Thursday, December 5, 2024
Homecyber securityCritical Vulnerabilities in JPEG 2000 Library Let Attackers Execute Remote Code

Critical Vulnerabilities in JPEG 2000 Library Let Attackers Execute Remote Code

Published on

SIEM as a Service

Exploiting memory corruption vulnerabilities in server-side software often requires knowledge of the binary and environment, which limits the attack surface, especially for unknown binaries and load-balanced environments. 

Successful exploitation is challenging due to the difficulty of preparing the heap and deploying ROP chains without this information. 

Researchers discovered vulnerabilities in the Kakadu JPEG 2000 library, which could potentially allow remote code execution, by developing a technique called “Conditional Corruption” to exploit these vulnerabilities, crafting self-modifying images to achieve the desired impact.

- Advertisement - SIEM as a Service

A technical overview of JPEG 2000, including its vulnerabilities and exploitation strategies, has been provided by using code snippets from Kakadu version 8.41 to illustrate their findings and explain the challenges encountered during exploit development.

Organization of the image
Organization of the image

The JPEG 2000 standard uses boxes to store metadata about an image, such as its dimensions and color information, which are hierarchical, allowing for nested structures.

The actual image data, encoded in the codestream, is typically located within a specific box within the overall file structure.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

The Codestream, a sequence of Type-Length-Value containers called Segment Markers, stores image data. Each Segment Marker starts with a unique identifier followed by a length field. 

Tiles, rectangular units within the image, are defined by Start-of-Tile (SOT) and Start-of-Data (SOD) markers, which include a tile index used to calculate its position in the image.

Tile dimensions in the context of the larger image.
Tile dimensions in the context of the larger image.

A vulnerability in Kakadu’s JPEG 2000 decoder that allows for arbitrary file reads by exploiting Codestream fragmentation, which is a variant of TALOS-2017-0309 and caused by an out-of-bounds write on the heap due to signed integer multiplication.

It allows attackers to inject bytes from local files into the codestream of JPX images. By crafting JPX images with specific data references and fragment tables, attackers can exfiltrate bytes from arbitrary files by encoding them within the image’s properties or pixels.

 high-level visualization of the JPX fragmentation
 high-level visualization of the JPX fragmentation

The researchers exploited a vulnerability in JPEG 2000 by manipulating tile data and comment markers to leak sensitive data within an image and used a jump table mechanism to encode leaked bytes into pixel values, allowing for data exfiltration and potential remote code execution.

They found that Kakadu’s default behavior of writing uninitialized tiles with 0x80 data caused unpredictable crashes.

By leveraging the SOT marker’s tile-number parameter, they were able to craft an image that would write only a single tile of controlled data, preventing the 808080 Apocalypse and enabling more reliable and predictable heap overflows.

Visualization of crash fingerprint prevalence over time.
Visualization of crash fingerprint prevalence over time.

The attackers found a reliable heap overflow in Kakadu by exploiting a composition layer extensions box by using a Kha-Kha slide to dynamically determine the object alignment and avoid crashes, increasing exploit reliability. 

Bug Hunter also added a mechanism to check for invalid memory addresses and bail out early, preventing the exploitation of unintended targets. 

Leveraging file-read and memory-read primitives, they executed conditional corruption to reliably target a worker process and gain a write-what-where primitive, which allowed them to locate global variables, hijack control flow, and execute arbitrary code without user impact.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...