UPDATE: Microsoft Feature Exploited.
Published on: 1215194009
Update: Sorry, I was misinformed. It seems that Microsoft did not fix[2] the feature in MSIE 7 and 8; all versions still seem to be vulnerable. I cannot confirm this, but it definitely still works in MSIE 6. I have rewritten the article accordingly.
I read that Microsoft still has not fixed the UXSS image issue[1], and that it has now been found in the wild, exploited by malware writers. I wrote about it in early 2007. The attack is pretty easy to perform. Here is how it works, in case you didn't know about it.
First, you create an image. If you have Photoshop, which is the quickest way, you can set a watermark inside the image as metadata: go to File > File Info, and inside the copyright notice field you can enter whatever you like, such as HTML, JavaScript, or iframes that fetch Trojans. For Firefox and Opera users the image renders normally, without any notice. In Internet Explorer, however, the image's content overrides the Content-Type header during content negotiation: because HTML is present in the file, the file is rendered as HTML. This has been used plenty of times by malware writers, and AV vendors had a very hard time detecting it. According to Viruslist[2], Microsoft has always called this a feature. I still have a hard time understanding why; I guess they would describe it as a content-negotiation issue. MSIE 6 (7/8?) and lower are still vulnerable.
If you don't have Photoshop, you can also create an image with a text editor. Copy and paste one of the following lines, which creates a full header for that file type. After the header, type the basic JavaScript you want to execute. Then save the file with an image extension, open it in MSIE and be amazed.
GIF:
%137%71%73%70%13%10%26%10%00%00%00%13%00%00%00%01%00%00%00%01<script>alert('NWO');</script>
JPG:
%137%74%80%71%13%10%26%10%00%00%00%13%00%00%00%01%00%00%00%01<script>alert('NWO');</script>
PNG:
%137%80%78%71%13%10%26%10%00%00%00%13%00%00%00%01%00%00%00%01<script>alert('NWO');</script>
GIF decimal header: G = 71, I = 73, F = 70
JPG decimal header: J = 74, P = 80, G = 71
PNG decimal header: P = 80, N = 78, G = 71
Note: these headers aren't really needed, but it is interesting to include them, or at least to know them. If you want to create an image[1] that still renders correctly in Firefox and Opera, it's better to use Photoshop.
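As an added defender-side example (not from the original post), here is a small Python scanner of the kind an upload filter or AV engine would run: it checks a file against the real GIF/JPG/PNG magic bytes and searches the whole buffer, metadata included, for HTML markup that has no business inside an image. The sample blobs are constructed for the demonstration and are not decodable images.

```python
import re

# Real magic-byte signatures for the three formats discussed above.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Tags that should never appear inside image bytes or their metadata fields.
HTML_MARKERS = re.compile(
    rb"<\s*(script|html|body|iframe|object|embed|meta)\b", re.IGNORECASE
)


def detect_format(data: bytes):
    """Return 'gif', 'jpg' or 'png' if the bytes start with a known signature, else None."""
    for fmt, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    return None


def scan_image(data: bytes) -> dict:
    """Flag a file that lacks an image signature or carries HTML anywhere in it.

    The entire buffer is searched rather than only the leading bytes, because
    metadata fields such as a Photoshop copyright notice sit deep inside the file.
    """
    fmt = detect_format(data)
    match = HTML_MARKERS.search(data)
    return {
        "format": fmt,
        "html_offset": match.start() if match else None,
        "suspicious": fmt is None or match is not None,
    }


# Constructed sample inputs: signature bytes plus filler, not real images.
SAMPLES = {
    "clean_png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
    "gif_with_script": b"GIF89a\x01\x00\x01\x00" + b"<script>x()</script>",
    "jpg_metadata_html": b"\xff\xd8\xff\xe1" + b"Copyright: " + b"<iframe src=x>" + b"\xff\xd9",
    "no_signature": b"<html><body>not an image</body></html>",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, scan_image(blob))
```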
[1] UXSS example image: http://0x000000.com/images/aye.png
[2] http://www.viruslist.com/en/weblog?weblogid=208187540