57

I have a small number of employees who use a company computer but these people aren't very tech-savvy. They use an email client and a messaging client.

I'm pretty sure they wouldn't click on a .exe or .zip file in an email without thinking, and I know that's one area of concern.

However, I'm thinking about images. In fact, regardless of how capable a person is with technology, I believe that attaching things (code or anything else) to an image can be a security risk.

What can be attached to images to harm another?

I believe that images can pose a security risk as they 'automatically execute' or something.

There are so many ways that images can be received by a computer (or a phone or tablet, of course):

  • email
  • iMessage (or any other messaging app)
  • someone right-clicking and saving an image from a web page
  • just viewing a web page of course downloads the image to cache

What precautions do I need to take regarding the above four things? Can someone just attach some code to an image and it execute?

What do I need to do to prevent images being used against my computers?

I'm guessing you couldn't just attach code to an image and iMessage someone's iPhone. What about Android?

shreyasm-dev
  • 115
  • 9
user2143356
  • 733
  • 1
  • 5
  • 7
  • This question seems to mostly target end-users. However it may be worth noting that servers are actually even more targeted by this kind of attack, usually through some kind of image file upload mechanism, as unlike end-users with servers the attacker who uploaded the malicious file is also free to trigger its execution the way he wants (no need to wait and hope for a user to do a certain action). You can see some examples [here](https://security.stackexchange.com/q/32580/32746) and [there](https://security.stackexchange.com/q/90968/32746) as well as on other related posts. – WhiteWinterWolf Mar 23 '17 at 18:04

9 Answers

81

The other answers mostly talk about attaching arbitrary code to images via steganographic techniques, but that's not very interesting since it requires that the user be complicit in extracting and executing that. The user could just execute malicious code directly if that's their goal.

Really you're interested in whether there's a possibility of unexpected, arbitrary code execution when viewing an image. And yes, there is such a possibility of an attacker constructing a malicious image (or something that claims to be an image) that targets specific image viewing implementations with known flaws. For example, if an image viewer allocates a buffer and computes the necessary buffer size from a naive width * height * bytes_per_pixel calculation, a malicious image could report dimensions sufficiently large to cause the above calculation to overflow, causing the viewer to allocate a smaller buffer than expected and allowing a buffer overflow attack when data is read into it.

Specific examples:

In general, these sorts of things are difficult to protect against. Some things you can do:

  • Keep your systems and applications updated.
  • Enable DEP.
  • Enable ASLR if possible.
  • Avoid running programs with administrative privileges.
  • On Windows, Microsoft's EMET could also provide some protection.
jamesdlin
  • 2,015
  • 1
  • 12
  • 13
  • 9
    This, to me, is the only correct answer. All the other answers involve the user deliberately, maliciously, extracting malware hidden in an image file - and the OP said the users weren't tech savvy, so this is very unlikely. – James_pic Apr 08 '14 at 08:24
  • 3
    The OP asked about prevention, so probably also worth mentioning that the issue can be largely prevented by ensuring that security updates are applied to systems promptly, and installing anti-virus software on any Windows based systems. – James_pic Apr 08 '14 at 08:27
  • There is nothing "steganographic" in exploiting listed vulnerabilities. It's rather a RARJPEG technique. – Free Consulting Jun 08 '17 at 00:28
  • @FreeConsulting Hm? My answer has nothing to do with steganography, nor did I claim it did. – jamesdlin Jun 08 '17 at 00:51
  • "...to images via steganographic techniques..." – Free Consulting Jun 08 '17 at 01:04
  • @FreeConsulting That quote was referring to [some](https://security.stackexchange.com/a/55062/43625) of the [other](https://security.stackexchange.com/a/55064/43625) posted [answers](https://security.stackexchange.com/a/55125/43625). *My* answer has nothing to do with steganography. – jamesdlin Jun 08 '17 at 03:19
  • Yes, I know. Still there is no point to debate with wrong (in the OP's scenario there is no party to receive a steganographic message) answer. – Free Consulting Jun 08 '17 at 22:12
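As an added example of the sizing bug this answer describes (it is not code from the answer or from any real image library), the C below parses a hypothetical 12-byte width/height/bytes-per-pixel header, computes the pixel-buffer size both the naive way and the overflow-checked way, and reports whether a decoder that trusted the naive size would write past its heap buffer. The header layout, the assumed 256 MiB sanity cap and the two sample headers are all constructed for this illustration; the "decode" step only reports the out-of-bounds write instead of performing it.

```c
/* Added example: naive vs. overflow-checked pixel-buffer sizing.
 * Hypothetical header format; not taken from any real decoder. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical 12-byte little-endian header: width, height, bytes per pixel. */
struct img_hdr { uint32_t width, height, bpp; };

enum decode_result { DECODE_OK = 0, DECODE_REJECTED = 1, DECODE_HEAP_OVERFLOW = 2 };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 on success, 0 if the input is too short to hold a header. */
int parse_hdr(const uint8_t *buf, size_t len, struct img_hdr *h) {
    if (len < 12) return 0;
    h->width = rd32le(buf); h->height = rd32le(buf + 4); h->bpp = rd32le(buf + 8);
    return 1;
}

/* Vulnerable sizing: the 32-bit product wraps, so a crafted header that
 * describes gigabytes of pixels can yield a tiny allocation. */
uint32_t naive_buffer_size(const struct img_hdr *h) {
    return h->width * h->height * h->bpp;
}

/* Hardened sizing: rejects zero/absurd fields, checks every multiplication
 * against SIZE_MAX, and applies an assumed application cap (256 MiB) so a
 * valid but huge image cannot exhaust memory. Returns 0 on rejection. */
int checked_buffer_size(const struct img_hdr *h, size_t *out) {
    const size_t max_image_bytes = (size_t)256 * 1024 * 1024;   /* assumed cap */
    if (h->width == 0 || h->height == 0 || h->bpp == 0 || h->bpp > 16) return 0;
    if ((size_t)h->width > SIZE_MAX / h->height) return 0;
    size_t px = (size_t)h->width * h->height;
    if (px > SIZE_MAX / h->bpp) return 0;
    size_t total = px * h->bpp;
    if (total > max_image_bytes) return 0;
    *out = total;
    return 1;
}

/* Simulates the decoder's allocation step. Instead of actually copying pixel
 * data into the buffer, it compares the bytes a decoder would write against
 * the bytes it allocated and reports the overflow the answer describes. */
enum decode_result simulate_decode(const struct img_hdr *h, int use_checked) {
    size_t alloc;
    if (use_checked) {
        if (!checked_buffer_size(h, &alloc)) return DECODE_REJECTED;
    } else {
        alloc = naive_buffer_size(h);
    }
    /* uint64_t is wide enough for the dimensions used in this example. */
    uint64_t real_bytes = (uint64_t)h->width * h->height * h->bpp;
    return real_bytes > alloc ? DECODE_HEAP_OVERFLOW : DECODE_OK;
}

/* Parse-and-size in one call; unparsable input is rejected on both paths. */
enum decode_result decode_bytes(const uint8_t *buf, size_t len, int use_checked) {
    struct img_hdr h;
    if (!parse_hdr(buf, len, &h)) return DECODE_REJECTED;
    return simulate_decode(&h, use_checked);
}

/* Constructed malicious header: 65536 x 65537 x 1 describes 4 GiB + 64 KiB of
 * pixels, but the 32-bit product wraps to exactly 65536 bytes. */
const uint8_t MALICIOUS_HDR[12] = {0x00,0x00,0x01,0x00, 0x01,0x00,0x01,0x00, 0x01,0x00,0x00,0x00};
/* Constructed benign header: 640 x 480 x 3. */
const uint8_t BENIGN_HDR[12]    = {0x80,0x02,0x00,0x00, 0xE0,0x01,0x00,0x00, 0x03,0x00,0x00,0x00};

int main(void) {
    static const char *names[] = {"ok", "rejected", "HEAP OVERFLOW"};
    printf("malicious, naive sizing:   %s\n", names[decode_bytes(MALICIOUS_HDR, 12, 0)]);
    printf("malicious, checked sizing: %s\n", names[decode_bytes(MALICIOUS_HDR, 12, 1)]);
    printf("benign, naive sizing:      %s\n", names[decode_bytes(BENIGN_HDR, 12, 0)]);
    printf("benign, checked sizing:    %s\n", names[decode_bytes(BENIGN_HDR, 12, 1)]);
    return 0;
}
```

The naive path is exactly the calculation the answer warns about: two attacker-chosen 32-bit fields multiplied in 32-bit arithmetic. The checked version is what a reviewer should look for in any decoder that allocates from dimensions it read off the wire, and the cap is a separate decision that keeps correct-but-huge images from becoming a denial of service.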
12

Yes, there are ways to 'exploit' buffer overflows.

Sometimes the code may need to be executed via a separate script, and in theory you could assemble a virus from multiple images that contained code hidden within the picture using steganography, but there are easier ways.

Basically many computer systems expected images to comply with the exact specification for the type and they failed to correctly range check the formats/parameters being passed.

By 'engineering' an image so that externally it looks like it complies but internally it does not, it was possible to trigger stack corruption/buffer overflows that would allow code hidden in an image to be executed under the authority of the user.

But note that this does not ONLY apply to images, it can apply to ANY file, take a look at the recent RTF exploit in MS word.

bob
  • 121
  • 2
7

You can always hide files/programs/anything in the 'slack space' of any file. Then you could run a script later to extract and/or compile what you have hidden... For instance, you could embed a malicious executable (or smaller script) within multiple images on a website. When a user goes to the website, they download the images.

Learn more about Slack Space here: http://www.computerhope.com/jargon/s/slack-space.htm and then play around with it yourself by grabbing a hex editor (http://mh-nexus.de/en/hxd/) and messing around.

Matthew Peters
  • 3,592
  • 4
  • 21
  • 39
  • 2
    Thanks, some good info. What about running the malicious code though? Your answer explains how someone could hide the code. Surely they can't just embed a .exe in an image and every web visitor has that file execute. I see it is very easy for someone to embed the code, but can't believe anything will just run willy nilly. Does the hacker need to do something specifically to trigger the code to run? – user2143356 Apr 07 '14 at 22:04
  • There are two basic ways that an attack can occur from the slack space. The easiest is to simply store the really bad code (what is most likely to get detected from a virus scanner) in the slack space and then 'activate' the code by a more traditional method. For instance, you could go to a torrent site and not directly dl a virus itself but only the seemingly harmless (to your Virus Scanner) torrent file all-the-while your browser is dl the actual virus in all those banner ads' slack space. The other way is to embed the call method inside the 'real' image part. – Matthew Peters Apr 07 '14 at 22:27
  • Here is a nice article about all the different types of slack space viruses and such http://computervirus.uw.hu/ch04lev1sec2.html section 4.2.13.6 is probably most helpful in describing my second method. – Matthew Peters Apr 07 '14 at 22:27
  • Embedding the call in the image part will not work. the only way to execute a virus like this would be to directly invoke the code in the harmful image by another executable or script. – Kotzu Apr 07 '14 at 22:40
  • So can I be safe that even though images can have all sorts of malware embedded in them (slack space, EXIF etc.) that just be viewing and downloading images isn't going to infect my computer and that the code in these images needs to be executed by a separate script? – user2143356 Apr 07 '14 at 23:09
  • @Kotzu is right in that malicious code can't run just because the image loads (so far as I know). However, the code is still there and can be called by any number of other vectors. There was a time when browsers even allowed direct links to local files directly from a webpage... For instance, 'bad code' in the nonSlack space could still be dangerous if it exploits an issue by the legitimate program loading the image (similar to a SQL injection, you could toss some bad metadata and have firefox interpret it). To answer your question, I'd say the average user is safe for 90% of the time. – Matthew Peters Apr 07 '14 at 23:25
  • 1
    @MatthewPeters Whether malicious code can be run when the image loads is a quality-of-implementation issue. Image decoders can have bugs that lead to buffer overflows (which then could lead to code execution). – jamesdlin Apr 08 '14 at 02:02
  • Windows have their virus-friendly executable videos (WMA), do they have also the image equivalent? – Léon Pelletier Apr 08 '14 at 12:45
  • But network transmitted data has no slack until written to storage... – Free Consulting Jun 08 '17 at 00:30
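As an added example of the appended-payload trick this answer and the RARJPEG comment above describe (not code from the original answers), the C below walks a PNG's chunks up to the IEND chunk and reports any bytes that follow it, which is where a binder or a slack-space-style append lands. It also treats every chunk length field as attacker-controlled, so a forged length is rejected instead of being read past the end of the file. The sample PNG, the appended payload bytes and the CRC fields (which this check does not verify) are constructed here.

```c
/* Added example: detect data appended after a PNG's IEND chunk.
 * Sample bytes are constructed for the illustration; CRCs are not verified. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum png_scan { PNG_CLEAN = 0, PNG_TRAILING = 1, PNG_BAD_SIG = 2, PNG_TRUNCATED = 3 };

static const uint8_t PNG_SIG[8] = {0x89,'P','N','G',0x0D,0x0A,0x1A,0x0A};

static uint32_t rd32be(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Walks length/type/data/CRC chunks until IEND. On PNG_TRAILING, *trailer_off
 * is the offset of the first byte after IEND and *trailer_len its length.
 * The remaining-bytes comparison is written so that an oversized length
 * field cannot wrap the arithmetic or push the cursor past the buffer. */
enum png_scan png_trailing_data(const uint8_t *buf, size_t len,
                                size_t *trailer_off, size_t *trailer_len) {
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return PNG_BAD_SIG;
    size_t pos = 8;
    for (;;) {
        if (len - pos < 12) return PNG_TRUNCATED;        /* need length + type + CRC */
        uint32_t clen = rd32be(buf + pos);
        if (clen > len - pos - 12) return PNG_TRUNCATED;   /* chunk claims more than exists */
        int is_iend = memcmp(buf + pos + 4, "IEND", 4) == 0;
        pos += 12 + clen;
        if (is_iend) break;
    }
    if (pos == len) return PNG_CLEAN;
    *trailer_off = pos;
    *trailer_len = len - pos;
    return PNG_TRAILING;
}

/* Constructed minimal 1x1 RGB PNG (69 bytes): signature, IHDR, IDAT, IEND. */
static const uint8_t CLEAN_PNG[] = {
    0x89,'P','N','G',0x0D,0x0A,0x1A,0x0A,                          /* signature */
    0,0,0,13,'I','H','D','R', 0,0,0,1, 0,0,0,1, 8,2,0,0,0,          /* 1x1, 8-bit RGB */
    0x90,0x77,0x53,0xDE,                                            /* IHDR CRC */
    0,0,0,12,'I','D','A','T',
    0x08,0xD7,0x63,0xF8,0xCF,0xC0,0x00,0x00,0x03,0x01,0x01,0x00,    /* zlib data */
    0x18,0xDD,0x8D,0xB0,                                            /* IDAT CRC */
    0,0,0,0,'I','E','N','D', 0xAE,0x42,0x60,0x82                    /* IEND + CRC */
};

/* Constructed payload: the first bytes of a DOS/PE header, as a binder
 * might append. The image still renders because viewers stop at IEND. */
static const uint8_t PAYLOAD[] = {'M','Z',0x90,0x00,0x03,0x00};

/* Builds the sample (optionally with the payload appended) and scans it. */
enum png_scan scan_sample(int with_payload, size_t *off, size_t *tl) {
    uint8_t buf[sizeof CLEAN_PNG + sizeof PAYLOAD];
    size_t n = sizeof CLEAN_PNG;
    memcpy(buf, CLEAN_PNG, n);
    if (with_payload) { memcpy(buf + n, PAYLOAD, sizeof PAYLOAD); n += sizeof PAYLOAD; }
    return png_trailing_data(buf, n, off, tl);
}

/* Same file with the IDAT length forged to 0xFFFFFFFF: the bounds check must
 * reject it rather than walk past the end of the buffer. */
enum png_scan scan_forged_length(void) {
    uint8_t buf[sizeof CLEAN_PNG];
    size_t off, tl;
    memcpy(buf, CLEAN_PNG, sizeof buf);
    memset(buf + 8 + 25, 0xFF, 4);   /* IDAT length field sits right after IHDR */
    return png_trailing_data(buf, sizeof buf, &off, &tl);
}

int main(void) {
    size_t off = 0, tl = 0;
    printf("clean sample:   %d\n", scan_sample(0, &off, &tl));
    if (scan_sample(1, &off, &tl) == PNG_TRAILING)
        printf("stego sample:   %zu trailing bytes at offset %zu\n", tl, off);
    printf("forged length:  %d (3 = truncated/rejected)\n", scan_forged_length());
    return 0;
}
```

Trailing bytes after IEND are not by themselves an exploit, which is the point the comments under this answer make: something else still has to carve them out and run them. As an upload-side or mail-gateway check, though, "bytes after the end-of-image marker" is cheap to compute and is a reliable signal that a file is more than the picture it claims to be.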
3

For pretty much any file format, the programs that read it might have some bugs exploitable by a maliciously crafted file.

It can happen (and has happened) also for images; but it'd generally be limited to a single particular program (or library) reading it, not a general "image with malware" that attacks all such programs.

Even text files aren't theoretically safe if the programs try to do something interesting with them. An SQL injection in a blog comment post is essentially "malware attached to text"; there was a vulnerability in Python allowing a crash (=denial of service) by submitting malicious text data and claiming that it's in UTF-7 encoding, exploiting a bug in that decoder; and there exist attacks based on breaking XML parsers by, again, malicious near-text data.

Peteris
  • 8,369
  • 1
  • 26
  • 35
1

Yes, it is possible to hide malware in an image. It is not a very common attack at all, but recently it seems that malware authors have started hiding malware inside images.

Malware analysis is not my thing. If you want more information, search for "Steganography Malware".

One piece of advice: do not open emails from untrusted/unknown sources.

Ubaidah
  • 1,054
  • 6
  • 11
1

Exploits are just that, exploits. Someone finds a vulnerability in some widely used code, and then sets out to set the stage for that vulnerability to do its thing. Let's pretend for example someone out there figured out that some widely-used email client has a bug that leads to a buffer overflow in some specific circumstance. If enough malformed data is fed into the buffer, it overruns onto the stack. Now you can take an image, malformed exactly like it needs to be to cause the buffer overflow, embed into it some malware, and pad the end of the data with a bunch of NOPs and then a clever small assembly routine that gets dumped on the stack, which when run points directly to the malware that is already loaded in memory in the image buffer. All a user has to do to get infected is have the malformed image be displayed in the vulnerable application. This is a more common channel of attack in highly specific zero-day exploits.

Remedies to these problems are fortunately easy to apply. Configure the machines to only allow plain-text messages. Make sure you use only well maintained software and apply all updates automatically.

1

There are programs called binders which will normally attach an executable to an image. Malware found in images tend to be RATs(Remote Administration Tools) which is some skid stuff that some skid will use to gain access to your computer. Normally this is only used though on websites where horny idiots talk to these skids, and the skids pretend they're a girl and tell them to download an image. Personally I think there are much better ways of spreading things, also most anti-viruses should detect these "bindings" even if the virus is FUD(fully undetected).

Man Person
  • 11
  • 1
1

The benefit of plain text messages is that when the mail client is only reading plain text, none of the potentially dangerous or hidden scripts will be interpreted or run at all. It will just be a string to the mail client.

0

There is an example of a vulnerability described here - full code execution on Windows systems, if javascript was enabled => SVG SNAFU.

Info:

Joshua Yabut, another researcher who also analyzed the code, told Ars it exploits a so-called use-after-free bug that requires JavaScript to be enabled on the vulnerable computer. Yabut went on to say the code is "100% effective for remote code execution on Windows systems." The exploit code, the researcher added, adjusts the memory location of the payload based on the version of Firefox being exploited. The versions span from 41 to 50, with version 45 ESR being the version used by the latest version of the Tor browser. The adjustments are an indication that the people who developed the attack tested it extensively to ensure it worked on multiple releases of Firefox. The exploit makes direct calls to kernel32.dll, a core part of the Windows operating system. Source

user2497
  • 580
  • 2
  • 7