[PLUG] First JPEG virus is out there

Daggett, Steve Steve.Daggett at fiserv.com
Tue Sep 28 11:01:02 PDT 2004

Bill Thoen asks:
> On Tue, 28 Sep 2004, Paul Heinlein wrote:
> > Image files are parsed and "executed" by various rendering 
> > libraries. 
> > If those libraries don't do proper bounds checking, regardless of 
> > whether the host OS is Windows or Linux, a buffer overflow could 
> > occur.
> So what do the bad guys actually do with a "buffer overflow"? 
> How does that run a virus installer instead of just crashing?

Basically, any program that accepts an input can be buffer overflowed.
The overflow may contain an executable program, including an FTP client.

I believe the definitive article is still the original from Phrack.  

	`smash the stack` [C programming] n. On many C implementations
	it is possible to corrupt the execution stack by writing past
	the end of an array declared auto in a routine.  Code that does
	this is said to smash the stack, and can cause return from the
	routine to jump to a random address.  This can produce some of
	the most insidious data-dependent bugs known to mankind.
	Variants include trash the stack, scribble the stack, mangle
	the stack; the term mung the stack is not used, as this is
	never done intentionally. See spam; see also alias bug,
	fandango on core, memory leak, precedence lossage, overrun screw.

Phrack 49
Smashing The Stack For Fun And Profit

Steve D...
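As an added illustration of the missing bounds check the thread is talking about (my own toy code, not from Steve's post, Phrack or any real JPEG library): a reader for a JPEG-style marker segment, first in the unchecked form and then with the checks. Real JPEG segments carry a 2-byte big-endian length that counts itself; the byte sequences below are constructed.

```c
/* Toy JPEG marker-segment reader: unchecked vs. checked (added example). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEG_BUF 16   /* fixed-size auto array the payload is copied into */

/* Unchecked: trusts the length field taken from the file.  A declared length
 * larger than SEG_BUF writes past the end of the auto array, i.e. "smashes
 * the stack"; a length larger than the input reads past the file.  Kept only
 * for comparison and never called here. */
static int read_segment_unchecked(const uint8_t *in)
{
    uint8_t seg[SEG_BUF];
    size_t payload = (((size_t)in[2] << 8) | in[3]) - 2;
    memcpy(seg, in + 4, payload);             /* no bound on payload */
    return (int)payload;
}

/* Checked: every size taken from the file is validated before use.
 * Returns the payload length copied into out, or -1 if rejected. */
int read_segment_checked(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_cap)
{
    if (in_len < 4 || in[0] != 0xFF) return -1;   /* need marker + length */
    size_t declared = ((size_t)in[2] << 8) | in[3];
    if (declared < 2) return -1;                   /* length counts itself */
    size_t payload = declared - 2;
    if (payload > in_len - 4) return -1;           /* would read past input */
    if (payload > out_cap) return -1;              /* would write past buffer */
    memcpy(out, in + 4, payload);
    return (int)payload;
}

/* Constructed inputs: an APP0 "JFIF" segment, a truncated one whose length
 * field claims 65535 bytes, and one whose 32-byte payload exceeds SEG_BUF. */
const uint8_t GOOD_SEG[]      = {0xFF, 0xE0, 0x00, 0x07, 'J', 'F', 'I', 'F', 0};
const uint8_t TRUNCATED_SEG[] = {0xFF, 0xE0, 0xFF, 0xFF, 'A', 'B'};
const uint8_t OVERSIZED_SEG[36] = {0xFF, 0xE0, 0x00, 0x22};   /* rest zero */

int main(void)
{
    uint8_t out[SEG_BUF];
    (void)read_segment_unchecked;   /* defined for comparison only */
    printf("good:      %d\n", read_segment_checked(GOOD_SEG, sizeof GOOD_SEG, out, sizeof out));
    printf("truncated: %d\n", read_segment_checked(TRUNCATED_SEG, sizeof TRUNCATED_SEG, out, sizeof out));
    printf("oversized: %d\n", read_segment_checked(OVERSIZED_SEG, sizeof OVERSIZED_SEG, out, sizeof out));
    return 0;
}
```

The two rejected inputs are exactly the cases a renderer without the checks would mishandle: the first over-reads the file, the second overwrites whatever sits beyond the auto array.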
