In this instance, the overflow arises because the DLL normalizes the declared length of the area designed for comments...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
in a JPEG file prior to checking its value. This area can store up to 65,533 bytes of data, but takes up only two bytes if no comment is added to the image. If the malicious hacker sets the comment length value to 1 or 0, it will result in a heap-based overflow, overwriting the heap management structures. This allows the hacker to point the next process to code they wish to run, which ironically they can store in the comment area of the JPEG file!
In order to exploit the flaw, an attacker only needs the victim to view the doctored JPEG image. This file is typically sent in an HTML e-mail or displayed on a Web site. The JPEG image can also be embedded in a Word, PowerPoint or other Microsoft Office document. Once viewed, the embedded Trojan horse code will run on the infected system with the privileges of the application that opened the JPEG file. This vulnerability was announced in September 2004 and due to its severity, Microsoft released a patch very quickly to correct the problem. It is covered in Microsoft Security Bulletin MS04-028 "Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)".
You can download the file containing the source code for a proof-of-concept at http://www.macconvert.com/archives/docs/JPEGdownloader.doc.sitx. This should help you understand how the attack works.
Dig Deeper on Web Application Security
Related Q&A from Michael Cobb
Open source NoSQL MongoDB database faced 30,000 insecure instances. Expert Michael Cobb explains the misconfiguration that led to this, and how to ...continue reading
A new Veracode report offers details on common mobile application security risks. Expert Michael Cobb explains these flaws, and what developers can ...continue reading
Juniper firewall products were found to have two backdoor vulnerabilities. Expert Michael Cobb explains how a cryptographic algorithm and hardcoded ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.