52
  1. I wanted to know if it's generally possible to inject executable code into files like PDFs or JPEGs etc., or must there be some kind of security hole in the application?

  2. And if so, how would one do that?

I often hear that people get infected by opening PDFs that contain malicious code; that's why I ask.

JohnnyFromBF

4 Answers

36

There must be some security hole in the application.

Think of any very simple and common .txt file: if you open it with a hex viewer, or with a well-designed text editor, it should only display the file content, and that's OK.

Then think about processing the file somehow, instead of just showing the contents: for example, reading the file and interpreting its values. If it isn't done correctly, this could lead to execution of the bytes that are inside the file.

For example: you have designed your app to load the whole file and show it, but somehow you have a variable inside your program that only holds 256 bytes. This could make you read (and write to memory) more bytes than your app expected. And imagine that inside your app there is some command to jump to position NNNN in memory and execute what is there; since that memory position was written with data your program didn't expect, you'll execute some code that shouldn't be there and was loaded from your file...

That was a buffer overflow attack.

The same could happen with PDF, JPG, MP3, etc., if the app didn't load the data correctly.

Another possibility: for any other reason, the app (or some DLL it loads to read your data) executes some part of the data, instead of reading it. If you know what would be the command (or the data) that would trigger this behavior, you put those commands inside the data file (like the pdf file) so that the app executes it.

PDF virus: read http://lwn.net/2001/0809/a/adobe-pdf-vul.php3 to learn a bit about one virus that spread using PDF files.

Daniel V
woliveirajr
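The 256-byte variable in the answer above, written out as code. This is an added example, not code from the answer or from any real viewer: it invents a toy record format (2-byte big-endian length, then payload) and shows the vulnerable parser beside the hardened one. The function names, the `VIEW_BUF` size and the sample records are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy record format invented for this example (not any real file format):
 *   bytes 0-1: big-endian payload length
 *   bytes 2..: payload
 * A "viewer" parses one record, copies the payload into a fixed 256-byte
 * buffer and "interprets" it (here: sums the bytes) before showing it.
 */
#define VIEW_BUF 256

/* Scratch space for the constructed sample records used below. */
uint8_t g_scratch[1024];

/* Reads the 2-byte length field; false if the file is shorter than it claims. */
static bool read_header(const uint8_t *file, size_t filesz, size_t *payload_len)
{
    if (filesz < 2) return false;
    *payload_len = ((size_t)file[0] << 8) | file[1];
    return filesz - 2 >= *payload_len;
}

/* Vulnerable viewer: trusts the length field from the file.  A payload
 * longer than VIEW_BUF is copied past the end of `buf`, overwriting
 * whatever the compiler placed after it on the stack (saved registers,
 * the return address): attacker-chosen file bytes become the
 * "position NNNN" the CPU jumps to next.  Returns the byte sum, -1 if
 * the file is truncated. */
long view_record_vulnerable(const uint8_t *file, size_t filesz)
{
    char buf[VIEW_BUF];
    size_t payload_len;
    long sum = 0;

    if (!read_header(file, filesz, &payload_len)) return -1;
    /* BUG: no check that payload_len <= sizeof buf */
    memcpy(buf, file + 2, payload_len);
    for (size_t i = 0; i < payload_len; i++) sum += (unsigned char)buf[i];
    return sum;
}

/* Hardened viewer: identical, except that a payload that cannot fit the
 * buffer is rejected before any copy takes place.  Returns -2 for that. */
long view_record_safe(const uint8_t *file, size_t filesz)
{
    char buf[VIEW_BUF];
    size_t payload_len;
    long sum = 0;

    if (!read_header(file, filesz, &payload_len)) return -1;
    if (payload_len > sizeof buf) return -2;   /* oversized: reject */
    memcpy(buf, file + 2, payload_len);
    for (size_t i = 0; i < payload_len; i++) sum += (unsigned char)buf[i];
    return sum;
}

/* Builds a record holding `payload_len` copies of `fill` in `out`.
 * Returns the total record size, or 0 if it does not fit in `outsz`. */
size_t make_record(uint8_t *out, size_t outsz, size_t payload_len, uint8_t fill)
{
    if (payload_len > 0xFFFF || outsz < 2 + payload_len) return 0;
    out[0] = (uint8_t)(payload_len >> 8);
    out[1] = (uint8_t)(payload_len & 0xFF);
    memset(out + 2, fill, payload_len);
    return 2 + payload_len;
}

int main(void)
{
    size_t n;

    /* Constructed benign record: 16 bytes, fits the buffer. */
    n = make_record(g_scratch, sizeof g_scratch, 16, 'A');
    printf("benign:    vulnerable=%ld safe=%ld\n",
           view_record_vulnerable(g_scratch, n), view_record_safe(g_scratch, n));

    /* Constructed hostile record: 300 bytes, 44 more than the buffer. */
    n = make_record(g_scratch, sizeof g_scratch, 300, 'B');
    printf("oversized: safe=%ld (rejected)\n", view_record_safe(g_scratch, n));
    /* view_record_vulnerable(g_scratch, n) would write 44 bytes past buf
     * here; with a stack protector it aborts, without one it corrupts
     * the frame and whatever follows it. */
    return 0;
}
```

The only difference between the two viewers is the single comparison against `sizeof buf`; every length that arrives from the file has to be checked against the size of the memory it is about to be written into, not against what the file format says it "should" be.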
18

There are two ways for a piece of code to be executed: intentionally and unintentionally.

Intentional execution is when a file is read by an application and the application does something based on whatever the file says. Reading the file is called parsing the file.

Unintentional execution is when the parser reads something it shouldn't, and instead of breaking, it continues executing. This unintentional execution is a vulnerability because if I can get the parser to execute something, I can probably get it to execute something malicious.

To answer your questions:

  1. Is it generally possible? It all depends on the file format and the application that reads it. Some files are designed to allow executable stuff, some aren't. Some applications allow for the code to execute, others don't. If the application doesn't support it, there must be a vulnerability present to execute.

  2. It all depends on the file format, but it's usually by finding a flaw in the file parser logic.

Steve
  • So the hundreds of YouTube tutorials saying you can execute file.exe as file.jpg by doing "copy /b image1.jpg + virus.exe file.jpg" are complete nonsense, right? It seems to be a binary concatenation of the two files, nothing more. Are there other tricks you could use to cloak an .exe as a .jpg? – JohnnyFromBF Oct 13 '11 at 23:45
  • There are two things that make an exe executable: the extension .exe, and the file header. Windows interprets .exe's and loads them into memory based on the file header. Appending blah.jpg won't do anything -- it's still an exe. – Steve Oct 14 '11 at 04:51
  • @SteveS unless you use [U+202E](http://www.fileformat.info/info/unicode/char/202e/index.htm) - e.g. myfile\U202Egpj.exe - even though the file is still a .exe the user will see it as myfileexe.jpg – Jonathan Dickinson Oct 15 '11 at 12:59
  • @lan that vulnerability used to work, but it was patched out of pretty much every jpg library out there. – Jonathan Dickinson Oct 15 '11 at 13:01
  • @SteveS, *"...Windows interprets .exe's and loads it into memory based on the file header"* This statement confuses me. Does it mean that renaming an `exe` to a `jpg` will still cause the file to be interpreted as an `exe` when you double-click it? Does header mean the first bytes of the file? Does it instead mean that some `jpg` readers will load the file, and if it's `exe` content, execute it? – 700 Software Feb 22 '12 at 00:40
  • @GeorgeBailey yes and no. It depends on what is acting on the file. If it's Explorer acting on it through double-clicking the file then it's just going to load the handler associated with .jpg. If you call into the low-level start proc API with a file with a jpg extension it will execute it, because that API opens the exe and looks for the exe header. – Steve Jul 13 '12 at 17:38
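The comment thread above turns on one idea: the name of a file and the bytes of a file are two different things, and Windows trusts whichever one the calling API happens to look at. An added example, not code from the thread: a C routine that inspects the bytes and the name rather than the extension, and flags the three cases discussed (an .exe simply renamed to .jpg, the `copy /b image.jpg + virus.exe` concatenation, and a U+202E right-to-left override hidden in the filename). The magic numbers are real (a JPEG starts with SOI `FF D8` followed by another `FF` marker and ends with EOI `FF D9`; a Windows executable starts with the DOS stub signature `MZ`; U+202E is `E2 80 AE` in UTF-8). The function names, the verdict enum and the sample byte strings are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict {
    JPEG_OK = 0,        /* JPEG magic, nothing suspicious found */
    NOT_JPEG,           /* does not start with a JPEG SOI marker */
    PE_AS_JPEG,         /* starts with "MZ": an .exe renamed to .jpg */
    JPEG_WITH_PE_TAIL,  /* JPEG followed by "MZ": the copy /b trick */
    RTLO_IN_NAME        /* U+202E in the name: the displayed extension lies */
};

/* JPEG files start with SOI (FF D8) followed by another marker (FF xx). */
static bool has_jpeg_magic(const uint8_t *b, size_t n)
{
    return n >= 3 && b[0] == 0xFF && b[1] == 0xD8 && b[2] == 0xFF;
}

/* Windows PE executables begin with the DOS stub signature "MZ". */
static bool has_mz_magic(const uint8_t *b, size_t n)
{
    return n >= 2 && b[0] == 'M' && b[1] == 'Z';
}

/* Offset just past the LAST EOI marker (FF D9), or -1 if there is none.
 * The last one is used because EXIF thumbnails embed a complete JPEG,
 * EOI included, inside the outer image. */
static long jpeg_end(const uint8_t *b, size_t n)
{
    for (size_t i = n; i >= 2; i--)
        if (b[i - 2] == 0xFF && b[i - 1] == 0xD9) return (long)i;
    return -1;
}

/* "copy /b image.jpg + virus.exe out.jpg" leaves the executable's MZ
 * header somewhere after the JPEG's EOI marker. */
static bool mz_after_eoi(const uint8_t *b, size_t n)
{
    long end = jpeg_end(b, n);
    if (end < 0) return false;
    for (size_t i = (size_t)end; i + 1 < n; i++)
        if (b[i] == 'M' && b[i + 1] == 'Z') return true;
    return false;
}

/* U+202E RIGHT-TO-LEFT OVERRIDE is the byte sequence E2 80 AE in UTF-8.
 * "holiday<U+202E>gpj.exe" renders as "holidayexe.jpg" but is an .exe. */
bool filename_has_rtlo(const char *name_utf8)
{
    return strstr(name_utf8, "\xE2\x80\xAE") != NULL;
}

/* Decides what a file claiming to be a JPEG really is, from name and bytes. */
enum verdict classify_jpeg(const char *name_utf8, const uint8_t *data, size_t n)
{
    if (filename_has_rtlo(name_utf8)) return RTLO_IN_NAME;
    if (has_mz_magic(data, n))        return PE_AS_JPEG;
    if (!has_jpeg_magic(data, n))     return NOT_JPEG;
    if (mz_after_eoi(data, n))        return JPEG_WITH_PE_TAIL;
    return JPEG_OK;
}

/* Constructed samples (not real files) so the demo runs offline. */
static const uint8_t SAMPLE_JPEG[] = {
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00,
    0xFF, 0xD9
};
static const uint8_t SAMPLE_JPEG_PLUS_EXE[] = {
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00,
    0xFF, 0xD9,
    'M', 'Z', 0x90, 0x00, 0x03, 0x00   /* DOS stub of an appended .exe */
};
static const uint8_t SAMPLE_EXE[] = { 'M', 'Z', 0x90, 0x00, 0x03, 0x00 };

int main(void)
{
    static const char *names[] = { "JPEG_OK", "NOT_JPEG", "PE_AS_JPEG",
                                   "JPEG_WITH_PE_TAIL", "RTLO_IN_NAME" };
    printf("holiday.jpg (real jpeg):   %s\n",
           names[classify_jpeg("holiday.jpg", SAMPLE_JPEG, sizeof SAMPLE_JPEG)]);
    printf("holiday.jpg (copy /b):     %s\n",
           names[classify_jpeg("holiday.jpg", SAMPLE_JPEG_PLUS_EXE, sizeof SAMPLE_JPEG_PLUS_EXE)]);
    printf("holiday.jpg (renamed exe): %s\n",
           names[classify_jpeg("holiday.jpg", SAMPLE_EXE, sizeof SAMPLE_EXE)]);
    printf("holiday<U+202E>gpj.exe:    %s\n",
           names[classify_jpeg("holiday" "\xE2\x80\xAE" "gpj.exe", SAMPLE_EXE, sizeof SAMPLE_EXE)]);
    return 0;
}
```

The trailing-data check is a heuristic: legitimate JPEGs sometimes carry junk after EOI, and an attacker can obfuscate an appended payload so it no longer starts with `MZ`. What the check does reliably demonstrate is that a concatenated file is still a JPEG to every JPEG parser and still an executable only to whatever reads it as one, which is exactly why `copy /b` on its own executes nothing.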
10

The key problem with PDFs, Word documents, etc. is that the current standards allow macros and executable code. (In my opinion this is a fatal flaw, but then I like emails to be text only...)

It is that macro execution stage that is usually the target for attack, as it provides a way to run code. The attacker just needs to figure out how to get past the controls present, which may be buffer overflow or other attack mechanism.

Rory Alsop
  • It's not only macros (these are usually disabled by default and need user confirmation); sometimes it's just other kinds of active content. A great example is the Excel file with the exploit that was e-mailed to RSA employees - http://www.f-secure.com/weblog/archives/00002226.html - that resulted in the huge RSA SecurID breach and Lockheed Martin break-in. – Krzysztof Kotowicz Oct 13 '11 at 22:50
  • Definitely agree with you @Krzystof – Rory Alsop Oct 14 '11 at 11:33
5

I disagree with the answer "There must be some security hole in the application".

It is generally incorrect. Most breaches arise from accessing files (not just providing/having them) and deluding people into believing that they are accessing something different from what the files really are, for example, a bigger image while it is executable code, or a link with one (known and trusted) site description while it links to another, with malicious intent, etc.

I would recommend reading:

  • Read these two questions on why you should not just answer with a link: http://meta.stackexchange.com/q/8231/154443 and http://meta.stackexchange.com/q/7656/154443 – Rory Alsop Nov 02 '11 at 10:13
  • [Discussion moved to chat](http://chat.stackexchange.com/rooms/1708/discussion-between-rory-alsop-and-webmaohist) – Rory Alsop Nov 02 '11 at 11:06