Can I send instructions embedded in an image to a target, if I know his CPU architecture?
-
19Possible duplicate of [Can malware be attached to an image?](https://security.stackexchange.com/questions/55061/can-malware-be-attached-to-an-image) – Anders Oct 29 '18 at 08:40
-
46Sure you can. But it's not going to execute them. Actually most bytes are valid CPU instructions. – user253751 Oct 29 '18 at 23:36
-
21sure, just write then on a piece of paper and take a photo... :) – Jasen Oct 30 '18 at 11:19
-
Note that there are image formats that explicitly rely on "arbitrary code execution" (mostly from the old era when compatibility and saving memory and CPU was more important than securing images). The most notable is probably WMF, where the feature was very reasonable and safe in the original implementation, but the safety was lost when porting the code from Windows 3.0 (16-bit) to Windows NT (32-bit, and only on x86). So this was one of the rare cases where e.g. Windows 98 (desktop) was safer than Windows NT (server/professional) :) – Luaan Oct 31 '18 at 09:54
-
Did [vulnerabilities](https://docs.microsoft.com/en-us/security-updates/vulnerabilityresearchadvisories/2012/msvr12-004) lead to asking this question? – jpmc26 Oct 31 '18 at 22:55
-
Of course you can, and for any other form of media too. So you better trust your media viewer to not have bugs or unexpected "features". – mathreadler Nov 04 '18 at 11:00
7 Answers
Other answers give a good technical explanation but let me try with an analogy:
Please send your credit card number to scam@example.com
Did you read it?
Did you do it?
It's more or less the same for your CPU. Reading something is not the same as executing it.
-
19It's not the best analogy though because as humans we can stop and decide if something is a good idea, but a computer cannot. The computer has to "decide" before starting. – Captain Man Oct 29 '18 at 13:47
-
27+1 for trying to explain by analogy. Just because I *read* a set of instructions, doesn't mean I actually *do* them. – A C Oct 29 '18 at 14:44
-
7@CaptainMan it is a very good analogy. It would not surprise me that much if after a number of years "scam@scammer.org" does not receive credit card numbers b/c of this posting. – emory Oct 29 '18 at 16:45
-
64What's the next step? It's been nearly 8 hours since I mailed and I still haven't heard back. – Bilkokuya Oct 29 '18 at 17:20
-
5@emory Do you really think someone who can read english well enough to find this page and read that sentence will not understand the context that it's posted in, to the point where they mistake it as instructions that they must perform? – Monica Apologists Get Out Oct 29 '18 at 17:28
-
5@Adonalsium Yes, I think given enough readers it is inevitable. In fact, we are led to believe it has already happened. – emory Oct 29 '18 at 18:15
-
2@CaptainMan And that's where input validation, bounds checking, separation of data and instruction memory, memory protection strategies, and so on all come into play. You looked at the message and decided it wasn't safe to carry out the instructions. All the above provide the CPU or OS with the ability to make that decision. – Graham Oct 29 '18 at 22:02
-
5You're told to copy the writing from the piece of paper onto another piece of paper. The paper says "Please send your credit card number ...". You are perfectly capable of processing these instructions (specifically, copying them), without executing them. It's no different than if the paper said "erwcwmexrnwem,cwtuvklewer". – user253751 Oct 29 '18 at 23:39
-
5To complete the analogy, suppose the scammer manages to embed the instruction in a letter that appears to be sent from the bank. Now the message is inside an area marked as "instructions", and will be executed. – kevin Oct 30 '18 at 16:18
-
@emory - apparently "scammer.org" is for sale, so you could buy the domain and wait to see what happens if you want. :) – Jules Oct 31 '18 at 09:54
-
1
-
2@Adonalsium For perspective, it is common for those running a Nigerian scam to *continue* to refer to themselves as being a prince from Nigeria, even though the name is synonymous with the scam. It is believed this operates as a filter of sorts: only the most gullible will still reply to a prince of Nigeria. Bulk emails are cheap, but the rest of the process is done by a human being. The fact that they continue to use this moniker rather than evolving *strongly* hints that enough people fall for this scam to be worth their while. – Cort Ammon Oct 31 '18 at 19:18
-
2@CaptainMan We don't avoid sending an email because we stopped and decided whether or not it was a good idea. Just like a computer can choose to make data readable or executable based on the context, we can do the same. We are reading this scam in an informational context, not in the context of an order that we must follow. – forest Nov 01 '18 at 09:57
-
@CortAmmon IIRC it's mostly seniors falling into dementia who trust emails like that... which makes it extra scummy. Regardless, that is a trust issue, not a reading comprehension issue. – Monica Apologists Get Out Nov 01 '18 at 12:51
-
2@forest yep. Not falling for it because we understand the instructions would be your antivirus job. – Antzi Nov 01 '18 at 15:36
-
2"Everybody stand down! I have the picture of a gun and I'm not afraid to use it!" :-P – ChatterOne Nov 01 '18 at 15:42
-
A better analogy would be `Do you want to date me?%§~ÍŠ [pickpocket credit card]`. – Damon Nov 02 '18 at 12:32
-
The analogy is inaccurate because emails are commonly used to send instructions. An image with opcodes isn't viewed by the CPU as a set of instructions at all. – ZOMVID-21 Nov 02 '18 at 14:57
CPU instructions are given in what are called opcodes, and you're right that those live in memory just like your image. They live in conceptually different "areas" of memory, though.
For instance, you could imagine an opcode "read" (0x01) that reads a byte of input from stdin and puts it somewhere, and another operand "add" (0x02) that adds two bytes. Some opcodes can take arguments, so we'll give our example opcodes some: the "read" opcode takes an operand for where to store the byte it reads, and the "add" one takes three operands: two for where to read its inputs, and one for where to write the result to.
0x01 a1 // read a byte to memory location 0xa1
0x01 a2 // read a byte to memory location 0xa2
0x02 a1 a2 a3 // read the bytes at locations 0xa1 and 0xa2, add them,
// and write the result to location 0xa3
This is typical of how a lot of instructions work: most of them just operate on data that's in memory, and some of them put new data into memory from the outside world (from reading stdin, in this example, or from reading a file or network interface).
While it's true that the the instructions and the data they operate on are both in memory, the program will only run the instructions. It's the job of the CPU, the OS, and the program to all make sure that happens. When they fail, you can in fact load data into the execution space, and it's a serious security bug. Buffer overflows are probably the most famous example of such a bug. But other than those kinds of bugs, you can essentially think of the data space and the execution space as being separate chunks of CPU.
In a toy computer, using the example above, the memory might look something like:
(loc) | Initial | After op 1 | After op 2 | After op 3 |
0x00 | *01 a1 | 01 a1 | 01 a1 | 01 a1 |
0x02 | 01 a2 | *01 a2 | 01 a2 | 01 a2 |
0x04 | 02 a1 a2 a3 | 02 a1 a2 a3 | *02 a1 a2 a3 | 02 a1 a2 a3 |
0x08 | 99 | 99 | 99 | *99 |
...
0xa1 | 00 | 03 | 03 | 03 |
0xa2 | 00 | 00 | 04 | 04 |
0xa3 | 00 | 00 | 00 | 07 |
In that example, the asterisk (*
) points to the next opcode that will be executed. The leftmost column specifies the starting memory location for that line. So for instance, the second line shows us two bytes of memory (with values 01
and a2
) at locations 0x02 (explicitly in the left-hand column) and 0x03.
(Please understand that this is all a big simplification. For instance, in a real computer the memory can be interleaved -- you won't just have one chunk of instructions and one chunk of everything else. The above should be good enough for this answer, though. )
Note that as we run the program, the memory in areas 0xa1 - 0xa3 changes, but the memory in 0x00 - 0x08 does not. The data in 0x00 - 0x08 is our program's executable, while the memory in areas 0xa1 - 0xa3 is memory the program uses to do the number crunching.
So to get back to your example: the data in your jpeg will get loaded into the memory by opcodes, and will be manipulated by opcodes, but will not be loaded into their same area in memory. In the example above, the two values 0x03 and 0x04 were never in opcode area, which is what the CPU executes; they were only in the area that the opcodes read and write from. Unless you found a bug (like a buffer overflow) which let you write data into that opcode space, your instructions won't be executed; they'll just be the data that gets manipulated by the program's execution.
- 646
- 5
- 6
-
5Your answer is at best partially correct. Apart from the simplification that all data must reside on the "stack", it is a wrong assumption that manipulating data on the stack cannot be used for arbitrary code execution. – JimmyB Oct 30 '18 at 14:10
-
16@JimmyB He literally says it's a big simplification, and the question isn't talking about exploits, rather just inserting code into an image. The answer does a good job of explaining in simple terms why code inserted into an image won't just execute. – Clonkex Oct 30 '18 at 22:58
-
1@Blackhawk: Almost everything about the stack is wrong. It's sort of vaguely similar to how [stack machine](https://en.wikipedia.org/wiki/Stack_machine) architectures operate, but most modern computers don't use a stack machine architecture, and even stack machines use the stack as a temporary holding ground for instruction inputs and outputs, not as where all data is kept. (The call stack used in modern computer architectures is a different thing, and that stack doesn't work like this answer describes either.) – user2357112 Oct 30 '18 at 23:03
-
1Also, buffer overflows generally overwrite things like return addresses, not executable memory. – user2357112 Oct 30 '18 at 23:05
-
10While the "not unless you exploit a bug" part is correct, this answer goes into lots and lots of unnecessary and *wrong* detail that makes it seem more informative to an inexperienced reader, but actually makes the answer worse than the short but correct answers that didn't get accepted. – user2357112 Oct 30 '18 at 23:06
-
1@user2357112 I was striving to come up with a little "toy VM," but I think you're right that it sacrificed too much, and didn't simplify enough. I got rid of mentions of the stack. Let me know what you think. – yshavit Oct 31 '18 at 05:06
-
(I did omit discussions of registers and such, though -- I don't think they'd add much to what the OP is asking about.) – yshavit Oct 31 '18 at 05:16
-
-
It would probably be much simpler to say "Data is only executed if the IP register is changed to the address of the data in memory" than to go through all of this. – forest Nov 01 '18 at 10:00
-
1@forest I think that would mainly work if someone already had a lot of this knowledge. I was trying to target someone who does understand that the program lives in memory, and that so does the image data, but doesn't understand how they're kept distinct. I personally find it helpful to give a concrete if simplified example, though I definitely understand that other people think it doesn't work. :) – yshavit Nov 01 '18 at 17:36
-
1@Blackhawk That is "proof from authority", the above is "lies told to children". Lies told to children have value. – Yakk Nov 01 '18 at 17:52
-
-
3@yshavit I think you should remove the statement "While it's true that the the instructions and the data they operate on are both in memory, they're in different parts of memory." because it is at best misleading and at worst just plain wrong. – JimmyJames Nov 01 '18 at 20:48
-
@JimmyJames They're in different conceptual places. It's true that the two spaces are interspersed physically, but the point I was trying to get across is that they're treated as different, and in fact when they're accidentally not treated as different, that's a bug. What do you think about tweaking it to "they're in conceptually separate parts of memory"? – yshavit Nov 01 '18 at 20:53
-
1@yshavit Better? It's a hard concept to explain without understanding the way machine code executes. The succinct way I would put it is something like: "data executes as instructions only when a running process interprets them that way." – JimmyJames Nov 01 '18 at 20:57
-
1But modern systems are Von Neumann architecture, not Harvard architecture, so it's nothing but an execute bit that determines if a page is executable, not where it lives in memory (ignoring the fact that x86 CPUs are Harvard internally, what with separate L1d and L1i caches). – forest Nov 02 '18 at 01:09
-
@forest: x86 has coherent i-cache (unlike many other architectures which require explicit flush/sync insns before you can reliably execute newly-stored machine-code bytes), so from a software PoV modern x86 is pure von Neumann. [Observing stale instruction fetching on x86 with self-modifying code](https://stackoverflow.com/q/17395557). And BTW, split L1 caches for a unified address-space is usually described as a Modified Harvard architecture, of the almost-von-Neumann variety. https://en.wikipedia.org/wiki/Modified_Harvard_architecture#Split-cache_(or_almost-von-Neumann)_architecture – Peter Cordes Nov 02 '18 at 02:38
-
@PeterCordes Yep, I know that it's a Modified Harvard Architecture, but that's invisible to the ISA. – forest Nov 02 '18 at 02:40
-
1@forest: yup, invisible in the ISA is exactly what I was saying, too. :) (Well technically, on paper x86 is allowed to run stale instructions until a jmp/branch, but actual hardware implementations choose to be stronger than the paper ISA because that's actually easier than being *exactly* as strong as the spec but never weaker. That's what Andy Glew's answer on the linked Q&A is about. (Andy was one of the architects of Intel's P6 uarch). Also in your earlier comment you left out the "Modified", and I was feeling pedantic. :P Non-modified Harvard implies separate address-spaces. – Peter Cordes Nov 02 '18 at 02:44
Can you send them? Yes, of course. Just assemble them and stick them somewhere in the image file.
Will the target execute them? No, not unless you already have control over the target (and can thus put a program there to read and execute them), or you find some exploit in an image viewer and get the image to load in it.
- 7,110
- 3
- 21
- 35
-
1Shouldn't the CPU execute the instructions by only opening the image? – Faminha102 Oct 29 '18 at 01:55
-
36
-
1Because the CPU would have to process that information, from what I understand. – Faminha102 Oct 29 '18 at 02:07
-
21Processing bytes of data is different than executing those bytes. One doesn't imply the other. – Joseph Sible-Reinstate Monica Oct 29 '18 at 02:25
-
1
-
17Yes, but some bytes get executed and some just get treated as data. – Joseph Sible-Reinstate Monica Oct 29 '18 at 02:38
-
1I see, and just so I can have a understand of that: who is responsible for that? the os that treats jpg files as data, instead of executables? – Faminha102 Oct 29 '18 at 02:43
-
68@Faminha102 If you were walking outside and stumble upon a piece of paper with some instructions on it, would you follow those instructions? Probably not. You might still read and understand those instructions, but you wouldn't act on them because you know that they aren't intended for you. A similar idea applies here. – tlng05 Oct 29 '18 at 05:32
-
2@Faminha102: Just like in tlng05’s analogy it’s all about the context that the currently running code sets. If the program reading a file executes instructions that will interpret its content as a matrix of colour dots and display the resulting image, that’s what will happen (or the program may fail on ill-formed data); if the program executes instructions that will interpret the file data as other instructions and execute those, that’s what will happen (unless, again, the resulting instruction sequence is ill-formed). – David Foerster Oct 29 '18 at 11:20
-
@Faminha102 yes, whether an file is determined to be executable or not depends entirely on the operating system. Files are interpreted by programs and you can have a file that's interpreted in multiple ways. A common example is installers that can be run as programs or opened as ZIP files. – pjc50 Oct 29 '18 at 11:31
-
3Some bytes are given to the computer to execute. Others are not. It's really as simple as that. If you put your bytes in an executable file and convince the computer's user to run it, then the OS will pass those bytes to the CPU for execution and away you go. If it's doing that for JPEG images then something is very wrong. – Lightness Races in Orbit Oct 30 '18 at 11:11
-
12The misconception here may come from the observation that double-clicking an image *displays* ("starts") the image, just as double-clicking an executable starts the executable. – JimmyB Oct 30 '18 at 14:13
-
2When in reality, what happens when you double-click an image, is that your OS runs the executable that is associated with that particular file-type, based on the extension of the file, and simply passes the path to the file as an argument. – Sean Burton Oct 30 '18 at 21:59
-
@Faminha102 If it helps, the image bytes are not simply fed through the CPU. If the CPU is fed a set or bytes instructing it to do something, it will one by one read those instruction bytes and do as its instructed. In the case of loading an image, it might begin by copying each byte of the image from disk to memory. The image bytes won't go through the CPU. The disk will be instructed to load each image byte onto the bus and then the memory will be instructed to load the bytes from the bus. This is a gross simplification, of course, but hopefully it helps understand the general idea. – Clonkex Oct 30 '18 at 23:07
-
1It shouldn't, of course, but there were (are?) [vulnerabilities](https://docs.microsoft.com/en-us/security-updates/vulnerabilityresearchadvisories/2012/msvr12-004) that can cause a JPEG to be executed. Why on Earth you're write an image library in a way that can cause this is beyond me, though. – jpmc26 Oct 31 '18 at 22:55
You could if your target used a version of Internet Explorer from before August 2005 to view a JPG. Or if they were going to open a PNG in Windows Media Player on Windows 98 with no security updates installed. And so on.
There was a lot of old software that used to have bugs where, if you made an image file in which the first part of the image file lied outrageously about the size and location of the pixel data in the file, the software could do something wrong and accidentally jump to code at the wrong address or write data from the file in a place where program code should be. I recall one of these hacks involved a file whose header claimed the image had negative size. You probably can't do this with more recent versions of Internet Explorer, or Edge, because everyone knows about the problem now and Microsoft did their best to fix it.
Today's operating systems have some protective measures in place to make it difficult (but not completely impossible) to achieve anything really bad if you find a new way to hack a program using a method like this. Areas of memory can be set so they cannot be executed. Programs have separate virtual address spaces so they can't accidentally access each other's memory. Some OS components are loaded at unpredictable memory locations so it's not simple for malicious code to find and use them.
- 501
- 3
- 4
-
1Further details: https://security.stackexchange.com/questions/97856/can-simply-decompressing-a-jpeg-image-trigger-an-exploit – user3490 Oct 29 '18 at 15:30
-
6The eminent German blogger [Felix von Leitner](https://blog.fefe.de/) often emphasizes that, paradoxically, *virus scanners* expose huge attack surfaces because they must be able to open all file formats while running with maximum rights. So you don't even have to open the JPEG; it may be sufficient if your anti virus program attempts to scan it in the background. – Peter - Reinstate Monica Oct 30 '18 at 14:35
-
Exactly. JPEGs most certainly have infected computers. A Google search just now for *jpeg malware* returned [this site explaining it](https://www.bullguard.com/blog/2018/01/jpeg-files-and-malware). – Mike Waters Oct 31 '18 at 02:01
-
1Vulnerabilities in some software existed at least as recently as 2012: https://docs.microsoft.com/en-us/security-updates/vulnerabilityresearchadvisories/2012/msvr12-004 – jpmc26 Oct 31 '18 at 22:58
No. Image files such as JPEG files don't execute code, they are simply rendered and displayed.
If you want to hide some information in a file that's called Steganography, but that only hides information, it doesn't execute any instructions.
For a file to run code it has to be an executable, or be run by another program which reads the file, then executes the commands in the file.
In this case the rare instance when an image could result in executing code is if there were a bug in the software which rendered the image based off the file. This has happened in the past, but it's exceedingly rare. For all practical purposes an image can't run instructions.
This of course isn't the case for PDFs, Adobe Flash, etc.
- 5,110
- 1
- 14
- 24
-
Interesting. So with PDFs this would ok, that's what you are saying? – Faminha102 Oct 29 '18 at 02:02
-
1PDFs have more functionality, they can be interactive, load external resources, embed other files, etc. They aren't as dangerous as Word/Execl files though. – Daisetsu Oct 29 '18 at 02:10
-
1
-
Elaborate more on what? A trojan horse style attack relies on an innocent looking file which either contains a malicious payload (word macros, executable files, javascript) OR is read by a vulnerable parser. This second case is pretty rare, and gets a lot of attention because it would effect so many people. There's one example you're probably familiar with, which is Flash. Flash has constant security updates, because it tries to do so much, there's a lot of ways to craft a file which results in (sometimes) arbitrary code execution. – Daisetsu Oct 29 '18 at 02:25
-
6@Faminha102 PDF is different because the modern PDF file format is designed to execute embedded javascript (similar to how HTML files do). But the user must open the PDF file – slebetman Oct 29 '18 at 06:01
-
9_"Image files such as JPEG files don't execute code"_: I find this a bit inprecise. Even most executable files do not execute code, they _are being_ executed. – phresnel Oct 29 '18 at 11:09
-
@phresnel is correct. You could probably make a file that when opened as a JPEG image shows an (ugly) picture and when executed as code does something malicious. – Captain Man Oct 29 '18 at 15:39
-
To expand on @phresnel 's comment, *no* files execute code, programs execute code. Operating systems have programs associated with file extensions. When you double-click on a file, the program associated with that file extension is run, and that program will then open the file. If you open a file with a program that just renders images, then no code in the file will be run, regardless of what's in it. – Acccumulation Oct 29 '18 at 18:43
-
2@Captian Man, to have a file execute directly (without being invoked by another process which would interpret it's instructions) a program has to be a binary executable (ELF binary for Linux, PE for Windows). You can't simply take a binary, and create a valid JPEG file. The headers for a JPEG and PE/ELF don't align. – Daisetsu Oct 29 '18 at 18:51
-
@Daisetsu: But if you have a funny program "JpegExecuter" that loads JPEGs into memory and interprets the colors as instructions, then that file can be executed. Just like I can run Windows binaries in .COM or .EXE format on a Linux box, given a funny program named Wine. Or .NET. Not executable without host. This discussion can get huge, actually; what does it actually mean to "execute a file directly"? Even the (probably) most raw binary format .COM has to be loaded first before it's interpreted by the CPU and digested into microcode. – phresnel Oct 30 '18 at 15:08
-
-
1@phresnel anyone can write a program to interpret a file in a manner not following the format (JPEG) standards. But that's not a realistic case. The question was about normal JPEG files, obstensably rendered by normal graphic programs. – Daisetsu Oct 30 '18 at 15:32
-
1Yes, but that doesn't make "JPEG files don't execute code" more accurate than "EXE files don't execute code". – phresnel Oct 31 '18 at 12:04
You can, IF you also know what software stack will touch the image on the receiving side, AND IF there are unresolved security vulnerabilities in that software stack.
Simply putting the instructions in the JPEG file does nothing.
However, if there is a known way to make a certain exact JPEG reader implementation crash on a malformed JPEG file in a way that it will copy data from the image file where that data does not belong (like, on top of variables that contain program control flow information like function pointers or return addresses), and if OS or hardware level countermeasures (eg DEP) do not stop that from happening, there is a realistic chance. Such vulnerabilities have existed in (and do exist in legacy) real-world implementations.
- 975
- 4
- 9
The short version is no, because computers (SHOULD) know the difference between data and instructions. The worst you SHOULD be able to do with a JPEG is something like a zip-bomb or something that crashes some JPEG decompression routines. A program to load & display a JPEG will not be trying to RUN any of the data in the file, only read it and process it - and if it hits some unexpectedly not-jpeg data it will either stop or crash, or just show a really messed up picture.
HOWEVER, sometimes (I'm looking at you, Microsoft) people try and write helpful software that can be vulnerable by (for example) trying to automatically load & display e-mail attachments, create document formats that can contain scripts/macros, etc. and this is where a malicious file can cause damage.
The classic (and by now hopefully defunct/protected against) example is e-mail attachments called something like .jpg.exe
where the file is really an executable and Windows will treat it as such, but because Windows hides the extension (hiding the last .exe part) people see file.jpg
and click on it, causing the OS to run it.
It's the difference between reading a book and acting out the content of the book - if the book says "go and punch someone" you're not going to do it, because the words (data) in the book is not controlling your brain even though your brain is processing that data.
- 367
- 1
- 6