Binary over JPEG
Can you please explain "binary over JPEG" -- the mechanism for transferring a Trojan horse code by hiding it in a JPEG image, to be activated when the user downloads the image? I'm familiar with x86 assembler, and with the JPEG format, but do not understand how such code "comes alive" when the passive JPEG image is opened.

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Many Microsoft products, including the Office Suite programs, Internet Explorer, Windows XP and Windows Server 2003, use a dynamic link library (DLL) file called GDIPlus.dll. It contains libraries for the Graphical Device Interface Plus (GDI+) application programming interface (API). This allows programmers to represent graphical objects and transmit them to output devices, such as monitors and printers. This DLL includes the capability to process JPEG image files. Sadly, the way it handles malformed JPEG images can cause a heap-based buffer overflow. Heap-based buffer vulnerabilities occur if the unchecked copy of data is written to a buffer that is located on the heap. This allows non-executable stack protection mechanisms to be bypassed, leaving the system vulnerable.

In this instance, the overflow arises because the DLL normalizes the declared length of the area designed for comments in a JPEG file prior to checking its value. This area can store up to 65,533 bytes of data, but takes up only two bytes if no comment is added to the image. If the malicious hacker sets the comment length value to 1 or 0, it will result in a heap-based overflow, overwriting the heap management structures. This allows the hacker to point the next process to code they wish to run, which ironically they can store in the comment area of the JPEG file!

In order to exploit the flaw, an attacker only needs the victim to view the doctored JPEG image. This file is typically sent in an HTML e-mail or displayed on a Web site. The JPEG image can also be embedded in a Word, PowerPoint or other Microsoft Office document. Once viewed, the embedded Trojan horse code will run on the infected system with the privileges of the application that opened the JPEG file. This vulnerability was announced in September 2004 and due to its severity, Microsoft released a patch very quickly to correct the problem. It is covered in Microsoft Security Bulletin MS04-028 "Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)".

You can download the file containing the source code for a proof-of-concept at http://www.macconvert.com/archives/docs/JPEGdownloader.doc.sitx. This should help you understand how the attack works.

This was first published in November 2005

Back to top