Penetration testing example: exifdata function

The SANS Pen Testing blog has an excellent example, guest written by Chris Andre Dale, of a new zero-day Cross-Site Scripting (XSS) attack delivered through file metadata:

http://pen-testing.sans.org/blog/pen-testing/2014/12/04/cross-site-scripting-through-file-metedata


The vulnerability is based on the EXIF data embedded in JPEG files: http://www.digital-photo-secrets.com/tip/38/what-is-exif/

You can view the EXIF data in Windows 7 by right-clicking on the image, choosing Properties and then the Details tab. This is cumbersome, though!

Here are the details of an image shot with a Samsung camera phone.

[Screenshot: EXIF details of the Samsung phone image]


This EXIF data can be used as an attack vector: any site that reads the metadata out of an uploaded image and displays it without escaping it will render whatever the attacker put there.

In the post Chris explains that exiftool.exe can be used to change the metadata in a JPEG file (including the camera make and model), but the first thing he does is look at the metadata of a number of JPEG files.

He then changed a JPEG file so that one of its metadata fields carried JavaScript that shows a popup when the image is viewed (he tested it); the popup said "You've been pwned!".


Unfortunately, this was only a tame test. Chris says: "In the screenshot above I've successfully uploaded an image, by accessing it through its respective attachment page. Remember, I am using a harmless payload, just alerting a text message. This could be a completely stealthy attack payload if I wanted it to be. Let's dive further into the WordPress finding."


He then proceeded to find a WordPress vulnerability: WordPress reads the embedded metadata from an uploaded image and shows it on the image's attachment page, so the JavaScript placed in the metadata ran when that page was viewed.

Here are the results of testing which social media sites keep or strip embedded metadata:

http://www.embeddedmetadata.org/social-media-test-results.php

The moral of the story is that programmers must treat file metadata as untrusted input: only use the fields that are actually needed, and escape them before displaying them. Otherwise an attacker will eventually use this against you, quietly, one upload at a time. Start taking this seriously or the hackers will pwn your site.
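To make the attack and the fix concrete, here is an added example (not code from the SANS post or from WordPress) written in Python using only the standard library. It builds a minimal JPEG container whose EXIF IFD0 carries an ImageDescription tag with an XSS payload (the same idea as what exiftool does to a real photo), parses the metadata back out the way a gallery or CMS would, and then renders an attachment page twice: once by dropping the field straight into HTML, and once with escaping. The JPEG is a constructed fixture with no image data, and the two render functions are hypothetical stand-ins for a site's template, not WordPress code.

```python
from __future__ import annotations

import html
import struct

# TIFF/EXIF tag numbers used below (IFD0, ASCII type)
EXIF_TAG_IMAGE_DESCRIPTION = 0x010E
EXIF_TAG_MAKE = 0x010F
EXIF_TAG_MODEL = 0x0110


def build_exif_jpeg(tags: dict[int, str]) -> bytes:
    """Constructed fixture: SOI + APP1/Exif segment + EOI, no image data.

    IFD0 holds one ASCII (type 2) entry per tag. Values of 4 bytes or
    fewer are stored inline in the entry, longer ones via an offset into
    the data area after the IFD, exactly as the TIFF layout requires."""
    n = len(tags)
    entries = b""
    blob = b""
    # TIFF header (8) + entry count (2) + entries (12 each) + next-IFD pointer (4)
    data_offset = 8 + 2 + 12 * n + 4
    for tag, text in sorted(tags.items()):          # IFD entries must be in ascending tag order
        value = text.encode("utf-8") + b"\x00"       # ASCII values are NUL terminated
        if len(value) <= 4:
            field = value.ljust(4, b"\x00")           # inline value
        else:
            field = struct.pack("<I", data_offset + len(blob))  # offset into data area
            blob += value
        entries += struct.pack("<HHI", tag, 2, len(value)) + field
    tiff = (b"II" + struct.pack("<HI", 0x2A, 8)      # little-endian TIFF header, IFD0 at offset 8
            + struct.pack("<H", n) + entries + struct.pack("<I", 0) + blob)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _parse_ifd0_ascii(tiff: bytes) -> dict[int, str]:
    """Return the ASCII tags of IFD0. Offsets come from the file, so every
    read is bounds-checked: a hostile file can point anywhere."""
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd_offset = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 0x2A or ifd_offset + 2 > len(tiff):
        raise ValueError("bad TIFF header")
    (count,) = struct.unpack(endian + "H", tiff[ifd_offset:ifd_offset + 2])
    out: dict[int, str] = {}
    for i in range(count):
        e = ifd_offset + 2 + 12 * i
        if e + 12 > len(tiff):
            break
        tag, typ, n, raw = struct.unpack(endian + "HHI4s", tiff[e:e + 12])
        if typ != 2:                                  # only ASCII tags in this example
            continue
        if n <= 4:
            data = raw[:n]
        else:
            (off,) = struct.unpack(endian + "I", raw)
            if off + n > len(tiff):
                continue                              # offset outside the segment: skip it
            data = tiff[off:off + n]
        # Untrusted bytes: drop the NUL terminator, decode leniently
        out[tag] = data.split(b"\x00", 1)[0].decode("utf-8", "replace")
    return out


def parse_exif_ascii(jpeg: bytes) -> dict[int, str]:
    """Walk the JPEG segment list and parse the first APP1/Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        (marker,) = struct.unpack(">H", jpeg[pos:pos + 2])
        if marker in (0xFFD9, 0xFFDA):                # EOI or start of scan: no more metadata
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        segment = jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == 0xFFE1 and segment.startswith(b"Exif\x00\x00"):
            return _parse_ifd0_ascii(segment[6:])
    return {}


def render_attachment_page_unsafe(tags: dict[int, str]) -> str:
    """Hypothetical template that trusts the metadata: this is the bug."""
    return f"<h1>{tags.get(EXIF_TAG_IMAGE_DESCRIPTION, '')}</h1>"


def render_attachment_page_safe(tags: dict[int, str]) -> str:
    """Same template, but the field is HTML-escaped before it reaches the page."""
    return f"<h1>{html.escape(tags.get(EXIF_TAG_IMAGE_DESCRIPTION, ''), quote=True)}</h1>"


if __name__ == "__main__":
    evil = build_exif_jpeg({EXIF_TAG_IMAGE_DESCRIPTION: "<script>alert('pwned')</script>",
                            EXIF_TAG_MAKE: "SAMSUNG", EXIF_TAG_MODEL: "S4"})
    tags = parse_exif_ascii(evil)
    print("unsafe:", render_attachment_page_unsafe(tags))
    print("safe:  ", render_attachment_page_safe(tags))
```

The unsafe render puts a live `<script>` element on the page; the safe one shows the payload as harmless text. The same escaping applies to every other metadata field a site chooses to display (camera make, model, comments, IPTC captions), and the allowlist approach from the post still holds: read only the tags you need, and treat them as attacker-controlled strings.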

Contact us if this does not make sense and we can let you know whether your website is vulnerable and what you can do to fix it.
