24

What exactly happens when someone injects malicious binary code into an image file (on Windows)? How is that done?

AviD
Moshe
  • Are you talking about injecting binary code (malware?), or do you mean something like HTML code injection attacks (in which case Windows is irrelevant)? Also, a corrupted image is not required for a successful attack - it can still remain valid. – Nov 21 '10 at 00:50
  • @Ams - I mean binary code. – Moshe Nov 21 '10 at 00:51

4 Answers

13

Such an attack relies on the image parser containing a bug that allows the execution of what would otherwise be a slightly wacky picture.

For example, instead of "red" being interpreted as a color, the computer may try to interpret it as a shell command.

Zian Choy
8

Much more common than a buffer-overflow-type bug like the one @Zian mentions (though I think there was a WMF vuln of this sort in Windows as recently as 4-5 years ago) is something like GIFAR (also search on SO): a file that is both a valid image file (e.g. GIF) and a valid ZIP file (e.g. JAR, compiled Java bytecode). This is possible because of the way these formats store their headers: specifically, they are not mutually exclusive.

So you can have a file that passes all validity checks you do, and yet when it is displayed in the browser the java code is executed (because, well, you just downloaded a valid JAR file, dincha?)

To the best of my knowledge, this has been fixed by the major vendors, but I admit I'm not really up to date.
(The original discoverer of GIFAR can be found here.)

AviD
  • I remember the GIFAR vulnerability being snake oil. The JAR-in-GIF part is only valuable for an attacker in combination with XSS to load the uploaded JAR/GIF file. I believe the goal here was for the attacker to load a Java applet with the same-domain policy "bypassed". – Dog eat cat world Nov 03 '11 at 07:52
  • Not snakeoil at all, as you said it allows loading an applet (as an example, mind you) regardless of domain. Moreover, anywhere you can upload a GIF file for others to view, you can upload a GIFAR instead, and thus run an applet on your victims' browsers. You don't even really need XSS, since it's already being loaded. – AviD Nov 03 '11 at 11:44
  • I remember I did some testing when this was new, and the only way I managed to get the GIFAR to run was with HTML tags. tags never loaded the applet. – Dog eat cat world Nov 03 '11 at 11:50
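The dual-validity trick AviD describes, as an added example that is not code from the original page or from the GIFAR authors: it writes a minimal GIF (signature, logical screen descriptor and trailer, with no image frame) followed by a one-entry stored ZIP whose central-directory offsets account for the GIF prefix, then checks the result the way each kind of parser would. The entry name payload.class is a placeholder, and the two validators are simplified models of a GIF signature check and of a ZIP reader's end-of-central-directory scan, not full decoders.

```c
/* gifar_demo.c - one file that is both a GIF and a ZIP (the GIFAR shape).
 * Added example, not code from the original page. Build: cc -std=c99 -Wall gifar_demo.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint8_t *put_u16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; return p + 2; }
static uint8_t *put_u32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24; return p + 4;
}
static uint32_t get_u32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Minimal GIF89a: signature, 1x1 logical screen descriptor, trailer. No image frame. */
static size_t write_gif(uint8_t *out) {
    static const uint8_t gif[] = { 'G','I','F','8','9','a', 1,0, 1,0, 0x00, 0x00, 0x00, 0x3B };
    memcpy(out, gif, sizeof gif);
    return sizeof gif;
}

/* Append a stored ZIP with one empty entry. `base` is how many bytes precede the
 * archive; the central-directory offsets include it, so the ZIP stays valid even
 * though it does not start at byte 0. (Stored, zero-length entry: CRC32 is 0.) */
static size_t write_zip(uint8_t *out, size_t base, const char *name) {
    uint16_t nlen = (uint16_t)strlen(name);
    uint8_t *p = out;
    uint32_t lfh_off = (uint32_t)base;
    p = put_u32(p, 0x04034b50);                                 /* local file header */
    p = put_u16(p, 20); p = put_u16(p, 0); p = put_u16(p, 0);   /* version, flags, method=stored */
    p = put_u16(p, 0); p = put_u16(p, 0);                       /* mod time, mod date */
    p = put_u32(p, 0); p = put_u32(p, 0); p = put_u32(p, 0);    /* crc32, csize, usize */
    p = put_u16(p, nlen); p = put_u16(p, 0);                    /* name length, extra length */
    memcpy(p, name, nlen); p += nlen;
    uint32_t cd_off = (uint32_t)(base + (size_t)(p - out));
    uint8_t *cd = p;
    p = put_u32(p, 0x02014b50);                                 /* central directory header */
    p = put_u16(p, 20); p = put_u16(p, 20);                     /* version made by, version needed */
    p = put_u16(p, 0); p = put_u16(p, 0); p = put_u16(p, 0); p = put_u16(p, 0); /* flags, method, time, date */
    p = put_u32(p, 0); p = put_u32(p, 0); p = put_u32(p, 0);    /* crc32, csize, usize */
    p = put_u16(p, nlen); p = put_u16(p, 0); p = put_u16(p, 0); /* name, extra, comment lengths */
    p = put_u16(p, 0); p = put_u16(p, 0); p = put_u32(p, 0);    /* disk, internal attr, external attr */
    p = put_u32(p, lfh_off);                                    /* offset of the local header */
    memcpy(p, name, nlen); p += nlen;
    uint32_t cd_size = (uint32_t)(p - cd);
    p = put_u32(p, 0x06054b50);                                 /* end of central directory */
    p = put_u16(p, 0); p = put_u16(p, 0); p = put_u16(p, 1); p = put_u16(p, 1); /* disks, entry counts */
    p = put_u32(p, cd_size); p = put_u32(p, cd_off); p = put_u16(p, 0);
    return (size_t)(p - out);
}

/* An image loader decides by the signature at the START of the file. */
int looks_like_gif(const uint8_t *buf, size_t len) {
    return len >= 6 && (memcmp(buf, "GIF87a", 6) == 0 || memcmp(buf, "GIF89a", 6) == 0);
}

/* A ZIP/JAR reader decides from the END: find the EOCD record, then follow its
 * offsets to the central directory and the local header. Returns 1 if that chain
 * of signatures is consistent. */
int looks_like_zip(const uint8_t *buf, size_t len) {
    if (len < 22) return 0;
    size_t i = len - 22;
    for (;;) {
        if (get_u32(buf + i) == 0x06054b50) {
            uint32_t cd_off = get_u32(buf + i + 16);
            if ((size_t)cd_off + 46 > len || get_u32(buf + cd_off) != 0x02014b50) return 0;
            uint32_t lfh_off = get_u32(buf + cd_off + 42);
            return (size_t)lfh_off + 30 <= len && get_u32(buf + lfh_off) == 0x04034b50;
        }
        if (i == 0) return 0;
        i--;
    }
}

/* Writes the polyglot into `out` (needs ~160 bytes) and returns its length. */
size_t build_gifar(uint8_t *out) {
    size_t n = write_gif(out);
    n += write_zip(out + n, n, "payload.class");   /* placeholder entry name */
    return n;
}

/* Bit 0: accepted as GIF; bit 1: accepted as ZIP; bit 2: the GIF prefix alone is
 * not a ZIP; bit 3: the ZIP part alone is not a GIF. A GIFAR scores 15. */
int gifar_self_check(void) {
    uint8_t buf[512];
    size_t gif_len = write_gif(buf), n = build_gifar(buf);
    return looks_like_gif(buf, n) | (looks_like_zip(buf, n) << 1)
         | (!looks_like_zip(buf, gif_len) << 2) | (!looks_like_gif(buf + gif_len, n - gif_len) << 3);
}

int main(void) {
    uint8_t buf[512];
    size_t n = build_gifar(buf);
    printf("%zu bytes, gif=%d zip=%d, self-check=%d\n", n,
           looks_like_gif(buf, n), looks_like_zip(buf, n), gifar_self_check());
    FILE *f = fopen("polyglot.gif", "wb");
    if (f) { fwrite(buf, 1, n, f); fclose(f); }   /* try: unzip -l polyglot.gif */
    return 0;
}
```

The point the two validators make is the one AviD's answer relies on: a check that only inspects the head of the upload (as an image filter does) and a check that only inspects the tail (as a ZIP reader does) can both say yes to the same bytes. A server-side filter that wants to reject this shape has to look for a ZIP end-of-central-directory record anywhere in an uploaded image, or re-encode the image so trailing data is dropped.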
5

I assume when you say "image" you mean something like a JPEG or a GIF.

The answer is that older software has bugs such that when it displays the image, it can get confused. For example, images have comment fields inside them that are usually not displayed, but can contain things like the GPS coordinates of the iPhone camera that took the picture. Typical software expects that these comments will never exceed 100 characters, but a hacker can do something ridiculous like making a 10,000-character comment. Software should safely reject this, but some doesn't; it has a bug where these unexpected characters overflow into other areas of memory. If the hacker crafts those 10,000 bytes just right, he can cause the buggy software to run code.

Just because we humans expect those comments to be short, English text, doesn't stop the hacker from putting in long, executable code into those fields.

There are a lot of different pieces of code that might have such bugs, from MSPaint, to Internet Explorer, to Microsoft Word. They all use different code to do the same thing, and they all have different bugs. That's why you should keep your software up-to-date, so that when new bugs are discovered, these corrupted images won't affect you.

Robert David Graham
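The comment-field overflow described in this answer, as an added example in C (not code from the original answer, and not any real image decoder): a 100-byte comment buffer sits next to a code pointer in the decoder's state, the vulnerable parser trusts the chunk's own length field, and the hardened parser checks that length against the buffer before copying. The chunk layout (a 2-byte big-endian length followed by the comment bytes) is an assumption standing in for a JPEG COM segment or a GIF comment extension; the sample chunks are constructed in the code.

```c
/* comment_overflow.c - the bug class from the answer above, in miniature.
 * Added example, not code from the original page. Build: cc -std=c99 -Wall comment_overflow.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COMMENT_MAX 100   /* "comments never exceed 100 characters" */

/* A decoder's per-image state: the comment buffer sits right next to a
 * code pointer the decoder calls once the image is decoded. */
struct image_state {
    char comment[COMMENT_MAX];
    void (*on_decoded)(struct image_state *);
};

static void default_on_decoded(struct image_state *s) { (void)s; }

/* Vulnerable: trusts the attacker-controlled length field. The only bound
 * it checks is the chunk's own size, never the destination buffer's. */
int parse_comment_vulnerable(struct image_state *st, const uint8_t *chunk, size_t chunk_len) {
    if (chunk_len < 2) return -1;
    size_t n = ((size_t)chunk[0] << 8) | chunk[1];
    if (2 + n > chunk_len) return -1;
    memcpy(st->comment, chunk + 2, n);       /* n may be far larger than COMMENT_MAX */
    return 0;
}

/* Hardened: the declared length is checked against the destination, and the
 * comment is always NUL-terminated so later string code cannot overrun it either. */
int parse_comment_hardened(struct image_state *st, const uint8_t *chunk, size_t chunk_len) {
    if (chunk_len < 2) return -1;
    size_t n = ((size_t)chunk[0] << 8) | chunk[1];
    if (2 + n > chunk_len) return -1;
    if (n >= COMMENT_MAX) return -1;         /* reject; do not silently truncate */
    memcpy(st->comment, chunk + 2, n);
    st->comment[n] = '\0';
    return 0;
}

/* Constructed comment chunk of `n` filler bytes (caller frees). */
uint8_t *make_chunk(size_t n, uint8_t fill, size_t *out_len) {
    uint8_t *c = malloc(2 + n);
    c[0] = (uint8_t)(n >> 8); c[1] = (uint8_t)n;
    memset(c + 2, fill, n);
    *out_len = 2 + n;
    return c;
}

/* Returns 1 if a comment of `comment_len` bytes made the vulnerable parser
 * overwrite the code pointer that follows the buffer. */
int pointer_clobbered_by(size_t comment_len) {
    struct image_state st;
    memset(&st, 0, sizeof st);
    st.on_decoded = default_on_decoded;
    size_t len;
    uint8_t *chunk = make_chunk(comment_len, 'A', &len);
    int rc = parse_comment_vulnerable(&st, chunk, len);
    free(chunk);
    return rc == 0 && st.on_decoded != default_on_decoded;
}

/* Returns 1 if the hardened parser accepts a comment of `comment_len` bytes. */
int hardened_accepts(size_t comment_len) {
    struct image_state st;
    size_t len;
    uint8_t *chunk = make_chunk(comment_len, 'A', &len);
    int rc = parse_comment_hardened(&st, chunk, len);
    free(chunk);
    return rc == 0;
}

int main(void) {
    /* Just enough to fill the buffer and spill over the code pointer with 0x41
     * bytes. A real exploit places an address there instead of 'A's. */
    size_t spill = COMMENT_MAX + sizeof(void *);
    printf("vulnerable parser, %zu-byte comment clobbers on_decoded: %d\n", spill, pointer_clobbered_by(spill));
    printf("hardened parser, %zu-byte comment accepted: %d\n", spill, hardened_accepts(spill));
    printf("hardened parser, 42-byte comment accepted: %d\n", hardened_accepts(42));
    return 0;
}
```

Here the overflow is kept inside the struct so the program can report it rather than crash; in a real decoder the bytes past the buffer land on whatever the allocator or the compiler put next (a saved return address, a heap chunk header, a vtable pointer), which is what makes a 10,000-byte comment a code-execution primitive rather than just a bad image.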
3

From the comments to the question I understood that one might be interested in the details of executable images (oops, "image" collides with a copy of a disk; let's say pictures that are executable/runnable scripts or programs), which look to humans like images (pictures) and to a computer like executable scripts (programs):

Update:
Here is one more reference on how to embed a virus (PHP, JavaScript, ActionScript, etc.) code into an image:

  • "answers that are just links to other sites are not generally acceptable" - this is your own phrase. Besides, your link says: "links are fantastic". Also, I, for example, generally skip answers without links. So it is your personal, subjective opinion. – Gennady Vanin Геннадий Ванин Nov 02 '11 at 10:50
  • These are not my opinion, but the opinion of the wider StackExchange community, whose rules we all need to work by if we want to take part. – Rory Alsop Nov 02 '11 at 11:30