for those that think jpgs are "safe"

Discussion in 'Computer Security' started by Colonel Flagg, Nov 11, 2003.

  1. Colonel Flagg, Nov 11, 2003
    #1

  2. Colonel Flagg

    Jim Watt Guest

    Jim Watt, Nov 11, 2003
    #2

  3. I clicked the link and IE comes up with a page which says Last Measure
    of Last Measure. What did you think I would see???

    "Colonel Flagg" <> wrote in
    message news:...
    > open this in IE:
    >
    > http://www.nero-online.org/norway.jpg
    >
    >
    > --
    > Colonel Flagg
    > http://www.internetwarzone.org/
    >
    > Privacy at a click:
    > http://www.cotse.net
    >
    > Q: How many Bill Gates does it take to change a lightbulb?
    > A: None, he just defines Darkness™ as the new industry standard..."
    >
    > "...I see stupid people."
    John E. Carty, Nov 12, 2003
    #3
  4. So what did it do? I opened it in IE and just got a page with Last Measure
    of Last Measure!

    "Jim Watt" <_way> wrote in message
    news:...
    > On Tue, 11 Nov 2003 18:36:37 -0500, Colonel Flagg
    > <> wrote:
    >
    > >open this in IE:
    > >
    > >http://www.nero-online.org/norway.jpg

    >
    > Hmmm I'm glad its harmless.
    >
    > well spotted.
    > --
    > Jim Watt http://www.gibnet.com
    John E. Carty, Nov 12, 2003
    #4
  5. In article <1Pesb.37537$>,
    says...
    > I clicked the link and IE comes up with a page which says Last Measure
    > of Last Measure. What did you think I would see???
    >
    > "Colonel Flagg" <> wrote in
    > message news:...
    > > open this in IE:
    > >
    > > http://www.nero-online.org/norway.jpg
    > >
    > >
    > > --
    > > Colonel Flagg
    > > http://www.internetwarzone.org/
    > >
    > > Privacy at a click:
    > > http://www.cotse.net
    > >
    > > Q: How many Bill Gates does it take to change a lightbulb?
    > > A: None, he just defines Darkness™ as the new industry standard..."
    > >
    > > "...I see stupid people."

    >
    >
    >



    it's an iframe exploit with a trojan in it.... I do hope you're not
    infected and that you're using a good anti-virus.


    :)


    from F-Secure Event Log:

    Malicious code found in file C:\Documents and Settings\xxxxxx\Local
    Settings\Temporary Internet Files\Content.IE5\72CZNTWT\norway[1].jpe.

    Infection: Trojan.VBS.IFrame
    Action: The file was deleted.




    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Nov 12, 2003
    #5
  6. Colonel Flagg

    dkg_ctc Guest

    "John E. Carty" <> wrote in
    news:05fsb.37542$:

    [top-post corrected]
    > "Jim Watt" <_way> wrote in message
    > news:...
    >> On Tue, 11 Nov 2003 18:36:37 -0500, Colonel Flagg
    >> <> wrote:
    >>
    >> >open this in IE:
    >> >
    >> >http://www.nero-online.org/norway.jpg

    >>
    >> Hmmm I'm glad its harmless.
    >>
    >> well spotted.

    >
    > So what did it do? I opened it in IE and just got a page with Last
    > Measure of Last Measure!


    Looks like it's just meant to be an annoyance which recursively opens
    a page inside some IFRAMEs. The IFRAMEs then loads up pictures from
    goatse.cx. (Don't bother going to goatse.cx...just take my word for
    it that it's unpleasant.) I wouldn't call this a trojan, or even
    anything that could be harmful...just something someone could use to
    be annoying.
    dkg_ctc, Nov 12, 2003
    #6
  7. In article <Xns9430CD392B3F2dkgctc@130.133.1.4>,
    says...
    > "John E. Carty" <> wrote in
    > news:05fsb.37542$:
    >
    > [top-post corrected]
    > > "Jim Watt" <_way> wrote in message
    > > news:...
    > >> On Tue, 11 Nov 2003 18:36:37 -0500, Colonel Flagg
    > >> <> wrote:
    > >>
    > >> >open this in IE:
    > >> >
    > >> >http://www.nero-online.org/norway.jpg
    > >>
    > >> Hmmm I'm glad its harmless.
    > >>
    > >> well spotted.

    > >
    > > So what did it do? I opened it in IE and just got a page with Last
    > > Measure of Last Measure!

    >
    > Looks like it's just meant to be an annoyance which recursively opens
    > a page inside some IFRAMEs. The IFRAMEs then loads up pictures from
    > goatse.cx. (Don't bother going to goatse.cx...just take my word for
    > it that it's unpleasant.) I wouldn't call this a trojan, or even
    > anything that could be harmful...just something someone could use to
    > be annoying.
    >




    sorry. wrong again. that was an *example* of what *could* happen if you
    actually load it with something more malicious. use a proper anti-virus
    and it will find it.




    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Nov 12, 2003
    #7
  8. Colonel Flagg

    donutbandit Guest

    donutbandit, Nov 12, 2003
    #8
  9. Colonel Flagg

    Mimic Guest

    "Colonel Flagg" <> wrote in
    message news:...
    > In article <1Pesb.37537$>,
    > says...
    > > I clicked the link and IE comes up with a page which says Last Measure
    > > of Last Measure. What did you think I would see???
    > >
    > > "Colonel Flagg" <> wrote in
    > > message news:...
    > > > open this in IE:
    > > >
    > > > http://www.nero-online.org/norway.jpg
    > > >
    > > >
    > > > --
    > > > Colonel Flagg
    > > > http://www.internetwarzone.org/
    > > >
    > > > Privacy at a click:
    > > > http://www.cotse.net
    > > >
    > > > Q: How many Bill Gates does it take to change a lightbulb?
    > > > A: None, he just defines Darkness™ as the new industry standard..."
    > > >
    > > > "...I see stupid people."

    > >
    > >
    > >

    >
    >
    > it's an iframe exploit with a trojan in it.... I do hope you're not
    > infected and that you're using a good anti-virus.
    >



    No and No ;D

    Also, it did nuffin but b0rked my MSIE heh, isn't it just a modified version
    of my:
    http://alt26.go.ro/execute.jpg ?
    That has been featured in the millions of threads we've had on whether
    jpgs are dangerous ? :p


    --
    Mimic

    "Without Knowledge you have fear, With fear you create your own nightmares."
    "There are 10 types of people in this world. Those that understand Binary,
    and those that dont."
    "C makes it easy to shoot yourself in the foot. C++ makes it harder, but
    when you do, it blows away your whole leg"
    Mimic, Nov 12, 2003
    #9
  10. In article <bos8ee$95g$>, says...
    > Colonel Flagg <> wrote in
    > news::
    >
    > > open this in IE:
    > >
    > > http://www.nero-online.org/norway.jpg

    >
    > And does this work if Install On Demand is not enabled?
    >



    it works if you're not a guru and you haven't made a change to the
    security of your IE... just like 90% or more end-users out there.

    the people writing this stuff aren't targeting gurus, they're
    targeting the millions of people out there that are wide open to
    exploitation. quit thinking just about yourself and yours, start
    considering the other folks out there that have no clue.



    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Nov 12, 2003
    #10
  11. In article <1Pesb.37537$>,
    John E. Carty <> wrote:
    >I clicked the link and IE comes up with a page which says Last Measure
    >of Last Measure. What did you think I would see???


    Good question. Extension notwithstanding, the file content does not
    comply with the JFIF standard and therefore does not contain a JPEG.

    This doesn't mean that one can take advantage of broken software to
    cause problems, but the hole is not a result of the JFIF format
    itself. To the best of my knowledge, JPEGs are "safe."

    >"Colonel Flagg" <> wrote in
    >message news:...
    >> open this in IE:
    >>
    >> http://www.nero-online.org/norway.jpg


    Craig
    Craig A. Finseth, Nov 12, 2003
    #11
  12. Colonel Flagg

    [ Doc Jeff ] Guest

    On Tue, 11 Nov 2003 18:36:37 -0500, Colonel Flagg
    <> wrote:

    >open this in IE:
    >
    >http://www.nero-online.org/norway.jpg


    Looks just lovely in Lynx. Thanks for sharing it :)

    --
    http://www.cotse.net - Use it, you know you want to.
    If you're too scared to go look for yourself, ask me
    about COTSE. I'd be happy to tell you about it.
    [ Doc Jeff ], Nov 12, 2003
    #12
  13. Colonel Flagg

    dkg_ctc Guest

    Colonel Flagg <> wrote
    in news::

    > In article <Xns9430CD392B3F2dkgctc@130.133.1.4>,
    > says...
    >> "John E. Carty" <> wrote in
    >> news:05fsb.37542$:
    >>
    >> [top-post corrected]
    >> > "Jim Watt" <_way> wrote in message
    >> > news:...
    >> >> On Tue, 11 Nov 2003 18:36:37 -0500, Colonel Flagg
    >> >> <> wrote:
    >> >>
    >> >> >open this in IE:
    >> >> >
    >> >> >http://www.nero-online.org/norway.jpg
    >> >>
    >> >> Hmmm I'm glad its harmless.
    >> >>
    >> >> well spotted.
    >> >
    >> > So what did it do? I opened it in IE and just got a page with
    >> > Last Measure of Last Measure!

    >>
    >> Looks like it's just meant to be an annoyance which recursively
    >> opens a page inside some IFRAMEs. The IFRAMEs then loads up
    >> pictures from goatse.cx. (Don't bother going to goatse.cx...just
    >> take my word for it that it's unpleasant.) I wouldn't call this
    >> a trojan, or even anything that could be harmful...just something
    >> someone could use to be annoying.
    >>

    >
    >
    >
    > sorry. wrong again.


    No, it's not wrong. It's absolutely correct. There's no security
    issue here...Internet Explorer simply looks at the JPEG, sees that
    it's an HTML, and treats it as such. It doesn't parse the page
    outside of the internet security zone.

    > that was an *example* of what *could* happen if you actually load
    > it with something more malicious. use a proper anti-virus and it
    > will find it.


    I'll tell you what. If you can re-write the code on that page to do
    something more malicious than pop up windows on a patched Internet
    Explorer, THEN I'll take the security threat seriously. Until then,
    I'll have to take the word of NAI (
    http://vil.nai.com/vil/content/Print100074.htm ) which basically
    confirms my statement that it's a DoS.
    dkg_ctc, Nov 12, 2003
    #13
  14. Colonel Flagg

    dkg_ctc Guest

    dkg_ctc, Nov 12, 2003
    #14
  15. Colonel Flagg

    dkg_ctc Guest

    Colonel Flagg <> wrote in
    news::

    > open this in IE:
    >
    > http://www.nero-online.org/norway.jpg


    It should also be noted that if norway.jpg were, for example, a PHP
    script which sent the content type as text/html, then the behavior
    would be the same in any browser that obeys the content-type header,
    as opposed to file contents (which is pretty much any browser other
    than Internet Explorer).

    So to recap...

    A.) The example on the page (Trojan.VBS.Iframe) is a denial of
    service. It doesn't exploit vulnerabilities in Internet Explorer.

    B.) Sending someone a link to a file named as JPEG but which is
    really HTML will render the page as HTML in Internet Explorer, but
    this in itself is not a security vulnerability. Rather, it's simply
    misdirection.

    C.) By sending a Content-Type: text/html, most browsers will render
    what appears to be a JPG by URL as HTML, the same way that Internet
    Explorer does. Going by the content-type header, as opposed to file
    extension or file contents, is the correct way to determine how to
    handle a file.
    dkg_ctc, Nov 12, 2003
    #15
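The three signals argued over in posts #11 and #15 (file extension, Content-Type header, and the actual bytes) can be compared mechanically. The Python below is an added example, not part of the original thread: `sniff`, `audit`, the sample byte strings and the HTML heuristic are all constructed for illustration, and the heuristic is a simplification, not Internet Explorer's real sniffing algorithm.

```python
import os

# Constructed sample inputs (not the file linked in the thread).
REAL_JFIF = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
EXIF_JPEG = b"\xff\xd8\xff\xe1\x00\x18Exif\x00\x00"
FAKE_JPG = b"<html><body><iframe src='about:blank'></iframe></body></html>"

IMAGE_EXTS = {".jpg", ".jpeg", ".jpe"}
HTML_HINTS = (b"<!doctype", b"<html", b"<head", b"<body", b"<script", b"<iframe")


def sniff(body):
    """Classify a body by its bytes: 'jfif', 'jpeg', 'html' or 'unknown'."""
    if body[:2] == b"\xff\xd8":  # JPEG start-of-image marker
        # JFIF: APP0 segment (FF E0), 2-byte length, then the tag "JFIF\0"
        if body[2:4] == b"\xff\xe0" and body[6:11] == b"JFIF\x00":
            return "jfif"
        if body[2:3] == b"\xff":  # some other JPEG segment, e.g. Exif APP1
            return "jpeg"
    head = body[:512].lower()  # only the leading bytes are inspected
    if any(hint in head for hint in HTML_HINTS):
        return "html"
    return "unknown"


def audit(url_path, content_type, body):
    """Return a list of mismatches between extension, header and content."""
    findings = []
    ext = os.path.splitext(url_path)[1].lower()
    declared = content_type.split(";")[0].strip().lower()
    actual = sniff(body)
    if ext in IMAGE_EXTS and actual not in ("jfif", "jpeg"):
        findings.append("extension %s but content is %s" % (ext, actual))
    if declared == "image/jpeg" and actual == "html":
        # The case from the thread: a content-sniffing client renders this.
        findings.append("declared image/jpeg but body is HTML")
    if declared == "text/html" and ext in IMAGE_EXTS:
        # Recap point C: any header-obeying browser renders this as HTML.
        findings.append("image-looking URL served as text/html")
    return findings


if __name__ == "__main__":
    cases = [
        ("/sample.jpg", "image/jpeg", REAL_JFIF),
        ("/sample.jpg", "image/jpeg", FAKE_JPG),
        ("/sample.jpg", "text/html", FAKE_JPG),
    ]
    for path, ctype, body in cases:
        print(path, ctype, audit(path, ctype, body) or "consistent")
```

A check like this fits an upload filter or proxy that refuses files whose bytes do not match their claimed type. On the serving side, the `X-Content-Type-Options: nosniff` response header tells browsers that support it to honour the declared type instead of guessing from content.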
  16. "Colonel Flagg" <> wrote in
    message news:...
    > In article <bos8ee$95g$>, says...
    > > Colonel Flagg <> wrote in
    > > news::
    > >
    > > > open this in IE:
    > > >
    > > > http://www.nero-online.org/norway.jpg

    > >
    > > And does this work if Install On Demand is not enabled?
    > >

    >
    >
    > it works if you're not a guru and you haven't made a change to the
    > security of your IE... just like 90% or more end-users out there.
    >
    > the people writing this stuff aren't targeting gurus, they're
    > targeting the millions of people out there that are wide open to
    > exploitation. quit thinking just about yourself and yours, start
    > considering the other folks out there that have no clue.


    In Windows 2000 and XP Install on Demand is disabled by default :)

    >
    >
    >
    > --
    > Colonel Flagg
    > http://www.internetwarzone.org/
    >
    > Privacy at a click:
    > http://www.cotse.net
    >
    > Q: How many Bill Gates does it take to change a lightbulb?
    > A: None, he just defines Darkness™ as the new industry standard..."
    >
    > "...I see stupid people."
    John E. Carty, Nov 12, 2003
    #16
  17. In article <Xns9430E668E76Ddkgctc@130.133.1.4>,
    says...
    > Colonel Flagg <> wrote in
    > news::
    >
    > > open this in IE:
    > >
    > > http://www.nero-online.org/norway.jpg

    >
    > It should also be noted that if norway.jpg were, for example, a PHP
    > script which sent the content type as text/html, then the behavior
    > would be the same in any browser that obeys the content-type header,
    > as opposed to file contents (which is pretty much any browser other
    > than Internet Explorer).
    >
    > So to recap...
    >
    > A.) The example on the page (Trojan.VBS.Iframe) is a denial of
    > service. It doesn't exploit vulnerabilities in Internet Explorer.
    >



    It doesn't? Then how come it won't do the same thing in other browsers,
    such as Mozilla? Because Mozilla sees it as malicious code (malformed,
    malicious, corrupt, whatever) and won't allow it to run.



    > B.) Sending someone a link to a file named as JPEG but which is
    > really HTML will render the page as HTML in Internet Explorer, but
    > this in itself is not a security vulnerability. Rather, it's simply
    > misdirection.
    >


    So then, if an iframe exploit in html has been patched (and it has) and
    I send this to you and you open it in your fully patched IE browser and
    it runs (as it did), you're saying it won't run? Um, it just did :)
    Unless of course, you're browsing the web unpatched.... which I doubt,
    but considering some of the brainiacs we have in this froup, it wouldn't
    surprise me.






    > C.) By sending a Content-Type: text/html, most browsers will render
    > what appears to be a JPG by URL as HTML, the same way that Internet
    > Explorer does. Going by the content-type header, as opposed to file
    > extension or file contents, is the correct way to determine how to
    > handle a file.
    >



    So then, a file with a .jpg extension can be mishandled by IE, causing
    *something* to happen that shouldn't.... therefore, .jpg's should not be
    considered safe.

    Thanks for confirming what I said to begin with.

    As I said previously, in another thread, a TRUE jpeg is safe. .jpg's
    overall SHOULD NOT be considered safe in IE because IE (and Microsoft
    for that matter) is a borked product. In fact, I would go so far as to
    say, The combo of IE & OE should be considered the single greatest cause
    of infection on the Internet, followed by a close second with IIS.


    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Nov 12, 2003
    #17
  18. In article <3fb1af2c$0$41291$>,
    says...
    > In article <1Pesb.37537$>,
    > John E. Carty <> wrote:
    > >I clicked the link and IE comes up with a page which says Last Measure
    > >of Last Measure. What did you think I would see???

    >
    > Good question. Extension notwithstanding, the file content does not
    > comply with the JFIF standard and therefore does not contain a JPEG.
    >
    > This doesn't mean that one can take advantage of broken software to
    > cause problems, but the hole is not a result of the JFIF format
    > itself. To the best of my knowledge, JPEGs are "safe."
    >



    sure jpeg's are safe... how the .jpg extension is handled in IE isn't.

    of course a gun is safe, until you load it, put it to your head, click
    off the safety, pull the trigger and blow your fucking brains out.




    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Nov 12, 2003
    #18
  19. Colonel Flagg

    Jim Watt Guest

    On 12 Nov 2003 04:25:27 GMT, "dkg_ctc" <>
    wrote:

    <snip>

    The point is that IE looks at the content and not the suffix.

    Its a good demonstration of that point.


    --
    Jim Watt http://www.gibnet.com
    Jim Watt, Nov 12, 2003
    #19
  20. Colonel Flagg

    John Niven Guest

    Jim Watt wrote:
    > The point is that IE looks at the content and not the suffix.
    >
    > Its a good demonstration of that point.


    ....and just to add my €0.02, Mozilla Firebird refuses to display the "JPEG".

    > Its a good demonstration of that point.

    Agreed.

    Best wishes
    John

    --
    John Niven
    [Reply via newsgroup]
    John Niven, Nov 12, 2003
    #20