What exactly happens when someone injects malicious binary code into an image file (on Windows)? How is that done?
-
1Are you talking about injecting binary code (malware?) or you mean something like HTML code injection attacks (then Windows has no sense)? Also, corrupted image is not the case for successful attack - it can remain still valid. – Nov 21 '10 at 00:50
-
@Ams - I mean binary code. – Moshe Nov 21 '10 at 00:51
4 Answers
Such an attack relies on the image parser containing a bug that allows the execution of what would otherwise be a slightly wacky picture.
For example, instead of "red" being interpreted as a color, the computer may try to interpret it as a shell command.
- 1,131
- 8
- 8
-
-
-
Are you saying a non-buggy image parser would be 100% safe from *chameleon* files? – Pacerier Jul 21 '12 at 04:15
Much more common than a buffer-overflow type bug that @Zian mentions (though I think there was a WMF vuln of this sort in Windows as recently as 4-5 years ago), is something like GIFAR (also search on SO):
a file that is both a valid image file (e.g. GIF), and a valid ZIP file (e.g. JAR (compiled java bytecode)).
This is possible because of the way these formats store their headers: specifically, they are not mutually exclusive.
So you can have a file that passes all validity checks you do, and yet when it is displayed in the browser the java code is executed (because, well, you just downloaded a valid JAR file, dincha?)
To the best of my knowledge, this has been fixed by the major vendors, but I admit I'm not really up to date.
(The original discoverer of GIFAR can be found here.)
-
1I remember GIFAR vulnerability to be snakeoil. The JAR in GIF part is only valuable for an attacker in combination with XSS to load the uploaded JAR/GIF file. I believe the goal here was for the attacker to load a java applet with same-domain policy "bypassed". – Dog eat cat world Nov 03 '11 at 07:52
-
Not snakeoil at all, as you said it allows loading an applet (as an example, mind you) regardless of domain. Moreover, anywhere you can upload a GIF file for others to view, you can upload a GIFAR instead, and thus run an applet on your victims' browsers. You don't even really need XSS, since it's already being loaded. – AviD Nov 03 '11 at 11:44
-
I remember I did some testing when this was new, and the only way I managed to get the gifar to run, was with
html tags. tags never loaded the applet. – Dog eat cat world Nov 03 '11 at 11:50
I assume when you say "image" you mean something like a JPEG or a GIF.
The answer is that older software has bugs such that when they display the image, they can get confused. For example, images have comment fields inside them that are usually not displayed, but can contain things like the GPS coordinates of the iPhone camera that took the picture. Typical software expect that these comments will never exceed 100 characters, but a hacker can do something ridiculous like making a 10,000 character comment. Software should safely reject this, but some don't, they have a bug where these unexpected characters overflow into other areas of memory. If the hacker crafts those 10,000 bytes just right, he can cause the buggy software to run code.
Just because we humans expect those comments to be short, English text, doesn't stop the hacker from putting in long, executable code into those fields.
There are a lot of different pieces of code that might have such bugs, from MSPaint, to Internet Explorer, to Microsoft Word. They all use different code to do the same thing, and they all have different bugs. That's why you should keep your software up-to-date, so that when new bugs are discovered, these corrupted images won't affect you.
- 3,893
- 1
- 15
- 14
From comments to question I understood that one might be interested to get into details of executable images (oops, "image" collides with a copy of a disk, let say, pictures that are excutable/runnable scripts or programs) which look to humans as images (pictures) and to computer as executable scripts (programs):
- Video DefCon 15 - T312 - The Executable Image Exploit
- The text to above video as pdf slides
- PHP script: Check (validate) if the Uploaded File is an Image
Update:
Here is one more reference on how to embed a virus (PHP, JavaScript, ActionScript, etc.) code into an image:
- 920
- 5
- 11
-
"answers that are just links to other sites are not generally acceptable" - this is your own phrase. Besides, your link tells: "links are fantastic". Also, I, for example, generally skip the answers without links. So, it is your personal subjective opinion – Gennady Vanin Геннадий Ванин Nov 02 '11 at 10:50
-
1These are not my opinion, but the opinion of the wider StackExchange community, whose rules we all need to work by if we want to take part. – Rory Alsop Nov 02 '11 at 11:30