Skorpinok Rover (Posted January 4, 2013)
Hello, I have a very odd question, but I don't have knowledge of this; it's a bit strange. I have two virtual machines, BT5R3 & Windows XP SP2, running on VMware Workstation 8. In case my XP gets infected with backdoors & viruses through penetration testing or visiting warez sites, & if I upload a picture on Facebook from the same XP machine, will my friends' PCs get a virus if they download the same image? Please share your views with me. Sorry for my stupidity... Regards, Skorpinok

Pwnd2Pwnr (Posted January 4, 2013)
I do believe you cannot use any malicious pic, jpeg, etc. on Facebook. I could be wrong... but I am nearly certain that the pic would not be able to get uploaded to FB. They use a VS of some sort so you can't send any arbitrary code. But, if the pic went to a link... ;)

telot (Posted January 4, 2013, edited)
There's really no such thing as a malicious jpeg as far as I know. You can have malicious PHP code that interacts with jpegs, but that's very different. PDFs are an entirely different animal. A simple Google search ("malicious pdf" for example) will turn up lots and lots of information on this. telot

digip (Posted January 4, 2013)
Facebook adds its own EXIF data to pictures these days, and would most likely scan images before upload, so trying to, say, upload a fake gif header with php data, they would see it (I would hope). But on most machines today, if they are patched and up to date, older malicious image files should not work to infect a system. If they are running, say, XP SP2 without the wmf, tiff, ico and other various image file attacks that used to work back in the day, then yes, they may be able to be infected, but I doubt the file would work if uploaded to Facebook, since they modify, compress and add their own exif data to the files, which would probably destroy any of the malicious code. If the image was linked to from an external site, then yes, it's possible to use a metasploit attack if their system is vulnerable, and Facebook didn't block access to the external linked image. Most image attacks these days are used against things like TimThumb though, i.e. fake gif header, and the rest of the file is all php shell script, and that's mainly for targeting specific web server flaws and scripts such as TimThumb.
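
Added example (not part of the thread and not any poster's code): a server-side upload check for the "fake gif header, rest is PHP" pattern mentioned above, which walks the GIF block structure instead of trusting the first six bytes. The function names and the three sample byte strings are constructed for illustration.

```python
PHP_TAGS = (b"<?php", b"<?=")

def _skip_sub_blocks(data, pos):
    """Walk length-prefixed sub-blocks until the 0x00 terminator."""
    while True:
        size = data[pos]  # IndexError here means the file is truncated
        pos += 1
        if size == 0:
            return pos
        pos += size

def inspect_gif(data):
    """Parse the GIF block structure instead of trusting the 6-byte header."""
    found = {"valid_structure": False, "trailing_bytes": 0,
             "php_tag": any(tag in data for tag in PHP_TAGS)}
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return found
    try:
        pos = 13  # header (6 bytes) + logical screen descriptor (7 bytes)
        if data[10] & 0x80:  # global colour table present
            pos += 3 * (2 << (data[10] & 0x07))
        while True:
            block = data[pos]
            if block == 0x3B:  # trailer: end of the GIF stream
                found["valid_structure"] = True
                found["trailing_bytes"] = len(data) - pos - 1
                return found
            if block == 0x21:  # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif block == 0x2C:  # image descriptor (10 bytes)
                packed = data[pos + 9]
                pos += 10
                if packed & 0x80:  # local colour table present
                    pos += 3 * (2 << (packed & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)  # +1 skips LZW code size
            else:
                return found  # not a GIF block: the header was only a disguise
    except IndexError:
        return found

def is_acceptable_upload(data):
    f = inspect_gif(data)
    return f["valid_structure"] and f["trailing_bytes"] == 0 and not f["php_tag"]

# Constructed samples: a minimal 1x1 GIF, a header-only fake, and a valid GIF
# with a script tag appended after the trailer.
VALID_GIF = bytes.fromhex("474946383961010001008000000000" "00ffffff2c00000000010001000002024401003b")
FAKE_GIF = b"GIF89a<?php echo 'constructed sample'; ?>"
APPENDED = VALID_GIF + b"<?php ?>"
```

A tag match inside a structurally valid GIF can be a false positive from compressed pixel data, so treat it as a reason to re-encode the image server-side rather than as proof of an attack.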

Skorpinok Rover (Posted January 4, 2013)
Thank u all & Digip for this depth of info..

Pwnd2Pwnr (Posted January 5, 2013)
I just got my old HP from 2005 working... lol... Win XP SP2... FTW! :P

Infiltrator (Posted January 5, 2013)
Facebook security is pretty tight, so I wouldn't worry too much if your VM was infected.

silver-moonshine (Posted January 6, 2013)
Hey guys, I don't know if you guys caught the episode with steghide, but you can import steghide pictures into Facebook (attach text to an image and password protect it). My cover image on Facebook has steghide text attached to it, with a message in hex on my actual cover photo saying steghide this image, and the password on the picture once again in hex :D. Nobody so far has got back to me about this :( , obviously don't have the right crowd on Facebook lmao

silver-moonshine (Posted January 6, 2013)
If this is a vulnerability, couldn't it be possible to do some sort of memory buffer overflow?? Just a thought?? This may not be possible, but I am sure this kind of attack does exist :)

silver-moonshine (Posted January 6, 2013)
http://sphotos-f.ak.fbcdn.net/hphotos-ak-ash4/394986_132663500218383_1296920152_n.jpg :)

Skorpinok Rover (Posted January 6, 2013)
:D Wat a Matrix Code LOL!.. or Alien code?

digip (Posted January 6, 2013)
http://regex.info/exif.cgi?imgurl=http%3A%2F%2Fsphotos-f.ak.fbcdn.net%2Fhphotos-ak-ash4%2F394986_132663500218383_1296920152_n.jpg
Notice the Exif data. "Facebook's "TINYsRGB"". Some of the remaining original data is still there as well. I can see it was made on an Apple computer. Being it's a jpg, you can see Facebook added image compression too, which would most likely change the file in such a way that, say, hidden data or even attack data would probably be changed in the process. "Image compression: 93%". I've uploaded completely uncompressed images to Facebook for clients before, only to see them show up fuzzy and compressed, so I'm fairly certain data you put in them will be modified, or changed in such a way that would render them useless. PNGs might be able to get past without losing, say, a hidden message written in the file, since PNGs are lossless image files, but if they resize the image, then they change its structure and would ruin steganography in an image, for example. As far as a virus or malware, some file types can contain them and still work against older systems, but usually require special scripting to make the attack work, which usually targets Internet Explorer specifically on older systems. There was a recent GIF image memory corruption issue for the Opera browser a few months back, but I believe that's been patched, and it only affected Windows systems. If you run EMET for Windows, the most it would do is crash Opera without allowing it to execute code though, and I'm not even sure it allowed code execution, as much as it did freeze a browser and DOS your session.

silver-moonshine (Posted January 6, 2013)
I like the regex info, but I made it in Photoshop on a PC, not on a Mac. I then used steghide to attach my "Message", and I uploaded my image with my steghide attachment to Facebook (this is the link I provided). On the image, if you download it from Facebook and extract the steghide message from the image with the passphrase provided on the image, it is all still in one piece, and the file size is the same as it was originally from before I uploaded it.

digip (Posted January 6, 2013)
That's my bad, I read the ICC color profile wrong. Apple Computer Inc. was the color profile used. Often though, it will also tell you the actual hardware, like the monitor used, and system, such as Microsoft and if it was on an iMac, HP monitor, etc. All of which can be spoofed too though. I'm surprised the stego info is still intact though, since FB is known to compress jpgs and often resize them, so that's good to know, although I haven't tried decoding the file...

Skorpinok Rover (Posted January 7, 2013)
@digip thank u boss.. cool info..

digip (Posted January 7, 2013)
By the way, the info was still intact on Facebook. I PM'ed him the message and was able to extract it fine from the Facebook image. Surprised it survived the upload. I know some sites completely mangle images and can't be used to store steganography in them, but Facebook apparently left that part of the image intact. I still have my doubts about malware or embedded binaries, but most images don't run executable code these days in current systems. Older images and file formats could be used to attack Internet Explorer, such as wmf, cursor, ico, tiff and png files (jpgs used to way back in the day) and there was a recent memory corruption issue in Opera that was fixed in the last release, but I'd still be hard pressed to see one make it onto their site that they didn't catch. Who knows, only way is to upload one and find out, and test on an older, unpatched OS and browser.
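
Added example (not part of the thread and not any poster's code): one way to check what a host did to a JPEG on upload, the question the posts above go back and forth on. It lists the metadata segments (Exif, ICC profile and so on) and hashes the compressed image data separately, so a metadata rewrite can be told apart from a re-encode. The function names are hypothetical and the two byte strings are constructed stand-ins for the local file and the re-downloaded copy.

```python
import hashlib
import struct

def split_jpeg(data: bytes):
    """Return (metadata_segments, sha256 of everything from SOS onward)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: compressed image data runs from here on
            return segments, hashlib.sha256(data[pos:]).hexdigest()
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        if 0xE0 <= marker <= 0xEF:  # APPn: JFIF, Exif, ICC_PROFILE, ...
            tag = payload.split(b"\x00", 1)[0].decode("ascii", "replace")
            segments.append((f"APP{marker - 0xE0}", tag, length))
        elif marker == 0xFE:  # COM: free-text comment
            segments.append(("COM", "", length))
        pos += 2 + length
    raise ValueError("no SOS marker found")

def compare_upload(before: bytes, after: bytes) -> dict:
    """Report whether metadata and/or compressed image data differ."""
    meta_a, scan_a = split_jpeg(before)
    meta_b, scan_b = split_jpeg(after)
    return {"metadata_changed": meta_a != meta_b,
            "image_data_changed": scan_a != scan_b,
            "after_segments": [(m, t) for m, t, _ in meta_b]}

def _seg(marker, payload):
    # Build one segment: 0xFF, marker, big-endian length (includes itself).
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples, not real images: same scan bytes, different metadata.
SCAN = b"\xff\xda\x00\x02" + b"\x12\x34\x56" + b"\xff\xd9"
ORIGINAL = b"\xff\xd8" + _seg(0xE1, b"Exif\x00\x00constructed") + SCAN
REHOSTED = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00")
            + _seg(0xE2, b"ICC_PROFILE\x00constructed") + SCAN)
```

An unchanged image-data hash means the host did not re-encode the picture, whatever it did to the metadata segments.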