Post #30
February 12th, 2006
verdyp
LimeWire is International
 
Join Date: January 13th, 2002
Location: Nantes, FR; Rennes, FR
Posts: 306

Quote:
Originally posted by ultracross
No you can't. You are referring to a Microsoft Windows flaw in the JPEG engine that is used to render JPEG images. The only problem that this flaw can present is that a specially crafted JPEG image could create a buffer overflow and execute remote code. It cannot install a virus. And the code that can be attached to it is limited to 1028 bytes. (1KB)... for this code to present any REAL problems, it would have to be larger than 1KB in size. That said, never open attachments unless you specifically requested it or knew it was being sent from a known contact prior to opening it. Most people just randomly open attachments because their name was in the email. (can I say dumbass??)
1KB is quite enough to call a Windows API that will download a virus from a URL available on an IRC site, and then run and install it. Don't forget that the needed DLLs to perform these calls are already linked into the JPEG renderer which is itself running in the context of the Internet Explorer process, so it has lots of capability. I'd say that danger starts only at 128 bytes of binary payload, or about 200 bytes if there are byte restrictions. But there have been exploits using even fewer bytes.

Don't forget that this code may also use data or code embedded within valid image file fragments (even if this part produces some "garbage" on screen if that part of the image was effectively rendered).

In addition, you can put this image on a malicious website where it is downloaded along with multiple images containing other parts of the exploit code. This code could also be used to remove security restriction settings, which will be used immediately after by an active viral component downloaded from the same malicious page (this active viral component being normally blocked by security restrictions).

One common goal you could achieve within 1KB would be to set a domain into the "safe" security zone instead of the internet zone.

You can also control the sequencing order for these downloaded components, for example by using delayed HTTP redirects or delayed javascript redirects. With those types of redirect, you have a content body to download the first component, and later you'll go to the next page that performs the following action.

In all modern attacks, the first step to viral infection is to disable the security restrictions, which will allow a virus or rootkit to be "trusted" by the host and then install itself without notice.
__________________
LimeWire is international. Help translate LimeWire to your own language.
Visit: http://www.limewire.org/translate.shtml

Last edited by verdyp; February 12th, 2006 at 04:16 AM.
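The thread turns on two structural properties of JPEG files: a decoder that trusts a segment's length field can be driven into a buffer overflow, and a file that renders as a picture can still carry arbitrary bytes in comment segments or after the end-of-image marker. The following validator is an added illustration from a defender's side; it is not code from either poster, and the page does not identify which specific JPEG flaw is meant, so the checks are generic ones from the JPEG marker format: every non-standalone segment carries a 16-bit length that counts its own two bytes (so a value below 2 can never be valid), a declared length must not run past the file, and nothing should follow EOI. The sample byte strings are constructed here for the demonstration and are not decodable pictures, only marker layouts.

```python
"""Walk JPEG marker segments and report structural anomalies (defensive triage helper)."""
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# TEM, SOI, EOI and RST0..RST7 carry no length field.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def validate_jpeg(data: bytes, max_comment: int = 4096) -> list:
    """Return a list of findings; an empty list means the marker structure looked sane."""
    findings = []
    if len(data) < 4 or data[:2] != b"\xFF\xD8":
        return ["missing SOI marker"]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker at offset {pos}, got 0x{data[pos]:02X}")
            return findings
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are permitted
            pos += 1
        if pos >= len(data):
            findings.append("file ends inside a marker")
            return findings
        marker = data[pos]
        pos += 1
        if marker == EOI:
            if pos < len(data):
                findings.append(f"{len(data) - pos} trailing bytes after EOI")
            return findings
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            findings.append(f"marker 0x{marker:02X} at offset {pos - 2} has no length field")
            return findings
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 2:
            # The length counts its own two bytes; a smaller value makes a naive
            # "payload = length - 2" computation wrap around to a huge size.
            findings.append(f"marker 0x{marker:02X} at offset {pos - 2}: length field {length} "
                            "is smaller than its own 2 bytes (underflow risk)")
            return findings
        if pos + length > len(data):
            findings.append(f"marker 0x{marker:02X}: declared length {length} runs past end of file")
            return findings
        if marker == COM and length - 2 > max_comment:
            findings.append(f"COM segment of {length - 2} bytes exceeds {max_comment}")
        pos += length
        if marker == SOS:
            # Entropy-coded data follows; it ends at the first marker that is neither
            # a stuffed 0xFF00 nor a restart marker RST0..RST7.
            while pos < len(data):
                if (data[pos] == 0xFF and pos + 1 < len(data)
                        and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7):
                    break
                pos += 1
            else:
                findings.append("file ends inside entropy-coded data (no EOI)")
                return findings
    findings.append("no EOI marker")
    return findings


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment with a correctly computed length field."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: well-formed marker layout (APP0, COM, SOS, a few scan bytes, EOI).
GOOD = (b"\xFF\xD8"
        + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
        + _segment(COM, b"sample comment")
        + _segment(SOS, b"\x01\x01\x00\x00\x3F\x00")
        + b"\x12\x34\xFF\x00\x56"
        + b"\xFF\xD9")
# Constructed sample: COM segment whose length field claims 1, less than the field itself.
BAD_COM = b"\xFF\xD8" + bytes([0xFF, COM]) + b"\x00\x01" + b"AAAA" + b"\xFF\xD9"
# Constructed sample: valid structure with extra bytes appended after EOI.
TRAILING = GOOD + b"hidden payload bytes"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD_COM", BAD_COM), ("TRAILING", TRAILING)):
        print(name, validate_jpeg(sample) or "ok")
```

The validator stops at the first fatal structural error rather than trying to resynchronise, which is the right behaviour for a triage tool: a file that fails the length check should be quarantined, not repaired. The `max_comment` threshold is a tunable heuristic, not a standard limit; legitimate files rarely carry multi-kilobyte comments, so a large COM segment is worth a second look even when the length field itself is well-formed.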