2

If anyone has any suggestions for tags, feel free to add them, seeing as I'm not yet familiar with the ones used on this site.


I was wondering what the dangers are of appending a file to an image.

If you are using Windows you can type

    copy /b aPicture.jpg + someFile.xy newPicture.jpg

I did this and am sharing these 2 files, one with a simple txt message and one with a WinRAR archive:

image with attached txt file

image with attached winrar archive

The first image has a txt file in it, the second a winrar archive.

When you open the images with notepad++ you can clearly see the attachments.

Now my question: How dangerous is this technique?

Consider you had a graphical process, let's assume it was a GUI program or that old cracked copy of Counter-Strike 1.6 everybody has somewhere around. If I replaced a texture in the game, for example, with a manipulated image, could I then exec code somehow?

It is possible to open the image directly with winrar, so I was wondering if one could exploit this for any purpose.

Does anybody have experience with this?
Since I first heard about it, and after reading "Daemon" by Daniel Suarez, I am very suspicious of videogames, especially when they are shared at LAN parties and the like.

J.A.K.
clockw0rk
  • 2
    Welcome to Security SE. Such exploits are possible, but require you to use a specific version of the image viewing software containing a certain vulnerability, and the attacker to be aware of this information and targeting this exact version. That being said, your question seems very similar to [this one](https://security.stackexchange.com/q/55061/32746), is it a duplicate? – WhiteWinterWolf Mar 23 '17 at 17:53
  • The images in your post are both the same size (51K). They probably got compressed on uploading. I thought it would be a bit intrusive to remove them, so I'll leave it to you to replace or remove them. I think replicating the result locally is safer than downloading a file – J.A.K. Mar 23 '17 at 18:01
  • thanks @WhiteWinterWolf, I was not aware that such question already existed. – clockw0rk Mar 23 '17 at 18:03
  • @J.A.K. I think I will keep them for now uploaded, I was not aware that a compression might have been made to them, but yes, better replicate the result locally – clockw0rk Mar 23 '17 at 18:03

1 Answer

2

What you describe is not "attachments on images"; these are polyglot files, i.e. files which get interpreted differently by different programs. For example, if you combine a JPEG (at the start) with a ZIP file (at the end), the image program will deal with the image while the archive program will deal with the ZIP file, since processing of ZIP archives is done from the end but processing of JPEG is done from the start.

I don't know of any exploits against games, image viewers or similar this way, but this technique can be used to bypass analysis since many antivirus products expect the file to be of exactly one type. Thus the main danger for the end user is that a file containing malware might not be properly handled by the antivirus and the malware does not get detected. But you should not rely fully on antivirus anyway.

Steffen Ullrich
  • Ah. right when I adjusted 'attachment' to 'appended file' – J.A.K. Mar 23 '17 at 17:58
  • 1
    @J.A.K.: Yes, I think *appending* might be the more suitable wording for it. With *attachment* at least I associate that the file is somehow included in a common container, like in a mail. – Steffen Ullrich Mar 23 '17 at 18:01
  • 1
    You mention malware but this can also be used on a broader scope to transfer or exfiltrate any kind of data in a stealthier manner (something like a poor man's steganography). – WhiteWinterWolf Mar 23 '17 at 18:09
  • 1
    @WhiteWinterWolf: yes, it is one of the many many ways to hide data when exfiltrating. But for this case it is probably enough just to add a jpeg header and not a full image to fool the analysis. – Steffen Ullrich Mar 23 '17 at 18:39
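
The polyglot behaviour described in the answer can be checked from the scanning side: the sketch below walks the JPEG marker chain to the end-of-image marker and reports whether a ZIP or RAR structure sits in whatever follows. It is an added example, not code from the answer or its comments; the function names, the sample bytes and `note.txt` are assumptions made for illustration.

```python
import io
import zipfile

ZIP_EOCD = b"PK\x05\x06"     # ZIP end-of-central-directory record signature
RAR_MAGIC = b"Rar!\x1a\x07"  # common prefix of the RAR 4.x and 5.x signatures

def jpeg_end(data: bytes) -> int:
    """Offset just past the JPEG EOI marker, or -1 if the marker chain is broken."""
    if data[:2] != b"\xff\xd8":  # SOI
        return -1
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            return -1
        marker = data[i + 1]
        if marker == 0xD9:  # EOI: an image decoder stops reading here
            return i + 2
        if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            i += 1 if marker == 0xFF else 2  # fill byte, or marker without a length
            continue
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")  # skip marker + segment
        if marker == 0xDA:  # SOS: skip entropy-coded bytes up to the next real marker
            while i + 1 < len(data) and (data[i] != 0xFF or data[i + 1] in (0x00, 0xFF)
                                         or 0xD0 <= data[i + 1] <= 0xD7):
                i += 1
    return -1

def inspect(data: bytes) -> dict:
    """Report archive structures found after the image data of a JPEG-looking file."""
    end = jpeg_end(data)
    tail = data[end:] if end >= 0 else data[2:]  # no EOI found: scan everything
    kinds = []
    eocd = tail.rfind(ZIP_EOCD)  # archive tools locate this record from the end
    if eocd >= 0 and len(tail) - eocd >= 22:  # 22 bytes = minimum EOCD size
        kinds.append("zip")
    if RAR_MAGIC in tail:
        kinds.append("rar")
    return {"jpeg_complete": end >= 0, "scanned_bytes": len(tail), "embedded": kinds}

# Constructed sample: a JPEG marker skeleton (SOI, APP0, SOS, scan, EOI), not a viewable picture.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")

def make_polyglot() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("note.txt", "constructed sample payload")
    return SAMPLE_JPEG + buf.getvalue()  # same byte layout `copy /b` produces
```

When no end-of-image marker is found, as in the header-only case from the last comment, `inspect` scans everything after the first two bytes instead of giving up.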