A recent bug in Android allows a hacker to execute code that is contained within an image file. Here is the quote from the Android Security Bulletin,

The most severe vulnerability in this section could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process

From a somewhat related question which asks about code within a PDF,

If a file name has the word "exe" somewhere within, that has no bearing on what file type it is, and it does not change how the operating system would handle that file. If file identification tools say this is a pdf, it probably is a pdf.

That said, pdf files can theoretically be crafted to exploit bugs in pdf readers.

What I understand is that an OS will not execute code within a file if it is not an executable type. Any application handling the file may execute the code. In this bug the OS itself executes code from a non-executable file type.

So how is the code in the PNG file getting executed by the OS?

Kolappan N
    It is not the OS (kernel) which is executing this code. But the advisory clearly says that *"... allow a remote attacker using a specially crafted PNG file to execute arbitrary code __within the context of a privileged process__"*. Thus, there needs to be a vulnerable (i.e. croaks on a specific PNG) but privileged process, and the attacker must be able to share the PNG with this process. – Steffen Ullrich Feb 08 '19 at 11:56

2 Answers

2

Looks like the bug is in the application that reads the PNG file. This works in the same way as vulnerabilities in pdf files: the vulnerability is in the application that processes that file, not in the operating system. So if the vulnerable application processes the png file and has an issue with some crazy buffer that allows executing binary code or other types of code, that code will be executed because it is in the same execution environment as the vulnerable application. Hope this clarifies your question.

camp0
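To make the "crazy buffer" point concrete, here is an added example (not code from the answer, from Android, or from any real PNG library): a minimal PNG chunk reader in C whose three length checks are exactly what an unchecked parser omits before copying attacker-controlled data into a fixed buffer. The sample PNG bytes are constructed inline, and CRC verification is left out as a simplification.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the answer's own code. PNG chunk layout:
 * [4-byte big-endian length][4-byte type][data][4-byte CRC].
 * The length field is attacker-controlled. A parser that trusts it and copies
 * that many bytes into a fixed buffer is the defect class discussed above;
 * the reader below checks the length against the spec limit, the bytes
 * actually present, and the destination buffer. CRC checking is omitted. */
#define PNG_SIG_LEN 8
#define DATA_CAP 64                  /* fixed destination buffer for chunk data */
#define PNG_MAX_CHUNK 0x7FFFFFFFu    /* PNG spec: length must not exceed 2^31-1 */

static const uint8_t png_sig[PNG_SIG_LEN] = {0x89,'P','N','G',0x0D,0x0A,0x1A,0x0A};
typedef struct { char type[5]; uint8_t data[DATA_CAP]; size_t len; } png_chunk;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Reads the first chunk after the signature. Returns 0 on success, a negative
 * code for malformed input. An unchecked parser would drop the three length
 * tests and memcpy() `len` bytes straight into out->data. */
int read_first_chunk(const uint8_t *buf, size_t buflen, png_chunk *out) {
    if (buflen < PNG_SIG_LEN + 12 || memcmp(buf, png_sig, PNG_SIG_LEN) != 0)
        return -1;                                   /* not a PNG, or truncated */
    const uint8_t *p = buf + PNG_SIG_LEN;
    uint32_t len = be32(p);
    if (len > PNG_MAX_CHUNK) return -2;              /* violates the spec limit */
    if (len > buflen - PNG_SIG_LEN - 12) return -3;  /* claims more than the file holds */
    if (len > DATA_CAP) return -4;                   /* would overflow out->data */
    memcpy(out->type, p + 4, 4);
    out->type[4] = '\0';
    memcpy(out->data, p + 8, len);
    out->len = len;
    return 0;
}

/* Constructed sample files: a valid 5-byte tEXt chunk, and the same bytes with
 * the length field rewritten to claim 0x10000 bytes of data. */
static const uint8_t good_png[] = {0x89,'P','N','G',0x0D,0x0A,0x1A,0x0A,
    0,0,0,5, 't','E','X','t', 'h','e','l','l','o', 0,0,0,0};
static const uint8_t bad_png[] = {0x89,'P','N','G',0x0D,0x0A,0x1A,0x0A,
    0,1,0,0, 't','E','X','t', 'h','e','l','l','o', 0,0,0,0};

int demo_good(void) { png_chunk c; return read_first_chunk(good_png, sizeof good_png, &c) == 0 && c.len == 5 && strcmp(c.type, "tEXt") == 0; }
int demo_bad(void)  { png_chunk c; return read_first_chunk(bad_png, sizeof bad_png, &c) == -3; }
```

The rejected file is still a structurally valid PNG header followed by a chunk; only the parser's refusal to trust the declared length keeps the copy inside the buffer, which is why the fix for such bugs lands in the image decoder rather than in the kernel.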
1

Such a scenario works like this:

  • in a different type of file there's hidden code (like a .pdf, etc.)

  • that code is actually a function that reads/decrypts the encrypted content added to a .png and acts like a launcher

  • if the initial code does not run, the encrypted content can't be decoded and launched

In the case you mentioned, the attackers found a way to use the operating system's .png read functions to run code hidden in the .png file, so the pre-launch file/code is not needed. The OS's own functions act (are being exploited) as launchers.

Overmind