[Mimedefang] RE: JPEG exploit checking in mimedefang-filter

Ian Mitchell junk at aftermagic.com
Tue Sep 28 12:28:05 EDT 2004


> I have written a quick and dirty check for corrupt JPEG files in
> mimedefang-filter. It uses the program "djpeg", which should be in most
> Linux and Unix distributions, to convert the file to a bitmap written
> to /dev/null. It lets the file in if it manages to convert it
> successfully, and rejects it otherwise.
>
> It should catch the latest JPEG virus. At least it catches the sample
> I have found here:
> 	http://www.easynews.com/virus.html
<SNIP>
>     if (re_match($entity, '\.jp(e?)g$') ) {

A few notes regarding the recent snippets scanning for JPEG viruses. First,
as was noted earlier on some mailing list (Bugtraq?), the GDI+ library
does not differentiate file formats based on the extension. It bases them
on the file header. What's the impact? If I rename virus.jpeg to
virus.bmp, your computer will still catch it and the code below will be
totally bypassed. You need to scan based on the header of the attachment.
Specifically, the code below was posted on that site and also addresses the
issue. Now, I haven't spiffed it up to work with MIMEDefang, but you'll
have to scan the first few bytes of the attachment to determine if it's a
JPEG.

Another note: the virus discussed in this listing isn't a virus per se,
more of a trojan horse. But I'm guessing the countdown timer till we see a
pervasive worm or virus is under 48 hours. Just a thought based on the
visibility of the exploit. I think beating this vulnerability is going to
be more dependent on education of the end user. Lord knows, I've already
talked to my mom ;)

Email is only one vector; what about web? File sharing? Honestly, a
discreetly placed JPEG done in the same fashion as those JS exploits a
month or two ago would probably be much more devastating than an email-borne
virus. Make sure your mother updates her computer!

Snippet from http://www.easynews.com/virus.html:

#!/usr/bin/perl
# Checks one JPEG file for the malformed comment segment used by the exploit.
use strict;
use warnings;

my $file = shift @ARGV or die "usage: $0 file.jpg\n";
my $size = (stat($file))[7];
open my $fh, '<', $file or die "cannot open $file: $!\n";
binmode $fh;
sysread($fh, my $input, $size);
close $fh;

# Header check, not extension check: a JPEG starts with the SOI marker FF D8.
if ($input !~ /^\xff\xd8/) {
        print "not a jpeg\n";
        exit;
}
# A COM marker (FF FE) with a declared length of 0 or 1 is the trigger.
# Note that $file is interpolated into a shell command below.
if ($input =~ /\xff\xfe\x00[\x00\x01]/s) {
        # stderr (djpeg's debug trace) is captured; the bitmap on stdout is discarded.
        my @debug = `djpeg -debug $file 2>&1 > /dev/null`;
        if (grep { /Comment, length -*[01]:/i } @debug) {
                print "jpeg has virus\n";
        }
}

<SNIP>
> --
> ...although Eating Honey was a very good thing to do, there was a
> moment just before you began to eat it which was better than when you
> were...
>                                                       Winnie the Pooh

Boy oh boy, that quote is one to ponder... I'll be working on that for
months at least ;)
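As an added example (not code from the list post, from easynews.com, or from MIMEDefang), here is the header-based check the message argues for, written as a stand-alone Python scanner rather than a mimedefang-filter hook. It ignores the file name completely, walks the JPEG marker segments from the SOI header, and flags a COM (0xFFFE) segment whose declared length is 0 or 1, the same condition the Perl snippet's regular expression looks for and the trigger for the GDI+ comment-length bug (MS04-028) the thread is about. Walking segments instead of regex-matching the whole file means an FF FE 00 00 byte sequence buried inside some other segment's payload (an APP1 block, say) is not mistaken for a comment marker. The sample JPEG byte strings and the helper names are constructed here for illustration.

```python
"""Header-based JPEG scanner (added example; not the list post's own code)."""
import re
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Marker codes that carry no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def extension_says_jpeg(name: str) -> bool:
    """The extension test from the quoted filter: trivially bypassed by renaming."""
    return re.search(r"\.jpe?g$", name, re.I) is not None


def is_jpeg(data: bytes) -> bool:
    """Sniff the format from the header bytes, the way GDI+ does, never from the name."""
    return data[:3] == b"\xff\xd8\xff"


def walk_segments(data: bytes):
    """Yield (offset, marker, declared_length) for each header segment.

    Stops at SOS (start of entropy-coded data) or EOI.  The two-byte length
    counts itself, so a declared length below 2 can never be valid; such a
    segment is yielded (so the caller can classify it) and then the walk aborts.
    """
    if not is_jpeg(data):
        raise ValueError("not a JPEG: no SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        # Any number of 0xFF fill bytes may precede the marker code.
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield (pos - 2, marker, None)
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        yield (pos - 2, marker, length)
        if length < 2:
            raise ValueError(f"segment 0x{marker:02X} at offset {pos - 2} declares length {length}")
        if marker == SOS:
            return
        pos += length


def scan(data: bytes) -> str:
    """Classify attachment bytes: 'not a jpeg', 'suspicious', 'malformed' or 'clean'."""
    if not is_jpeg(data):
        return "not a jpeg"
    try:
        for _offset, marker, length in walk_segments(data):
            if marker == COM and length is not None and length < 2:
                return "suspicious"      # the FF FE 00 0[01] condition from the snippet
    except ValueError:
        return "malformed"
    return "clean"


def _segment(marker: int, payload: bytes) -> bytes:
    """Build a well-formed segment; the length field includes its own two bytes."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample files (headers only; no image data is needed for the check).
_APP0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
CLEAN_JPEG = b"\xff\xd8" + _APP0 + _segment(COM, b"hello") + b"\xff\xd9"
# COM marker with a declared length of 0, followed by junk where the comment would be.
BAD_JPEG = b"\xff\xd8" + _APP0 + b"\xff\xfe\x00\x00" + b"A" * 16 + b"\xff\xd9"
BITMAP = b"BM" + b"\x00" * 12

if __name__ == "__main__":
    # Renaming the bad file to .bmp defeats the extension check, not the header check.
    for name, data in (("pic.jpg", CLEAN_JPEG), ("virus.jpeg", BAD_JPEG),
                       ("virus.bmp", BAD_JPEG), ("logo.bmp", BITMAP)):
        print(f"{name:12} ext-says-jpeg={extension_says_jpeg(name)!s:5} header-scan={scan(data)}")
```

Run it as a script to see the same bytes classified identically under the names virus.jpeg and virus.bmp; a real filter would call scan() on each decoded MIME part regardless of its declared name or Content-Type.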


