Here are two different scenarios that deal with how a photo could get a company pwned; one involves uploading a malicious JPEG and another involves how one photo nabbed via smartphone could take down a company. Both will be presented at the RSA conference.

The Little JPEG That Could Hack Your Organization

During an awareness session at the RSA conference, TrueSec security manager Marcus Murray will demonstrate how an attacker can get around the security mechanisms of a Microsoft Windows Server 2012 R2 by using one specially crafted JPEG. Once an attacker has breached the perimeter, he or she can move laterally, leveraging elevated privileges until compromising a Windows Server 2012 R2 Domain Controller and thereby pwning the entire domain. RSA posted a quick look at Murray's "The Little JPEG That Could Hack Your Organization."

The "live hack" demo shows a real attack that was used against an unnamed government agency; the attackers discovered where profile photos could be uploaded on the site and then exploited that upload function. Murray shows examples of how the site allows JPEG uploads, only looking for ".jpg" somewhere in the file name. After renaming a photo by adding .aspx after .jpg (anonymous.jpg.aspx) and successfully uploading it, the attacker discovered that the image content, and not the file extension, was being validated. The web server saw the JPEG as HTML, and the metadata text was readable on the uploaded photo's preview page.

With a new goal of inserting dynamic .aspx code into the photo, the attacker could use a simple EXIF (Exchangeable Image File Format) tool that allows hidden metadata embedded in photos to be viewed. This is the same metadata that can contain geotagged locations, which I Can Stalk You used to raise awareness about the dangers of not stripping out personally identifiable EXIF info.
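One defender-side gate for an upload path like the one described above, written as an added example that is not from the article or from Murray's demo: only the last extension is allow-listed (so a double extension such as anonymous.jpg.aspx is refused), the bytes are checked to be a JPEG, and every APPn and COM segment, which is where EXIF and comment text live, is dropped before the file is stored. The segment walk follows the standard JPEG marker layout; the sample image and the choice to drop all APPn segments are assumptions.

```python
import os
import struct

ALLOWED_EXT = {".jpg", ".jpeg"}
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# APP0-APP15 (0xE0-0xEF; EXIF lives in APP1) and COM (0xFE) hold free-form
# text a decoder never needs. Assumption: all of them are dropped.
METADATA_MARKERS = set(range(0xE0, 0xF0)) | {0xFE}


def safe_extension(filename: str) -> bool:
    """Only the LAST extension counts; dots in the stem (double extensions) are refused."""
    root, ext = os.path.splitext(os.path.basename(filename))
    return ext.lower() in ALLOWED_EXT and "." not in root


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Re-emit a JPEG keeping only segments a decoder needs; drop anything after EOI."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(JPEG_SOI)
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: copy scan data through the first EOI, nothing more
            end = data.find(JPEG_EOI, pos)
            if end < 0:
                raise ValueError("no EOI marker after SOS")
            out += data[pos:end + 2]
            return bytes(out)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts its own 2 bytes
        if marker not in METADATA_MARKERS:
            out += data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS segment")


def validate_upload(filename: str, data: bytes) -> bytes:
    """Profile-photo upload gate: name check first, then content check and cleaning."""
    if not safe_extension(filename):
        raise ValueError("file extension not allowed: %s" % filename)
    return strip_jpeg_metadata(data)


def build_sample_jpeg() -> bytes:
    """Constructed input (not a real photo): SOI, APP0, COM text, tiny SOS, EOI, junk."""
    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    scan = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
    return (JPEG_SOI + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xFE, b"constructed comment text") + scan + JPEG_EOI + b"TRAILING JUNK")
```

Because the preview page in the demo rendered whatever text sat in the metadata, stripping those segments server-side removes that channel regardless of what the upload form checks.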
Murray explained that the attackers inserted "evil code" as a "comment" in the EXIF data and then played with the command-line function displayed on the preview page. But an attacker would want to do something more than just compromise the machine. To demonstrate, Murray opened his Metasploit Pro console, where the payload handler was waiting for a connection; he inserted a PowerShell command on the compromised server that could run code. It then downloaded Meterpreter code into the memory of the target server.

With that foothold, an attacker could elevate privileges and move laterally to exfiltrate data. If you are interested, here is a longer 56-minute video version of Murray's "little JPEG that could."

RSA presentation: How one smartphone picture can take down your company

Larry Ponemon, Founder of the Ponemon Institute, will explain "how one smartphone picture can take down your company (pdf)." Earlier this year, the Ponemon Institute published the results of a visual hacking study. Visual hacking is basically a low-tech hack like shoulder surfing; in nine of 10 attempts, a white hat hacker was able to "visually hack" sensitive company information. "In 70% of incidences, a visual hacker was not stopped by employees – even when using a cell phone to take a picture of data displayed on a screen."

The following slide from Ponemon's presentation shows the percentage of attempts in which a white hat hacker was able to visually hack a company.
Some suggested takeaways to protect against low-tech, shoulder-surfing visual hackers included using privacy filters on laptops and mobile devices, ensuring confidential documents are not reviewed in public places or left unattended, not sharing or displaying PII on a screen as it could lead to a phishing attack, as well as ensuring "sensitive information is not [to be] verbally discussed while on the phone or in-person."