This document contains technical and summary information regarding recent attacks observed by Nettitude that use malicious content embedded in a file structured as a Graphics Interchange Format (GIF) image file. On a vulnerable installation, the exploitation process described can result in a complete compromise of the target system, installation of an HTTP (HyperText Transfer Protocol) proxy system and enrolment into a botnet. To be vulnerable to this attack, a web server running PHP with an insecure application or a poorly configured hosting environment must be exposed to the attacker.
This document contains technical information regarding malicious content found embedded in an image file, which was recently investigated by Nettitude. This file, when uploaded to a vulnerable server, results in the complete or partial compromise of the host. The vulnerabilities targeted by this exploit could be found either entirely within a poorly coded web application, or in a poorly configured hosting environment.
In a typical use case, the malicious file may be uploaded to a site as user-supplied content. A classic example is allowing users to specify their own avatar or profile picture. A more business-focused example is allowing users to upload attachments to their content, such as photographic evidence on insurance claims. Once uploaded, if the file is served in its original form, the host may be compromised.
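A defender-side check for the upload scenario above, as an added example that is not taken from the Nettitude report: it walks the GIF block structure and reports the places where non-image bytes can sit (comment extensions, data after the trailer). It assumes the embedded content is PHP source marked by an opening tag; `inspect_gif` and the sample bytes are constructed for illustration.

```python
import re
import struct

# Assumption: the embedded content is PHP source, so an opening tag marks it.
# Heuristic only: compressed pixel data can contain these bytes by chance.
PHP_TAG = re.compile(rb"<\?(?:php|=|\s)", re.IGNORECASE)

def _sub_blocks(data, pos):
    """Read length-prefixed GIF sub-blocks; return (payload, next position)."""
    payload = b""
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return payload, pos
        payload += data[pos:pos + size]
        pos += size

def _table_len(flags):
    """Byte length of a colour table announced by a packed-flags byte."""
    return 3 * 2 ** ((flags & 0x07) + 1) if flags & 0x80 else 0

def inspect_gif(data):
    """Return findings for bytes claiming to be a GIF; [] means nothing odd."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return ["not a GIF: bad signature"]
    findings = ["PHP opening tag present"] if PHP_TAG.search(data) else []
    try:
        pos = 13 + _table_len(data[10])  # header + screen descriptor + palette
        while data[pos] != 0x3B:  # 0x3B is the trailer
            if data[pos] == 0x21:  # extension block
                label = data[pos + 1]
                payload, pos = _sub_blocks(data, pos + 2)
                if label == 0xFE and payload:  # comment extension
                    findings.append("comment extension carries %d bytes" % len(payload))
            elif data[pos] == 0x2C:  # image descriptor, then LZW data
                pos += 10 + _table_len(data[pos + 9]) + 1
                _, pos = _sub_blocks(data, pos)
            else:
                return findings + ["unknown block at offset %d" % pos]
        if len(data) > pos + 1:
            findings.append("%d bytes after GIF trailer" % (len(data) - pos - 1))
    except IndexError:
        findings.append("truncated or malformed GIF structure")
    return findings

# Constructed samples: a 1x1 GIF, and the same file with an inert marker appended.
CLEAN = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00" * 3 + b"\xff" * 3
         + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x4c\x01\x00\x3b")
SUSPECT = CLEAN + b"<?php /* constructed placeholder, no code */ ?>"
```

Because the risk described is serving the file in its original form, a finding is a reason to reject or quarantine the upload, and re-encoding accepted images before storage drops these regions whether or not the scan matched.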