Tuesday, December 24, 2024
Homecyber securityCritical Vulnerabilities in JPEG 2000 Library Let Attackers Execute Remote Code

Critical Vulnerabilities in JPEG 2000 Library Let Attackers Execute Remote Code

Published on

SIEM as a Service

Exploiting memory corruption vulnerabilities in server-side software often requires knowledge of the binary and environment, which limits the attack surface, especially for unknown binaries and load-balanced environments. 

Successful exploitation is challenging due to the difficulty of preparing the heap and deploying ROP chains without this information. 

Researchers discovered vulnerabilities in the Kakadu JPEG 2000 library, which could potentially allow remote code execution, by developing a technique called “Conditional Corruption” to exploit these vulnerabilities, crafting self-modifying images to achieve the desired impact.

- Advertisement - SIEM as a Service

A technical overview of JPEG 2000, including its vulnerabilities and exploitation strategies, has been provided by using code snippets from Kakadu version 8.41 to illustrate their findings and explain the challenges encountered during exploit development.

Organization of the image
Organization of the image

The JPEG 2000 standard uses boxes to store metadata about an image, such as its dimensions and color information, which are hierarchical, allowing for nested structures.

The actual image data, encoded in the codestream, is typically located within a specific box within the overall file structure.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

The Codestream, a sequence of Type-Length-Value containers called Segment Markers, stores image data. Each Segment Marker starts with a unique identifier followed by a length field. 

Tiles, rectangular units within the image, are defined by Start-of-Tile (SOT) and Start-of-Data (SOD) markers, which include a tile index used to calculate its position in the image.

Tile dimensions in the context of the larger image.
Tile dimensions in the context of the larger image.

A vulnerability in Kakadu’s JPEG 2000 decoder that allows for arbitrary file reads by exploiting Codestream fragmentation, which is a variant of TALOS-2017-0309 and caused by an out-of-bounds write on the heap due to signed integer multiplication.

It allows attackers to inject bytes from local files into the codestream of JPX images. By crafting JPX images with specific data references and fragment tables, attackers can exfiltrate bytes from arbitrary files by encoding them within the image’s properties or pixels.

 high-level visualization of the JPX fragmentation
 high-level visualization of the JPX fragmentation

The researchers exploited a vulnerability in JPEG 2000 by manipulating tile data and comment markers to leak sensitive data within an image and used a jump table mechanism to encode leaked bytes into pixel values, allowing for data exfiltration and potential remote code execution.

They found that Kakadu’s default behavior of writing uninitialized tiles with 0x80 data caused unpredictable crashes.

By leveraging the SOT marker’s tile-number parameter, they were able to craft an image that would write only a single tile of controlled data, preventing the 808080 Apocalypse and enabling more reliable and predictable heap overflows.

Visualization of crash fingerprint prevalence over time.
Visualization of crash fingerprint prevalence over time.

The attackers found a reliable heap overflow in Kakadu by exploiting a composition layer extensions box by using a Kha-Kha slide to dynamically determine the object alignment and avoid crashes, increasing exploit reliability. 

Bug Hunter also added a mechanism to check for invalid memory addresses and bail out early, preventing the exploitation of unintended targets. 

Leveraging file-read and memory-read primitives, they executed conditional corruption to reliably target a worker process and gain a write-what-where primitive, which allowed them to locate global variables, hijack control flow, and execute arbitrary code without user impact.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Latest articles

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...