Author Topic: IE flaw in image handling...  (Read 3774 times)

0 Members and 1 Guest are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
IE flaw in image handling...
« on: October 22, 2005, 01:48:13 pm »
There is a flaw in IE that it will interpret an image file (like, .jpeg) as a html file if it contains html code.  For example, see this image:
http://planet.nana.co.il/mycoolpictures123/fake/lt2.jpg
If you load that page in FireFox, you will see nothing.  If you load the same image in Internet Explorer, it should have a popup telling you your cookie information. 

Why is this dangerous?  Because in forum software (YaBB, PHPBB, etc), you can upload custom avatars/thumbnails, which can contain code (exploit or XSS) that is run on Internet Explorer users' computers.  OSPAP, of course, is not affected; I re-encode all images :)

Here is the full advisory:

Quote
phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.

I sent the report to phpBB and they said that a patch will be available withing a few days and It will be integrated into 2.0.18 .

Note: This works like XSS, and requires the victim to use IE (Affects all versions of IE).

Special Credits to: Sven Vetsch (the original finder of "The gif bug").
The original gif-bug article : http://www.securiteam.com/windowsntfocus/6F00B00EBY.html
Also thanks to the experts at securiteam.com for clarifying some issues.

Since what is described in the original article doesn't work, I have written this step-by-step
article explaining how to replicate this bug successfuly.

Affected: All phpBB systems allowing "Upload Avatar from URL" and most likely all other systems
with such a feature (Other bulletin boards - but I didn't check).

Well, the base for the problem lies within IE.. The core element of my Proof of Concept is the
lately found Gif-bug in IE (Originally found by Sven Vetsch).

For some reason IE renders malformed embedded content files (like gif,jpg,wav,and so on..)
as HTML when they are accessed directly e.g. http://attacker.com/xss.gif (Not through the <img>
tag).

If we create an HTML file and rename its extention to .GIF (or other embedded content file
extention), and upload it to an HTTP server (it dosn't work locally for some reason), when we
will navigate to http://myserver.com/xss.gif the HTML code will be executed instead of showing
that the image is invalid.

So, if we could upload such a file to a server that allows image upload we could actually upload
HTML code instead (Inside the image file). If the victim will be lured to navigate to this
specially crafted image in IE, arbitary HTML code could be executed in the servers security zone,
e.g. we could steall the users cookie, for example.

However it is not that simple with systems (like phpBB) that verify the image file before it
is uploaded to the server. If we try to upload our previosly made http://attacker.com/xss.gif
gif file the system will complain about incorrect image size - that's because our image is invalid.
The verification system chechs the files header. In a valid 1x1 gif file the header should be
(in hex) : 47 49 46 38 39 61 01 00 01 00 . After the header we will insert the next HTML code:
<HTML><HEAD><SCRIPT>alert(document.cookie);</SCRIPT></HEAD></HTML>
So the file will look like this (in hex):
47 49 46 38 39 61 01 00 01 00 3C 48 54 4D 4C 3E 3C 48 45 41 44 3E 3C 53 43 52 49 50 54 3E 61 6C 65 72 74 28 64 6F 63 75 6D 65 6E 74 2E 63 6F 6F 6B 69 65 29 3B 3C 2F 53 43 52 49 50 54 3E 3C 2F 48 45 41 44 3E 3C 2F 48 54 4D 4C 3E

If we upload this file instead the old one to : http://myserver.com/xss.gif we will be able to
upload it as a phpBB avatar. However when we access the file directly (as before) no HTML code
is going to be executed. That is because IE sees the valid header and tries to draw the image
instead of rendering the HTML (and fails anyway ...).

However if we change the file extention from .GIF to .JPG the GIF header in the beginning will
become meaningless to IE and the HTML code will be executed. So if we rename our image from
xss.gif to xss.jpg when we will navigate to http://myserver.com/xss.jpg we will see an alert
box (that should show the cookie on its current server).

The phpBB avatar upload system verifies the files header - and our header is pretty much valid -
for a GIF file, but not JPG. If we try to upload the file http://myserver.com/xss.jpg as our avatar
it will be successfuly uploaded. Hence any one who will navigate (in IE) directly to our avatar in its new address on the phpBB forum server (the URL should look like http://phpbbforum.com/phpbb/images/avatars/2131121a2121f.jpg) will be able to see his cookie information in an alert window.
Instead an image something like GIF89a_--. will apear, but it can be easily obfuscated with a simple
JavaScript.

As a Proof of Concept here is a ready made JPG file: (Save target as) http://planet.nana.co.il/mycoolpictures123/fake/lt2.jpg . Upload this (from its current location, or your HTTP server) as
an avatar to phpBB (or as I believe - any Bulletin Board system). In your avatar an invalid image
(red X) will appear, but when you navigate to it's current location (e.g. http://phpbbforum.com/phpbb/images/avatars/2131121a2121f.jpg) you will see an alert with your cookie.

Using the basic idea of my PoC, the code can be manipulated to send a users cookie information to
a CGI sniffer on a remote server. All that should be done is sending a message saying "Check out
this image" and specifying the avatars URL.

This is a major problem since 90% of the internet users use IE and lots of dynamic sites (like
bulletin boards) allow image upload to the server.

The solution could come in many ways. The best solution for the user is to use another browser
(like FireFox) untill a vendor patch from Micrsoft is available. For bulletin board administrators
it is highly advised to turn off the "Upload avatar from URL" option untill a patch from the vendor
(phpBB, vBulletin, IPB, and so on...) arrives.

Have a good day.
K-Gen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: IE flaw in image handling...
« Reply #1 on: October 22, 2005, 02:14:03 pm »
This sounds suspiciously like the 'image of doom' exploit that was always concidered a myth, where a seemingly harmless image can execute malicious code.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: IE flaw in image handling...
« Reply #2 on: October 22, 2005, 03:46:54 pm »
This sounds suspiciously like the 'image of doom' exploit that was always concidered a myth, where a seemingly harmless image can execute malicious code.
There are actually several vunerabilities discovered that make that a reality on either Linux or Windows.  The most famous one (at least, for me) was the Windows gif (GDI+) one.  I can't remember the update or anything, but it was scary during the gap between the exploit code and the patch.  We were positive that a worm was going to destroy the Internet by abusing that. 

But anyway,  yeah.  The code won't run if it's in a <img> tag, only if you directly go to the http://ww.....jpg site. 

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: IE flaw in image handling...
« Reply #3 on: October 22, 2005, 03:55:08 pm »
I know it's been discovered before, I'm just pointing out the similarity between this and that original idea. Chances are, the people who found this were looking for something along those lines.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: IE flaw in image handling...
« Reply #4 on: October 22, 2005, 03:56:41 pm »
If you knew it had been discovered, then why would it have been "always concidered a myth"[sic]?

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: IE flaw in image handling...
« Reply #5 on: October 22, 2005, 06:15:47 pm »
Because I didn't know how to phrase it. I had always heard that "eventually, someone will release a worm that spreads via a harmless image file" and I know there have been exploits reltaed to it, but it wouldn't make sense otherwise.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • *****
  • Posts: 7503
  • One for a Dime two for a Quarter!
    • View Profile
Re: IE flaw in image handling...
« Reply #6 on: October 22, 2005, 07:18:02 pm »
I better be careful while looking at  gay por-er motorcycles.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline Screenor

  • Hero Member
  • *****
  • Posts: 1611
  • My own little world.
    • View Profile
Re: IE flaw in image handling...
« Reply #7 on: October 23, 2005, 09:37:38 am »
This reminds me of that browser crash exploit that worked on nearly any browser, if not all. (FF included)