

Test an image for GDI+ hack?

Posted on 2004-11-24
Medium Priority
Last Modified: 2010-04-11
Is there a way to test an image to see if it has the GDI+ exploit?  I know how to test if my computer is VULNERABLE for the GDI+ exploit, but that's not what I want.  I want to see if an image is using the exploit.

My firewall is blocking a particular PDF saying: Error: "Attack Info: Malformed JPEG"  

How can I find out if this is a false positive, or if this image really is a hack/exploit?

Question by:shanepresley

Expert Comment

ID: 12665485
I think it would be better if you first tested whether your system is vulnerable to GDI+, and then simply opened your image in a test (not production) environment where you did not patch the problem.

Accepted Solution

elbereth21 earned 1500 total points
ID: 12665514
Also take a look at this excerpt taken from http://www.informit.com/guides/content.asp?g=security&seqNum=52
" At the very beginning of a JPEG file, there is a value that tells the parser if there is comment data included with the jpeg file. If there is no comment, the value is set to '2', or it is higher if there is a comment. If you insert a '1' or '0' in this location, the GDI+ code will use this information and overwrite the stack with data, which may allow an attacker to execute their own code. The following is an example of what the first several bytes of a potentially dangerous jpeg look like:
FF D8       - designated JPEG header
FF E0       - Start of comment section
00 10       - Indicates problem (should be 00 20)
4A 46 49 46       - JFIF

The danger in this is that one day after the vulnerability was posted, an example was released. This simplifies the exploit creation process by giving potential attackers a solid place to start. Windows XP (not SP2) was found to be vulnerable, as well as a collection of other software packages that use this dll to process jpeg images. Note: Antivirus companies are detecting this anomaly and calling it Bloodhound. "
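As an added example (not code from the thread or the quoted article), here is a defender-side check in Python that walks the marker segments of a JPEG and flags any declared segment length below 2, which is the malformed condition the excerpt describes (the length field counts its own two bytes, so 0 or 1 can never be valid). Note that the JPEG comment segment is marked FF FE (FF E0 is the JFIF APP0 segment), so a short length in a COM segment is reported as the specific pattern and a short length elsewhere as a generic malformed file; the sample byte strings are constructed for illustration, not real images.

```python
import struct

# Markers with no length field: SOI, EOI, RST0-RST7, TEM
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
COM = 0xFE  # comment segment marker (FF FE)
SOS = 0xDA  # start of scan: entropy-coded data follows, stop the header walk


def scan_jpeg_segments(data: bytes):
    """Return a list of (offset, marker, declared_length, reason) findings.

    An empty list means every header segment carried a sane length.
    """
    findings = []
    if data[:2] != b"\xff\xd8":
        return [(0, None, None, "not a JPEG (missing FF D8 SOI)")]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append((pos, None, None, "expected marker byte FF"))
            break
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte between markers, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == 0xD9:        # EOI
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append((pos, marker, None, "truncated length field"))
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            reason = ("COM length < 2 (MS04-028 pattern)" if marker == COM
                      else "segment length < 2 (malformed)")
            findings.append((pos, marker, length, reason))
            break                     # a parser cannot advance past this
        if marker == SOS:
            break
        pos += 2 + length
    return findings


# Constructed samples: a minimal JFIF APP0 segment (length 0x10 = 16 bytes)
JFIF_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
BENIGN = b"\xff\xd8" + JFIF_APP0 + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"
SUSPECT = b"\xff\xd8" + JFIF_APP0 + b"\xff\xfe\x00\x00" + b"\xff\xd9"
```

To check a real file, read it in binary mode and pass the bytes to `scan_jpeg_segments`; this only inspects the JPEG header structure and does not detect other attack techniques.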
