[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[BEATING A NOT QUITE DEAD] Passive Trojan [HORSE] (was:Re: HAZ-MAT virus)



>The key to the success is that the application in question has to be 
>compromised to respond to these codes, either by design or by hacking. 
>Either way the individual responsible must modify the execution 
>mechanism, not just the data itself.

A well-written program is hard to exploit, but badly written programs
can often be exploited in ways that allow execution of untrusted code.
For instance, the fingerd bug exploited so spectacularly by Robert Morris
handed a program more input that it was ready to accept, and the program
stupidly kept writing the input into the array, past the end, and out
into the stack, where it could be later interpreted as executable code.

If a popular GIF or JPEG interpreter was written that badly, you could 
possibly devise a GIF that lies about how big it is and encourages
the program to scribble on its stack.  Now, there probably aren't any
like that, and it'd probably have to be Netscape or MSIE or Lview
to be widespread enough to make an attack like that worthwhile.
(I'd bet on MSIE, of the three of them :-)  Does Microsoft have some sort
of Really Cool Extension to JPEG, allowing Macros for Self-Modifying JPEGs,
trying to out-do Netscape's animated GIFs?)

>Let's see -current examples of computing items with this kind of a 
>"feature"... magic cookies, macros, OLE, DDE, MS Objects, JAVA, and the 
>list keeps growing.

Back when Good Times came out, everyone denied that it was possible
for there to be any risk from a text file (though, as I pointed out,
escape-sequence hacks have been used occasionally for over 15 years),
and not long after that, the MSWord Macro Viruses started appearing.
Bad Code can't always be hacked usefully, but it can always be hacked...

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# <A HREF="http://idiom.com/~wcs"> 	
# You can get PGP software outside the US at ftp.ox.ac.uk/pub/crypto