WOW. They go to any extent.
Any info on how the code in the EXIF gets executed?
Yep, it’s true. Images can contain information, including code. This is not a new invention; it is cloak and dagger stuff. However, I’m not really sure if the code can be executed unintentionally, by opening a JPEG for example. My guess, and it is a guess, is that it’s not possible because, do you hear of it happening? If it was possible, people would be getting infected left and right, and I haven’t heard of anyone being infected by an image.
JD750 wrote:
Yep, it’s true. Images can contain information, including code. This is not a new invention; it is cloak and dagger stuff. However, I’m not really sure if the code can be executed unintentionally, by opening a JPEG for example. My guess, and it is a guess, is that it’s not possible because, do you hear of it happening? If it was possible, people would be getting infected left and right, and I haven’t heard of anyone being infected by an image.
I wonder if the code in the image is just 'data', and another program that may get downloaded looks for a particular image that may have been saved, to get the code?
I believe I read that some of these Trojan Horse photos can execute when opened. This was some years back, so I can't recall the details, just a recollection. I don't open photos from folks I don't know.
quixdraw wrote:
I believe I read that some of these Trojan Horse photos can execute when opened. This was some years back, so I can't recall the details, just a recollection. I don't open photos from folks I don't know.
What makes me suspicious of that is you don't hear about it. With the literally millions of scammers on-line, if it was that easy, it would be happening a lot. However I am not a coding expert so I will defer to someone who is an expert on image formats and execution options.
Yes, but…
From Quora:
"Yes, a specially crafted image can contain executable code. But, it usually has to be targeted to one specific vulnerability in one specific program that contains a programming flaw that allows information in the picture to overwrite information in the program displaying it in a predictable way.
Booby-trapping a picture file is a targeted attack. If the picture is displayed using something other than the program you’re targeting, the payload won’t be executed."
Source:
https://www.quora.com/Can-picture-files-contain-viruses
So what about QR codes then?
Longshadow wrote:
I wonder if the code in the image is just 'data', and another program that may get downloaded looks for a particular image that may have been saved, to get the code?
I had to look this up because it is not very common, but it is a very neat trick. The tradecraft I found indicated that it could happen, but the software handling the data (EXIF) would have to be known. So if the code were written, it would need to target a specific software and version where a discovered/known bug existed. So there isn't a one-size-fits-all method to exploit end users. EXIF data is typically read by some sort of software that lacks the ability to make calls to DLL files or other system files, which is fortunately a great safety feature that was not intended, but necessary.
The good news is that most (hopefully all by now) antivirus software picks up the PHP string that could potentially be malicious and stops the callback before it even happens. Additionally, any site that strips metadata and applies compression pretty much nulls out this type of attack instantly.
Also, any respectable and security conscious website provider has patched this vulnerability and does not allow executable files to be uploaded (e.g. picture.php.jpg).
I'll keep playing around with this, because I may include this in some of my training if I can find a more common and foolproof way to launch exploits using it.
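A worked example of the EXIF-plus-PHP trick described in the post above and of the "targeted at one parser" point in the Quora quote, added here as illustration (this is not code posted by anyone in the thread). In the scenario the post describes, no image viewer runs anything: the file is uploaded to a web server that is willing to hand picture.php.jpg to the PHP interpreter (Apache's AddHandler for .php matches it through mod_mime's multiple-extension rule), and PHP passes the JPEG bytes through as literal output while executing only what sits between <?php and ?>, so a payload in the Exif segment survives intact. The script below builds a constructed, non-decodable JPEG carrying a hypothetical webshell string in its Exif APP1 segment, parses the marker segments without trusting the attacker-controlled length field (the sort of trust a booby-trapped picture abuses in a real parser), finds the PHP tag the way an AV signature would, strips the metadata by rebuilding the file from image-bearing segments only, and rejects double-extension filenames. Standard library only; the payload, sample bytes and allowlist are my assumptions.

```python
"""Added example, not code from the thread: build a JPEG whose Exif segment
carries a PHP tag, then apply the defences the post mentions (PHP-string scan,
metadata stripping, double-extension rejection). The sample JPEG is constructed
and is not a decodable picture."""
import os
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
# Hypothetical webshell-style payload: the "PHP string" the post refers to.
PHP_PAYLOAD = b"<?php system($_GET['cmd']); ?>"
PHP_TAGS = (b"<?php", b"<?=")
# Segments a decoder needs: SOF0-2, DHT, DQT, DRI, SOS. Everything else
# (APPn including Exif/JFIF, COM) is metadata and can be dropped.
IMAGE_SEGMENTS = {0xC0, 0xC1, 0xC2, 0xC4, 0xDB, 0xDD, 0xDA}
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}   # assumed upload allowlist


def segment(marker: int, payload: bytes) -> bytes:
    """Encode one marker segment: FF, marker, 2-byte length (includes itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def make_booby_trapped_jpeg() -> bytes:
    """Constructed sample: Exif APP1 carrying the PHP payload, a COM segment,
    a placeholder SOS header with three bytes of fake scan data, then EOI."""
    exif = b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + PHP_PAYLOAD
    return (SOI
            + segment(0xE1, exif)                  # APP1: where Exif lives
            + segment(0xFE, b"harmless comment")   # COM
            + segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"
            + EOI)


def parse_segments(data: bytes):
    """Yield (marker, raw_bytes) per segment without trusting the length field.
    A parser that copies `length` bytes into a fixed buffer because the file
    says so is the kind of flaw the Quora quote describes; here any length the
    file cannot back up is an error, not a copy."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                                # EOI: done
            return
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:      # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"segment 0x{marker:02X} claims {length} bytes the file lacks")
        start, pos = pos, pos + 2 + length
        if marker == 0xDA:                                # SOS: scan data follows until EOI
            end = data.find(EOI, pos)                     # FF in scan data is always stuffed
            if end == -1:
                raise ValueError("missing EOI after scan data")
            pos = end
        yield marker, data[start:pos]
    raise ValueError("file ends without EOI")


def is_well_formed(data: bytes) -> bool:
    """True if every segment's declared length is backed by real bytes."""
    try:
        for _ in parse_segments(data):
            pass
        return True
    except ValueError:
        return False


def find_php(data: bytes) -> list:
    """Markers of every segment containing a PHP open tag (what the post says
    AV engines look for)."""
    return [m for m, raw in parse_segments(data) if any(t in raw for t in PHP_TAGS)]


def strip_metadata(data: bytes) -> bytes:
    """Rebuild from image-bearing segments only, dropping APPn/COM. A host that
    re-encodes uploads gets the same effect, which is why it nulls the trick."""
    kept = [raw for m, raw in parse_segments(data) if m in IMAGE_SEGMENTS]
    return SOI + b"".join(kept) + EOI


def safe_upload_name(filename: str) -> bool:
    """Allowlist the final extension and refuse any extra dot in the stem, so
    picture.php.jpg is rejected. Deliberately conservative: my.photo.jpg is
    refused too rather than risk a second, handler-bearing extension."""
    stem, ext = os.path.splitext(os.path.basename(filename))
    return bool(stem) and "." not in stem and ext.lower() in ALLOWED_EXT


if __name__ == "__main__":
    img = make_booby_trapped_jpeg()
    print("PHP found in segments:", [hex(m) for m in find_php(img)])  # ['0xe1']
    clean = strip_metadata(img)
    print("after stripping:", find_php(clean), len(clean), "bytes")   # [] 17 bytes
    print("picture.php.jpg allowed?", safe_upload_name("picture.php.jpg"))  # False
```

The order of the checks matters in practice: the filename allowlist stops the server from ever handing the upload to PHP, the rebuild removes the payload even if the name slips through, and the tag scan is the last line, since a payload can be split across segments or encoded to dodge a literal match.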
But I didn't see where it states how the code in an image gets executed.
What causes the code to run?