Thursday, June 07, 2007

Vulnerability using .gif files

I was talking to my boss about the possibility of an Omniture hack:

He stated that he's reviewed the code and all they are doing is downloading gif files, and that Omniture is used by large sites like CNN, Amazon and Sun. (Implication: if they use it, it must be secure.)

My response was: that makes them a great target. Look at the pot of gold at the other end of the rainbow. There are huge user bases for these sites plus people testing and reviewing the code at these companies behind firewalls...

So anyway, I said: what if the execution of malicious code is in the gif files, not in the JavaScript itself? And my boss says no, they are just simple gif files.

So I thought, well, I've seen hacks in image files before; let's see what's out there. And I found this:

Microsoft Office Remote Code Execution Using a Malformed GIF Vulnerability - CVE-2006-1540

A remote code execution vulnerability exists in Office using a GIF file. An attacker could exploit the vulnerability by constructing a specially crafted Office file that could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

And guess what. If someone could get this onto the Sun web site, that is where everyone goes to download Java - onto servers that run e-commerce web sites, application servers, etc. You get the picture.

I have no idea how to test this theory. Maybe someone out there can just verify nothing funky is going on...