overflow. And then you could do exerything...

user689443
  • 88
  • 4
  • **As I said in my original question**, I know buffer overflows USED to be common in the old days when people wrote code in C and allocated big blocks of memory and only used parts of it, But modern hardware and runtime environments will trigger a fault if you access memory outside your object so how is a buffer overflow still possible in 2017? – user316117 May 22 '17 at 18:55