Data is code

John C. Dvorak recently asked how it is that a simple data file like a Microsoft BMP image can cause an attacker to take control of a Windows computer?

The answer is simple - there is no such thing as data without something to interpret it.

In the case of a BMP file there is a header that precedes the data and which describes how many rows and columns are in the image, how many colors, and a little bit extra information that tells the computer how the file is laid out in memory (the stride).

The header is interpreted by a program and therein lies the trouble. If there is an error in the program that interprets the header, then it is every bit as easy to inject code via a buffer overrun with a BMP file as it is to clobber an input field in a web form.

The situation is considerably more complicated for JPEG images, which expand as they are decompressed. The avenues for error are greatly enhanced because of the complexity of the JPEG algorithm.

But even for a simple BMP file there is plenty of room to screw up the code. For instance, one can easily imagine a poorly formed header that describes an image that is smaller than the actual image data. In this case, it is possible that the program that reads theBMP will not allocate enough storage and the extra data will cause a buffer overrun. It's that simple.

So while the BMP format is very simple, actually writing a robust program to ensure zero errors is not as simple, and in the days before security became paramount, such programs would be common. If the program was given bad data it would probably crash. But these days, attackers give such programs very carefully contrived data that screws around with the memory layout of the program that is interpreting the BMP file, thus avoiding a crash but still causing unplanned behavior.

So there you go - that's how a BMP file can be exploited by an attacker.

It's so simple it's really kind of frightening, because interpreting most other file formats is enormously more complicated, and the number of possible errors is just frickin' huge.

Buy Nano-Plasm Soft Cover
© 2005-2008 Stephen Clarke-Willson, Ph.D. - All Rights Reserved.